diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 61cb120716..ca2b15930d 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -1,6 +1,21 @@ {:allowed-branchname-matches ["master"] :allowed-filename-matches ["windows/"] + :targets + { + :counts { + ;;:spelling 10 + ;;:grammar 3 + ;;:total 15 ;; absolute flag count but i don't know the difference between this and issues + ;;:issues 15 ;; coming from the platform, will need to be tested. + } + :scores { + ;;:terminology 100 + :qualityscore 65 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place + ;;:spelling 40 + } + } + :guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific" :acrolinx-check-settings @@ -12,7 +27,7 @@ "TERMINOLOGY_VALID" "VOICE_GUIDANCE" ] - "termSetNames" ["M365"] + "termSetNames" ["M365" "Products" "Microsoft"] } :template-header @@ -20,7 +35,15 @@ " ## Acrolinx Scorecards -**A minimum Acrolinx score of 20 is required.** +**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.** + +If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions: + +- Work with you to resolve the issues requiring the exception. +- Escalate the exception request to the Acrolinx Review Team for review. +- Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch. + +For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=master). Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: @@ -36,6 +59,6 @@ Click the scorecard links for each article to review the Acrolinx feedback on gr " **More info about Acrolinx** -We have set the minimum score to 20. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact MARVEL PubOps. +Use the Acrolinx extension, or sidebar, in Visual Studio Code to check spelling, grammar, style, tone, clarity, and key terminology when you're creating or updating content. For more information, see [Use the Visual Studio Code extension to run Acrolinx locally](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-vscode?branch=master). " } diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 3e1c1d1d11..f9ebdac192 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -390,7 +390,7 @@ "elizapo@microsoft.com" ], "sync_notification_subscribers": [ - "daniha@microsoft.com" + "dstrome@microsoft.com" ], "branches_to_filter": [ "" @@ -431,9 +431,9 @@ "template_folder": "_themes.pdf" } }, - "need_generate_pdf": false, - "need_generate_intellisense": false, "docs_build_engine": { "name": "docfx_v3" - } -} + }, + "need_generate_pdf": false, + "need_generate_intellisense": false +} \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index aaf6321d69..0cf060785e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -79,6 +79,16 @@ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", @@ -148,7 +158,7 @@ { "source_path": "windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md", "redirect_url": "https://docs.microsoft.com/microsoft-365/security/mtp/top-scoring-industry-tests", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md", @@ -857,12 +867,12 @@ }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { @@ -1210,11 +1220,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", - "redirect_document_id": false - }, { "source_path": "windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access", @@ -1435,16 +1440,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", "redirect_document_id": false }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", - "redirect_document_id": true - }, - { - "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", - "redirect_document_id": true - }, { "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", @@ -1539,6 +1534,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md", @@ -1795,6 +1795,21 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", + "redirect_document_id": true + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score", @@ -1805,11 +1820,26 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/configuration-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", + "redirect_document_id": true + }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications", @@ -1834,6 +1864,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi", + "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md", @@ -1980,16 +2015,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection", - "redirect_document_id": true - }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard", - "redirect_document_id": true - }, { "source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection", @@ -2362,9 +2387,14 @@ }, { "source_path": "windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-windows-microsoft-antivirus", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -2521,9 +2551,9 @@ "redirect_document_id": true }, { - "source_path": "windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md", + "source_path": "windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md", "redirect_url": "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-application-control.md", @@ -14555,41 +14585,86 @@ "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-surface-hub", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-surface-hub.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-iot-enterprise.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-iot-core.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-iot-core", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-iot-core.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-hololens2.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-hololens2", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-hololens2.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-hololens-1st-gen-development-edition.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-hololens-1st-gen-commercial-suite.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-admx-backed.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-admx-backed", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-admx-backed.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-admx-backed", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-group-policy.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-group-policy", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-group-policy.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas", + "redirect_document_id": false + }, { "source_path": "windows/keep-secure/collect-wip-audit-event-logs.md", "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs", @@ -15523,7 +15598,7 @@ { "source_path": "education/get-started/change-history-ms-edu-get-started.md", "redirect_url": "https://docs.microsoft.com/microsoft-365/education/deploy", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "education/get-started/get-started-with-microsoft-education.md", @@ -15594,6 +15669,11 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", @@ -16009,6 +16089,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/gov", + "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md", @@ -16145,11 +16230,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", - "redirect_document_id": true - }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -16429,6 +16509,11 @@ "source_path": "windows/deployment/windows-autopilot/windows-autopilot.md", "redirect_url": "https://docs.microsoft.com/mem/autopilot/windows-autopilot", "redirect_document_id": true + }, + { + "source_path": "windows/hub/windows-10.yml", + "redirect_url": "https://docs.microsoft.com/windows/windows-10", + "redirect_document_id": false } ] } diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..f66a07d2e4 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "cSpell.words": [ + "emie" + ] +} \ No newline at end of file diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 3314f77577..bae1f59877 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -28,6 +28,6 @@ ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) -## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) +## [Microsoft Edge Frequently Asked Questions (FAQ)](microsoft-edge-faq.yml) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 2529a88fea..af27551fc8 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -60,7 +60,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi |New or changed topic | Description | |---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | +|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.yml) | New | ## February 2017 diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index f55040beb3..8fb16843d8 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -1,229 +1,80 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy group policies +title: Microsoft Edge Legacy group policies # < 60 chars +summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. # < 160 chars metadata: - - title: Microsoft Edge Legacy group policies - - description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10. - - text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) - + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile - ms.localizationpriority: medium - + ms.prod: edge author: shortpatti - ms.author: pashort - - ms.date: 10/02/2018 - - ms.topic: article - + ms.topic: landing-page ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/address-bar-settings-gp - - html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

- - image: - - src: https://docs.microsoft.com/media/common/i_http.svg - - title: Address bar - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/adobe-settings-gp - - html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Adobe Flash - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/books-library-management-gp - - html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

- - image: - - src: https://docs.microsoft.com/media/common/i_library.svg - - title: Books Library - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/browser-settings-management-gp - - html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Browser experience - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp - - html:

Learn how to configure Microsoft Edge for development and testing.

- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Developer tools - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/extensions-management-gp - - html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

- - image: - - src: https://docs.microsoft.com/media/common/i_extensions.svg - - title: Extensions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/favorites-management-gp - - html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_link.svg - - title: Favorites - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/home-button-gp - - html:

Learn how you can customize the home button or hide it.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Home button - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability and enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy - - html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

- - image: - - src: https://docs.microsoft.com/media/common/i_categorize.svg - - title: Kiosk mode deployment in Microsoft Edge - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp - - html:

Learn how to configure the New Tab page in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: New Tab page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/prelaunch-preload-gp - - html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Prelaunch Microsoft Edge and preload tabs - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/search-engine-customization-gp - - html:

Learn how you can set the default search engine and configure additional ones.

- - image: - - src: https://docs.microsoft.com/media/common/i_search.svg - - title: Search engine customization - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:

Learn how you can keep your environment and users safe from attacks.

- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security and privacy - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/start-pages-gp - - html:

Learn how to configure the Start pages in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Start page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

- - image: - - src: https://docs.microsoft.com/media/common/i_sync.svg - - title: Sync browser - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/telemetry-management-gp - - html:

Learn how you can configure Microsoft Edge to collect certain data.

- - image: - - src: https://docs.microsoft.com/media/common/i_data-collection.svg - - title: Telemetry and data collection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/available-policies - - html:

View all available group policies for Microsoft Edge on Windows 10.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: All group policies + ms.date: 08/28/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + + # Card (optional) + - title: Group policies configure guidance part 1 + linkLists: + - linkListType: reference + links: + - text: All group policies + url: /microsoft-edge/deploy/available-policies + - text: Address bar + url: /microsoft-edge/deploy/group-policies/address-bar-settings-gp + - text: Adobe Flash + url: /microsoft-edge/deploy/group-policies/adobe-settings-gp + - text: Books Library + url: /microsoft-edge/deploy/group-policies/books-library-management-gp + - text: Browser experience + url: /microsoft-edge/deploy/group-policies/browser-settings-management-gp + - text: Developer tools + url: /microsoft-edge/deploy/group-policies/developer-settings-gp + - text: Extensions + url: /microsoft-edge/deploy/group-policies/extensions-management-gp + - text: Favorites + url: /microsoft-edge/deploy/group-policies/favorites-management-gp + - text: Home button + url: /microsoft-edge/deploy/group-policies/home-button-gp + + # Card (optional) + - title: Group policies configure guidance part 2 + linkLists: + - linkListType: reference + links: + - text: Interoperability and enterprise mode + url: /microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: New Tab page + url: /microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + - text: Kiosk mode deployment in Microsoft Edge + url: /microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + - text: Prelaunch Microsoft Edge and preload tabs + url: /microsoft-edge/deploy/group-policies/prelaunch-preload-gp + - text: Search engine customization + url: /microsoft-edge/deploy/group-policies/search-engine-customization-gp + - text: Security and privacy + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Start page + url: /microsoft-edge/deploy/group-policies/start-pages-gp + - text: Sync browser + url: /microsoft-edge/deploy/group-policies/sync-browser-settings-gp + - text: Telemetry and data collection + url: /microsoft-edge/deploy/group-policies/telemetry-management-gp + diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index cdce19d2e5..d948b2c862 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -6,17 +6,17 @@ manager: dansimp ms.author: dansimp author: dansimp ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: ms.localizationpriority: medium ms.topic: reference --- -# Sync browser settings +# Sync browser settings > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. ## Relevant policies @@ -38,7 +38,7 @@ You can find the Microsoft Edge Group Policy settings in the following location To verify the settings: 1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.png) ## Do not sync browser settings diff --git a/browsers/edge/images/allow-smart-screen-validation.PNG b/browsers/edge/images/allow-smart-screen-validation.png similarity index 100% rename from browsers/edge/images/allow-smart-screen-validation.PNG rename to browsers/edge/images/allow-smart-screen-validation.png diff --git a/browsers/edge/images/sync-settings.PNG b/browsers/edge/images/sync-settings.png similarity index 100% rename from browsers/edge/images/sync-settings.PNG rename to browsers/edge/images/sync-settings.png diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index c17f639024..375951a25c 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -2,7 +2,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge @@ -25,9 +25,9 @@ ms.topic: include --- -To verify Windows Defender SmartScreen is turned off (disabled): +To verify Windows Defender SmartScreen is turned off (disabled): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) +2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.png) ### ADMX info and settings @@ -40,7 +40,7 @@ To verify Windows Defender SmartScreen is turned off (disabled): #### MDM settings - **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) - **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen - **Data type:** Integer #### Registry settings diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md deleted file mode 100644 index 632905e3cb..0000000000 --- a/browsers/edge/microsoft-edge-faq.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -ms.reviewer: -audience: itpro -manager: dansimp -description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.topic: article -ms.mktglfcycl: general -ms.sitesec: library -ms.localizationpriority: medium ---- - -# Frequently Asked Questions (FAQs) for IT Pros - ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - -## How can I get the next major version of Microsoft Edge, based on Chromium? -In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). - -## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? -Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. - -For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). - -## Does Microsoft Edge work with Enterprise Mode? -[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. - -## How do I customize Microsoft Edge and related settings for my organization? -You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - -## Is Adobe Flash supported in Microsoft Edge? -Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - -## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? -No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. - -## How often will Microsoft Edge be updated? -In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. - -## How can I provide feedback on Microsoft Edge? -Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. - -## Will Internet Explorer 11 continue to receive updates? -We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. - -## How do I find out what version of Microsoft Edge I have? -In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. - -## What is Microsoft EdgeHTML? -Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml new file mode 100644 index 0000000000..751f40f4ea --- /dev/null +++ b/browsers/edge/microsoft-edge-faq.yml @@ -0,0 +1,74 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros + ms.reviewer: + audience: itpro + manager: dansimp + description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. + author: dansimp + ms.author: dansimp + ms.prod: edge + ms.topic: article + ms.mktglfcycl: general + ms.sitesec: library + ms.localizationpriority: medium + +title: Frequently Asked Questions (FAQ) for IT Pros +summary: | + Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + + > [!NOTE] + > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). + + +sections: + - name: Ignored + questions: + - question: How can I get the next major version of Microsoft Edge, based on Chromium? + answer: | + In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). + + - question: What's the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? + answer: | + Microsoft Edge is the default browser for all Windows 10 devices. It's built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. + + For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + + - question: Does Microsoft Edge work with Enterprise Mode? + answer: | + [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. + + - question: How do I customize Microsoft Edge and related settings for my organization? + answer: | + You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + + - question: Is Adobe Flash supported in Microsoft Edge? + answer: | + Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we've started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. + + To learn more about Microsoft's plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + - question: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? + answer: | + No, Microsoft Edge doesn't support ActiveX controls and Browser Helper Objects (BHOs) like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support. + + - question: How often will Microsoft Edge be updated? + answer: | + In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. + + - question: How can I provide feedback on Microsoft Edge? + answer: | + Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. + + - question: Will Internet Explorer 11 continue to receive updates? + answer: | + We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. + + - question: How do I find out which version of Microsoft Edge I have? + answer: | + In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version. + + - question: What is Microsoft EdgeHTML? + answer: | + Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*). + diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index edcb50cb9e..bd0befaee9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -68,7 +68,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t ## Availability of Internet Explorer 11 -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Configuration Manager and WSUS. +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS. ## Prevent automatic installation of Internet Explorer 11 with WSUS diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md index 0257a9db03..5c29be5126 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md @@ -10,9 +10,7 @@ ms.prod: internet-explorer ms.technology: ms.topic: kb-support ms.custom: CI=111020 -ms.localizationpriority: Normal -# localization_priority: medium -# ms.translationtype: MT +ms.localizationpriority: medium ms.date: 01/23/2020 --- # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros diff --git a/education/developers.yml b/education/developers.yml index 9e21b6d27f..6533d8c51c 100644 --- a/education/developers.yml +++ b/education/developers.yml @@ -18,16 +18,16 @@ additionalContent: # Card - title: UWP apps for education summary: Learn how to write universal apps for education. - url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/ + url: https://docs.microsoft.com/windows/uwp/apps-for-education/ # Card - title: Take a test API summary: Learn how web applications can use the API to provide a locked down experience for taking tests. - url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api + url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api # Card - title: Office Education Dev center summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app - url: https://dev.office.com/industry-verticals/edu + url: https://developer.microsoft.com/office/edu # Card - title: Data Streamer summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application. - url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer \ No newline at end of file + url: https://docs.microsoft.com/microsoft-365/education/data-streamer diff --git a/education/docfx.json b/education/docfx.json index 809a2da28f..8ba1394c6d 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -7,7 +7,8 @@ "**/**.yml" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], @@ -19,7 +20,8 @@ "**/*.svg" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md new file mode 100644 index 0000000000..36578af4bf --- /dev/null +++ b/education/includes/education-content-updates.md @@ -0,0 +1,10 @@ + + + + +## Week of November 30, 2020 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 12/4/2020 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index cbbdb3502b..3cd18bebdd 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -457,7 +457,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid X -Use Microsoft Endpoint Configuration Manager for management +Use Microsoft Endpoint Manager for management X X diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 3a2d13b9b9..d2a18c7393 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -26,69 +26,106 @@ This guide shows you how to deploy the Windows 10 operating system in a school d Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. ->**Note**  This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). +> [!NOTE] +> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. -![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. -![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> [!div class="mx-imgBorder"] +> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* This district configuration has the following characteristics: * It contains one or more admin devices. + * It contains two or more schools. + * Each school contains two or more classrooms. + * Each classroom contains one teacher device. + * The classrooms connect to each other through multiple subnets. + * All devices in each classroom connect to a single subnet. + * All devices have high-speed, persistent connections to each other and to the Internet. + * All teachers and students have access to Microsoft Store or Microsoft Store for Business. + * You install a 64-bit version of Windows 10 on the admin device. + * You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. + * You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. - >**Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + + > [!NOTE] + > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + * The devices use Azure AD in Office 365 Education for identity management. + * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/). + * Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices. + * Each device supports a one-student-per-device or multiple-students-per-device scenario. + * The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical. + * To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot. + * The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education. Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school). ->**Note**  This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. +> [!NOTE] +> This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. Office 365 Education allows: * Students and faculty to use Microsoft Office to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. + * Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. + * Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty. + * Teachers to employ Sway to create interactive educational digital storytelling. + * Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. + * Faculty to use advanced email features like email archiving and legal hold capabilities. + * Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management. + * Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. + * Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business. + * Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. + * Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. + * Students and faculty to use Office 365 Video to manage videos. + * Students and faculty to use Yammer to collaborate through private social networking. + * Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic). @@ -105,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -114,9 +151,13 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. + * **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. + You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. + * **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: @@ -139,7 +180,8 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. -![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") +> [!div class="mx-imgBorder"] +> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -160,7 +202,7 @@ Before you select the deployment and management methods, you need to review the |Scenario feature |Cloud-centric|On-premises and cloud| |---|---|---| |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD | -|Windows 10 deployment | MDT only | Microsoft Endpoint Configuration Manager with MDT | +|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT | |Configuration setting management | Intune | Group Policy

Intune| |App and update management | Intune |Microsoft Endpoint Configuration Manager

Intune| @@ -174,14 +216,14 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both. +* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. * You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. @@ -249,7 +291,7 @@ Select this method when you:

The disadvantages of this method are that it:

@@ -265,7 +307,7 @@ Record the deployment methods you selected in Table 3. |Selection | Deployment method| |--------- | -----------------| | |MDT by itself | -| |Microsoft Endpoint Configuration Manager and MDT| +| |Microsoft Endpoint Manager and MDT| *Table 3. Deployment methods selected* @@ -441,12 +483,12 @@ Select this method when you:

- + - + diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 0e1870a49d..15937b2e7c 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,6 +1,6 @@ --- title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Configuration Manager or App-V server. +description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp ## Executive summary -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

+

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 8e84d077d5..b511fd100f 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -165,7 +165,10 @@ The following image illustrates how MDM applications will show up in the Azure a ### Add cloud-based MDM to the app gallery -You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery. +> [!NOTE] +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application + +The following table shows the required information to create an entry in the Azure AD app gallery.
Microsoft Endpoint Configuration Manager and Intune (hybrid)Microsoft Endpoint Manager and Intune (hybrid)

Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

Select this method when you:
Colour profileColor profile b08997ca-60ab-4dce-b088-f92e9c7994f3
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 706b102207..61ff7e767b 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,24 +1,29 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal +description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 01/17/2018 +ms.date: 12/18/2020 ms.reviewer: manager: dansimp --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal -Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade +> [!NOTE] +> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com). + +1. Go to your Azure AD Blade. +2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. +3. Select **Microsoft Intune** and configure the blade. ![How to get to the Blade](images/azure-mdm-intune.png) -Configure the Blade +Configure the blade ![Configure the Blade](images/azure-intune-configure-scope.png) -Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users. +You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 07f3aa7f0f..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml @@ -1126,12 +1130,12 @@ Supported values: |-----|------------| | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| | 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| -| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 2 |The OS volume is unprotected.| | 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| | 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| | 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| | 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -| 7 |The OS volume is unprotected.| +| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 2818c2e55f..c0c9fdf44c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console. +> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md new file mode 100644 index 0000000000..556ff58e7a --- /dev/null +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -0,0 +1,1085 @@ +--- +title: Change history for MDM documentation +description: This article lists new and updated articles for Mobile Device Management. +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/19/2020 +--- + +# Change history for Mobile Device Management documentation + +This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues are not listed. + +## November 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | + +## October 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Update/DisableWUfBSafeguards](policy-csp-update.md#update-disablewufbsafeguards)
- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)
- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) | + +## September 2020 + +|New or updated article | Description| +|--- | ---| +|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.| +|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
- RecoveryConsole_AllowAutomaticAdministrativeLogon
- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- DomainMember_DisableMachineAccountPasswordChanges
- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
| + +## August 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
| + +## July 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing


Updated the following policy setting:
- System/AllowCommercialDataPipeline
| + +## June 2020 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.| +|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:
EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.| + +## May 2020 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. + +## February 2020 + +|New or updated article | Description| +|--- | ---| +|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.| + +## January 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.| + +## November 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.| +|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.| + +## October 2019 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:
ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.| +|[Defender CSP](defender-csp.md)|Added the following new nodes:
Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.| + +## September 2019 + +|New or updated article | Description| +|--- | ---| +|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:
IsStub.| +|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.| +|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| + +## August 2019 + +|New or updated article | Description| +|--- | ---| +|[DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| + +## July 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following list:
Policies supported by HoloLens 2| +|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| +|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin| +|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| +|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider.| + +## June 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)|Added the following new policies:
AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.| +|[Policy CSP - TimeLanguageSettings](policy-csp-timelanguagesettings.md)|Added the following new policy:
ConfigureTimeZone.| + +## May 2019 + +|New or updated article | Description| +|--- | ---| +|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| +|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

Updated description of the following policies:
DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| +|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
ShowLockOnUserTile.| +|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| +|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| +|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
AllowFindMyFiles.| +|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
SvchostProcessMitigation.| +|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
AllowCommercialDataPipeline, TurnOffFileHistory.| +|[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:
AllowRecommendations.| +|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| +|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.

Removed the following policy:
SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.| + +## April 2019 + +| New or updated article | Description | +|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | +| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | + +## March 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Updated ADMX Info of the following policies:
AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold.

Updated description of ConfigStorageSenseDownloadsCleanupThreshold.| + +## February 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.| + +## January 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| +|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| +|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| + +## December 2018 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| + +## September 2018 + +|New or updated article | Description| +|--- | ---| +|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| +|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| + +## August 2018 + +
++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
BitLocker CSP

Added support for Windows 10 Pro starting in the version 1809.

+
Office CSP

Added FinalStatus setting in Windows 10, version 1809.

+
RemoteWipe CSP

Added new settings in Windows 10, version 1809.

+
TenantLockdown CSP

Added new CSP in Windows 10, version 1809.

+
WindowsDefenderApplicationGuard CSP

Added new settings in Windows 10, version 1809.

+
Policy DDF file

Posted an updated version of the Policy DDF for Windows 10, version 1809.

+
Policy CSP

Added the following new policies in Windows 10, version 1809:

+
    +
  • Browser/AllowFullScreenMode
    • +
  • Browser/AllowPrelaunch
    • +
  • Browser/AllowPrinting
    • +
  • Browser/AllowSavingHistory
    • +
  • Browser/AllowSideloadingOfExtensions
    • +
  • Browser/AllowTabPreloading
    • +
  • Browser/AllowWebContentOnNewTabPage
    • +
  • Browser/ConfigureFavoritesBar
    • +
  • Browser/ConfigureHomeButton
    • +
  • Browser/ConfigureKioskMode
    • +
  • Browser/ConfigureKioskResetAfterIdleTimeout
    • +
  • Browser/ConfigureOpenMicrosoftEdgeWith
    • +
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
    • +
  • Browser/PreventCertErrorOverrides
    • +
  • Browser/SetHomeButtonURL
    • +
  • Browser/SetNewTabPageURL
    • +
  • Browser/UnlockHomeButton
    • +
  • Experience/DoNotSyncBrowserSettings
    • +
  • Experience/PreventUsersFromTurningOnBrowserSyncing
    • +
  • Kerberos/UPNNameHints
    • +
  • Privacy/AllowCrossDeviceClipboard
    • +
  • Privacy/DisablePrivacyExperience
    • +
  • Privacy/UploadUserActivities
    • +
  • System/AllowDeviceNameInDiagnosticData
    • +
  • System/ConfigureMicrosoft365UploadEndpoint
    • +
  • System/DisableDeviceDelete
    • +
  • System/DisableDiagnosticDataViewer
    • +
  • Storage/RemovableDiskDenyWriteAccess
    • +
  • Update/UpdateNotificationLevel
    • +
+

Start/DisableContextMenus - added in Windows 10, version 1803.

+

RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.

+
+ +## July 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
AssignedAccess CSP

Added the following note:

+
    +
  • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
    • +
+
PassportForWork CSP

Added new settings in Windows 10, version 1809.

+
EnterpriseModernAppManagement CSP

Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

+
Win32CompatibilityAppraiser CSP

Added new configuration service provider in Windows 10, version 1809.

+
WindowsLicensing CSP

Added S mode settings and SyncML examples in Windows 10, version 1809.

+
SUPL CSP

Added 3 new certificate nodes in Windows 10, version 1809.

+
Defender CSP

Added a new node Health/ProductStatus in Windows 10, version 1809.

+
BitLocker CSP

Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

+
DevDetail CSP

Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

+
Policy CSP

Added the following new policies in Windows 10, version 1809:

+
    +
  • ApplicationManagement/LaunchAppAfterLogOn
    • +
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
    • +
  • Authentication/EnableFastFirstSignIn (Preview mode only)
    • +
  • Authentication/EnableWebSignIn (Preview mode only)
    • +
  • Authentication/PreferredAadTenantDomainName
    • +
  • Defender/CheckForSignaturesBeforeRunningScan
    • +
  • Defender/DisableCatchupFullScan
    • +
  • Defender/DisableCatchupQuickScan
    • +
  • Defender/EnableLowCPUPriority
    • +
  • Defender/SignatureUpdateFallbackOrder
    • +
  • Defender/SignatureUpdateFileSharesSources
    • +
  • DeviceGuard/ConfigureSystemGuardLaunch
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    • +
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
    • +
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    • +
  • DmaGuard/DeviceEnumerationPolicy
    • +
  • Experience/AllowClipboardHistory
    • +
  • Security/RecoveryEnvironmentAuthentication
    • +
  • TaskManager/AllowEndTask
    • +
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
    • +
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
    • +
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
    • +
  • WindowsLogon/DontDisplayNetworkSelectionUI
    • +
+

Recent changes:

+
    +
  • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.
    • +
+
+ +## June 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Wifi CSP

Added a new node WifiCost in Windows 10, version 1809.

+
Diagnose MDM failures in Windows 10

Recent changes:

+
    +
  • Added procedure for collecting logs remotely from Windows 10 Holographic.
    • +
  • Added procedure for downloading the MDM Diagnostic Information log.
    • +
+
BitLocker CSP

Added new node AllowStandardUserEncryption in Windows 10, version 1809.

+
Policy CSP

Recent changes:

+
    +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
    • +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
    • +
  • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
    • +
  • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
    • +
  • Security/RequireDeviceEncryption is supported in the Home SKU.
    • +
  • Start/StartLayout - added a table of SKU support information.
    • +
  • Start/ImportEdgeAssets - added a table of SKU support information.
    • +
+

Added the following new policies in Windows 10, version 1809:

+
    +
  • Update/EngagedRestartDeadlineForFeatureUpdates
    • +
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
    • +
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
    • +
  • Update/SetDisablePauseUXAccess
    • +
  • Update/SetDisableUXWUAccess
    • +
+
WiredNetwork CSPNew CSP added in Windows 10, version 1809. +
+ +## May 2018 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Policy DDF file

Updated the DDF files in the Windows 10 version 1703 and 1709.

+ +
+ +## April 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
WindowsDefenderApplicationGuard CSP

Added the following node in Windows 10, version 1803:

+
    +
  • Settings/AllowVirtualGPU
    • +
  • Settings/SaveFilesToHost
    • +
+
NetworkProxy CSP

Added the following node in Windows 10, version 1803:

+
    +
  • ProxySettingsPerUser
    • +
+
Accounts CSP

Added a new CSP in Windows 10, version 1803.

+
MDM Migration Analysis Tool (MMAT)

Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

+
CSP DDF files download

Added the DDF download of Windows 10, version 1803 configuration service providers.

+
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Bluetooth/AllowPromptedProximalConnections
    • +
  • KioskBrowser/EnableEndSessionButton
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
    • +
+
+ +## March 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
eUICCs CSP

Added the following node in Windows 10, version 1803:

+
    +
  • IsEnabled
    • +
+
DeviceStatus CSP

Added the following node in Windows 10, version 1803:

+
    +
  • OS/Mode
    • +
+
Understanding ADMX-backed policies

Added the following videos:

+ +
AccountManagement CSP

Added a new CSP in Windows 10, version 1803.

+
RootCATrustedCertificates CSP

Added the following node in Windows 10, version 1803:

+
    +
  • UntrustedCertificates
    • +
+
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • ApplicationDefaults/EnableAppUriHandlers
    • +
  • ApplicationManagement/MSIAllowUserControlOverInstall
    • +
  • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
    • +
  • Connectivity/AllowPhonePCLinking
    • +
  • Notifications/DisallowCloudNotification
    • +
  • Notifications/DisallowTileNotification
    • +
  • RestrictedGroups/ConfigureGroupMembership
    • +
+

The following existing policies were updated:

+
    +
  • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
    • +
  • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
    • +
  • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.
    • +
+

Added a new section:

+ +
Policy CSP - Bluetooth

Added new section ServicesAllowedList usage guide.

+
MultiSIM CSP

Added SyncML examples and updated the settings descriptions.

+
RemoteWipe CSP

Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

+
+ +## February 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Display/DisablePerProcessDpiForApps
    • +
  • Display/EnablePerProcessDpi
    • +
  • Display/EnablePerProcessDpiForApps
    • +
  • Experience/AllowWindowsSpotlightOnSettings
    • +
  • TextInput/ForceTouchKeyboardDockedState
    • +
  • TextInput/TouchKeyboardDictationButtonAvailability
    • +
  • TextInput/TouchKeyboardEmojiButtonAvailability
    • +
  • TextInput/TouchKeyboardFullModeAvailability
    • +
  • TextInput/TouchKeyboardHandwritingModeAvailability
    • +
  • TextInput/TouchKeyboardNarrowModeAvailability
    • +
  • TextInput/TouchKeyboardSplitModeAvailability
    • +
  • TextInput/TouchKeyboardWideModeAvailability
    • +
      +
VPNv2 ProfileXML XSD

Updated the XSD and Plug-in profile example for VPNv2 CSP.

+
AssignedAccess CSP

Added the following nodes in Windows 10, version 1803:

+
    +
  • Status
    • +
  • ShellLauncher
    • +
  • StatusConfiguration
    • +
+

Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.

+
MultiSIM CSP

Added a new CSP in Windows 10, version 1803.

+
EnterpriseModernAppManagement CSP

Added the following node in Windows 10, version 1803:

+
    +
  • MaintainProcessorArchitectureOnUpdate
    • +
+
+ +## January 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Browser/AllowConfigurationUpdateForBooksLibrary
    • +
  • Browser/AlwaysEnableBooksLibrary
    • +
  • Browser/EnableExtendedBooksTelemetry
    • +
  • Browser/UseSharedFolderForBooks
    • +
  • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    • +
  • DeliveryOptimization/DODelayForegroundDownloadFromHttp
    • +
  • DeliveryOptimization/DOGroupIdSource
    • +
  • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
    • +
  • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
    • +
  • DeliveryOptimization/DORestrictPeerSelectionBy
    • +
  • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
    • +
  • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
    • +
  • KioskBrowser/BlockedUrlExceptions
    • +
  • KioskBrowser/BlockedUrls
    • +
  • KioskBrowser/DefaultURL
    • +
  • KioskBrowser/EnableHomeButton
    • +
  • KioskBrowser/EnableNavigationButtons
    • +
  • KioskBrowser/RestartOnIdleTime
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • +
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • +
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • +
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • +
  • RestrictedGroups/ConfigureGroupMembership
    • +
  • Search/AllowCortanaInAAD
    • +
  • Search/DoNotUseWebResults
    • +
  • Security/ConfigureWindowsPasswords
    • +
  • System/FeedbackHubAlwaysSaveDiagnosticsLocally
    • +
  • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
    • +
  • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
    • +
  • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
    • +
  • TaskScheduler/EnableXboxGameSaveTask
    • +
  • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
    • +
  • Update/ConfigureFeatureUpdateUninstallPeriod
    • +
  • UserRights/AccessCredentialManagerAsTrustedCaller
    • +
  • UserRights/AccessFromNetwork
    • +
  • UserRights/ActAsPartOfTheOperatingSystem
    • +
  • UserRights/AllowLocalLogOn
    • +
  • UserRights/BackupFilesAndDirectories
    • +
  • UserRights/ChangeSystemTime
    • +
  • UserRights/CreateGlobalObjects
    • +
  • UserRights/CreatePageFile
    • +
  • UserRights/CreatePermanentSharedObjects
    • +
  • UserRights/CreateSymbolicLinks
    • +
  • UserRights/CreateToken
    • +
  • UserRights/DebugPrograms
    • +
  • UserRights/DenyAccessFromNetwork
    • +
  • UserRights/DenyLocalLogOn
    • +
  • UserRights/DenyRemoteDesktopServicesLogOn
    • +
  • UserRights/EnableDelegation
    • +
  • UserRights/GenerateSecurityAudits
    • +
  • UserRights/ImpersonateClient
    • +
  • UserRights/IncreaseSchedulingPriority
    • +
  • UserRights/LoadUnloadDeviceDrivers
    • +
  • UserRights/LockMemory
    • +
  • UserRights/ManageAuditingAndSecurityLog
    • +
  • UserRights/ManageVolume
    • +
  • UserRights/ModifyFirmwareEnvironment
    • +
  • UserRights/ModifyObjectLabel
    • +
  • UserRights/ProfileSingleProcess
    • +
  • UserRights/RemoteShutdown
    • +
  • UserRights/RestoreFilesAndDirectories
    • +
  • UserRights/TakeOwnership
    • +
  • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • +
  • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • +
  • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • +
  • WindowsDefenderSecurityCenter/HideSecureBoot
    • +
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • +
+

Added the following policies the were added in Windows 10, version 1709

+
    +
  • DeviceLock/MinimumPasswordAge
    • +
  • Settings/AllowOnlineTips
    • +
  • System/DisableEnterpriseAuthProxy
    • +
+

Security/RequireDeviceEncryption - updated to show it is supported in desktop.

+
BitLocker CSP

Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

+
EnterpriseModernAppManagement CSP

Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

+
DMClient CSP

Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

+
    +
  • AADSendDeviceToken
    • +
  • BlockInStatusPage
    • +
  • AllowCollectLogsButton
    • +
  • CustomErrorText
    • +
  • SkipDeviceStatusPage
    • +
  • SkipUserStatusPage
    • +
+
Defender CSP

Added new node (OfflineScan) in Windows 10, version 1803.

+
UEFI CSP

Added a new CSP in Windows 10, version 1803.

+
Update CSP

Added the following nodes in Windows 10, version 1803:

+
    +
  • Rollback
    • +
  • Rollback/FeatureUpdate
    • +
  • Rollback/QualityUpdateStatus
    • +
  • Rollback/FeatureUpdateStatus
    • +
+
+ +## December 2017 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Configuration service provider reference

Added new section CSP DDF files download

+
+ +## November 2017 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following policies for Windows 10, version 1709:

+
    +
  • Authentication/AllowFidoDeviceSignon
    • +
  • Cellular/LetAppsAccessCellularData
    • +
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    • +
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    • +
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    • +
  • Start/HidePeopleBar
    • +
  • Storage/EnhancedStorageDevices
    • +
  • Update/ManagePreviewBuilds
    • +
  • WirelessDisplay/AllowMdnsAdvertisement
    • +
  • WirelessDisplay/AllowMdnsDiscovery
    • +
+

Added missing policies from previous releases:

+
    +
  • Connectivity/DisallowNetworkConnectivityActiveTest
    • +
  • Search/AllowWindowsIndexer
    • +
+
+ +## October 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy DDF file

Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

+
Policy CSP

Updated the following policies:

+
    +
  • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
    • +
  • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    • +
+
eUICCs CSP

Added new CSP in Windows 10, version 1709.

+
AssignedAccess CSP

Added SyncML examples for the new Configuration node.

+
DMClient CSP

Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

+
+ +## September 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1709:

+
    +
  • Authentication/AllowAadPasswordReset
    • +
  • Handwriting/PanelDefaultModeDocked
    • +
  • Search/AllowCloudSearch
    • +
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics
    • +
+

Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

+
AssignedAccess CSP

Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

+
Microsoft Store for Business and Microsoft Store

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

+
The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

+
    +
  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
    • +
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
    • +
  • DomainName - fully qualified domain name if the device is domain-joined.
    • +
+

For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

+
EnterpriseAPN CSP

Added a SyncML example.

+
VPNv2 CSP

Added RegisterDNS setting in Windows 10, version 1709.

+
Enroll a Windows 10 device automatically using Group Policy

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

+
MDM enrollment of Windows-based devices

New features in the Settings app:

+
    +
  • User sees installation progress of critical policies during MDM enrollment.
    • +
  • User knows what policies, profiles, apps MDM has configured
    • +
  • IT helpdesk can get detailed MDM diagnostic information using client tools
    • +
+

For details, see Managing connections and Collecting diagnostic logs

+
+ +## August 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Enable ADMX-backed policies in MDM

Added new step-by-step guide to enable ADMX-backed policies.

+
Mobile device enrollment

Added the following statement:

+
    +
  • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
    • +
+
CM_CellularEntries CSP

Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

+
EnterpriseDataProtection CSP

Updated the Settings/EDPEnforcementLevel values to the following:

+
    +
  • 0 (default) – Off / No protection (decrypts previously protected data).
    • +
  • 1 – Silent mode (encrypt and audit only).
    • +
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
    • +
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • +
+
AppLocker CSP

Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

+
DeviceManageability CSP

Added the following settings in Windows 10, version 1709:

+
    +
  • Provider/ProviderID/ConfigInfo
    • +
  • Provider/ProviderID/EnrollmentInfo
    • +
+
Office CSP

Added the following setting in Windows 10, version 1709:

+
    +
  • Installation/CurrentStatus
    • +
+
BitLocker CSPAdded information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +
Firewall CSPUpdated the CSP and DDF topics. Here are the changes: +
    +
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
    • +
  • Changed some data types from integer to bool.
    • +
  • Updated the list of supported operations for some settings.
    • +
  • Added default values.
    • +
+
Policy DDF fileAdded another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies: +
    +
  • Browser/AllowMicrosoftCompatibilityList
    • +
  • Update/DisableDualScan
    • +
  • Update/FillEmptyContentUrls
    • +
+
Policy CSP

Added the following new policies for Windows 10, version 1709:

+
    +
  • Browser/ProvisionFavorites
    • +
  • Browser/LockdownFavorites
    • +
  • ExploitGuard/ExploitProtectionSettings
    • +
  • Games/AllowAdvancedGamingServices
    • +
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
  • Privacy/EnableActivityFeed
    • +
  • Privacy/PublishUserActivities
    • +
  • Update/DisableDualScan
    • +
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • +
+

Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

+

Changed the names of the following policies:

+
    +
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
    • +
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
    • +
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
    • +
+

Added links to the additional ADMX-backed BitLocker policies.

+

There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

+
    +
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
    • +
  • Start/HideAppList
    • +
+
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index fb69460ed8..dcf8eec173 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 06/03/2020 +ms.date: 09/18/2020 --- # Configuration service provider reference @@ -1108,7 +1108,8 @@ Additional lists: Mobile Enterprise - check mark + check mark +Only for mobile application management (MAM) check mark check mark @@ -1556,13 +1557,13 @@ Additional lists: Mobile Enterprise - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + check mark + check mark + check mark + check mark + check mark + check mark + check mark @@ -2727,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices: | [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| @@ -2736,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices: | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2744,10 +2747,11 @@ The following list shows the CSPs supported in HoloLens devices: ## CSPs supported in Microsoft Surface Hub -- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**. +- [Accounts CSP](accounts-csp.md)9 + > [!NOTE] + > Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) - [APPLICATION CSP](application-csp.md) -- [Bitlocker-CSP](bitlocker-csp.md)9 - [CertificateStore CSP](certificatestore-csp.md) - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) - [Defender CSP](defender-csp.md) @@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update +- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index da9959c0a2..37205534c5 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -390,6 +390,26 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +**Configuration/DisableLocalAdminMerge**
+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. + +If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. + +If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. + +> [!NOTE] +> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. + +Supported OS versions: Windows 10 + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 06e4d21323..6ab35ba018 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -36,9 +36,8 @@ Supported operation is Get. **DeviceStatus/CellularIdentities** Required. Node for queries on the SIM cards. -> **Note**  Multiple SIMs are supported. - - +>[!NOTE] +>Multiple SIMs are supported. **DeviceStatus/CellularIdentities/***IMEI* The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. @@ -107,7 +106,7 @@ Supported operation is Get. Node for the compliance query. **DeviceStatus/Compliance/EncryptionCompliance** -Boolean value that indicates compliance with the enterprise encryption policy. The value is one of the following: +Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: - 0 - not encrypted - 1 - encrypted diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2c49067d90..fb9c1a57d8 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -199,8 +199,111 @@ A Get to the above URI will return the results of the data gathering for the las Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. -The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults. +### Making use of the uploaded data +The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + + Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +la--- 1/4/2021 2:45 PM 1 +la--- 1/4/2021 2:45 PM 2 +la--- 12/2/2020 6:27 PM 2701 results.xml +``` +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was HKLM\Software\Policies then folder `1` will contain the corresponding `export.reg` file. + +The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed. + +```xml + + 268b3056-8c15-47c6-a1bd-4bc257aef7b2 + HKLM\Software\Policies + %windir%\system32\netsh.exe wlan show profiles + +``` + +Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details. +```powershell +Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} +``` +This example produces output similar to the following: +``` +DirectiveNumber DirectiveHRESULT DirectiveInput +--------------- ---------------- -------------- + 1 0 HKLM\Software\Policies + 2 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall + 3 0 HKLM\Software\Microsoft\IntuneManagementExtension + 4 0 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall + 5 0 %windir%\system32\ipconfig.exe /all + 6 0 %windir%\system32\netsh.exe advfirewall show allprofiles + 7 0 %windir%\system32\netsh.exe advfirewall show global + 8 -2147024895 %windir%\system32\netsh.exe wlan show profiles +``` + +The next example extracts the zip archive into a customized flattened file structure. Each file name includes the directive number, HRESULT, and so on. This example could be customized to make different choices about what information to include in the file names and what formatting choices to make for special characters. + +```powershell +param( $DiagnosticArchiveZipPath = "C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip" ) + +#region Formatting Choices +$flatFileNameTemplate = '({0:D2}) ({3}) (0x{2:X8})' +$maxLengthForInputTextPassedToOutput = 80 +#endregion + +#region Create Output Folders and Expand Zip +$diagnosticArchiveTempUnzippedPath = $DiagnosticArchiveZipPath + "_expanded" +if(-not (Test-Path $diagnosticArchiveTempUnzippedPath)){mkdir $diagnosticArchiveTempUnzippedPath} +$reformattedArchivePath = $DiagnosticArchiveZipPath + "_formatted" +if(-not (Test-Path $reformattedArchivePath)){mkdir $reformattedArchivePath} +Expand-Archive -Path $DiagnosticArchiveZipPath -DestinationPath $diagnosticArchiveTempUnzippedPath +#endregion + +#region Discover and Move/rename Files +$resultElements = ([xml](Get-Content -Path (Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath "results.xml"))).Collection.ChildNodes | Foreach-Object{ $_ } +$n = 0 +foreach( $element in $resultElements ) +{ + $directiveNumber = $n + $n++ + if($element.Name -eq 'ID'){ continue } + $directiveType = $element.Name + $directiveStatus = [int]$element.Attributes.ItemOf('HRESULT').psbase.Value + $directiveUserInputRaw = $element.InnerText + $directiveUserInputFileNameCompatible = $directiveUserInputRaw -replace '[\\|/\[\]<>\:"\?\*%\.\s]','_' + $directiveUserInputTrimmed = $directiveUserInputFileNameCompatible.substring(0, [System.Math]::Min($maxLengthForInputTextPassedToOutput, $directiveUserInputFileNameCompatible.Length)) + $directiveSummaryString = $flatFileNameTemplate -f $directiveNumber,$directiveType,$directiveStatus,$directiveUserInputTrimmed + $directiveOutputFolder = Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath $directiveNumber + $directiveOutputFiles = Get-ChildItem -Path $directiveOutputFolder -File + foreach( $file in $directiveOutputFiles) + { + $leafSummaryString = $directiveSummaryString,$file.Name -join ' ' + Copy-Item $file.FullName -Destination (Join-Path -Path $reformattedArchivePath -ChildPath $leafSummaryString) + } +} +#endregion +Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse +``` +That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly: + +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name + + Length Name + ------ ---- + 46640 (01) (HKLM_Software_Policies) (0x00000000) export.reg + 203792 (02) (HKLM_Software_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 214902 (03) (HKLM_Software_Microsoft_IntuneManagementExtension) (0x00000000) export.reg + 212278 (04) (HKLM_SOFTWARE_WOW6432Node_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 2400 (05) (_windir__system32_ipconfig_exe__all) (0x00000000) output.log + 2147 (06) (_windir__system32_netsh_exe_advfirewall_show_allprofiles) (0x00000000) output.log + 1043 (07) (_windir__system32_netsh_exe_advfirewall_show_global) (0x00000000) output.log + 59 (08) (_windir__system32_netsh_exe_wlan_show_profiles) (0x80070001) output.log + 1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log + 5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log +``` ## Policy area diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 3cb1682333..35fe6568b0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -44,7 +44,8 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. -> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +> [!NOTE] +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -157,4 +158,3 @@ When the disconnection is completed, the user is notified that the device has be - diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 805f9ee481..d79b428c0e 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -33,7 +33,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( ## Enable a policy > [!NOTE] -> See [Understanding ADMX-backed policy CSPs](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies). +> See [Understanding ADMX-backed policies in Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies). 1. Find the policy from the list [ADMX-backed policies](policy-csps-admx-backed.md). You need the following information listed in the policy description. - GP English name diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 7ef806784f..fcb261d1c2 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -138,10 +138,10 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p 2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it. The dummy value is not set; it is only used for comparison. -3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 4. Parse this log for the report XML content. -For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). +For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). **Post-GDR1: Retrieve the report xml file using an SD card** @@ -460,7 +460,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL ``` -## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs +## Retrieve a device update report using Microsoft Endpoint Manager logs **For pre-GDR1 devices** Use this procedure for pre-GDR1 devices: diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 349687ed6c..08073b46d6 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,22 +7,22 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: -ms.reviewer: +ms.reviewer: manager: dansimp --- # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - AD-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The enterprise has configured a mobile device management (MDM) service +- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. > [!TIP] > For additional information, see the following topics: @@ -30,10 +30,10 @@ Requirements: > - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. > [!NOTE] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. @@ -42,13 +42,13 @@ In Windows 10, version 1709 or later, when the same policy is configured in GP a For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. ## Verify auto-enrollment requirements and settings -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. ![Intune license verification](images/auto-enrollment-intune-license-verification.png) -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) @@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service: ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). @@ -95,32 +95,35 @@ This procedure is only for illustration purposes to show how the new auto-enroll Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured +- Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD 1. Run GPEdit.msc - Click Start, then in the text box type gpedit. + Click Start, then in the text box type gpedit. ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. -3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. +3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. - ![MDM policies](images/autoenrollment-mdm-policies.png) + ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) + > [!NOTE] + > **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported. + ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -149,11 +152,11 @@ Requirements: 2. Under **Best match**, click **Task Scheduler** to launch it. -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. @@ -161,37 +164,49 @@ Requirements: Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third party service provider) +- Enterprise has MDM service already configured (with Intune or a third-party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. > [!IMPORTANT] > If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. -1. Download: - - - 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - - - 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) - +1. Download: + + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) + + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) + + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + 2. Install the package on the Domain Controller. - + 3. Navigate, depending on the version to the folder: - + - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - + - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - + - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** - + + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** + + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. - -5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. - + +5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. + If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. - + 6. Restart the Domain Controller for the policy to be available. This procedure will work for any future version as well. @@ -205,7 +220,7 @@ This procedure will work for any future version as well. 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. +Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -241,13 +256,13 @@ To collect Event Viewer logs: Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot: + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. + A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 79545b45cc..4f516e8c19 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -12,15 +12,17 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: +The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. + If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. +**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 1fae08c646..bf8a5ea5ad 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -248,10 +248,10 @@ Sample syncxml to provision the firewall settings to evaluate

Value type is string. Supported operations are Add, Get, Replace, and Delete.

**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

Comma separated list of local addresses covered by the rule. The default value is "". Valid tokens include:

+

Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
  • AES-CFB128:
  • AES-XTS:
    • @@ -2393,7 +2539,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
  • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
  • AES-CFB128:
  • AES-XTS:
    • @@ -2484,7 +2630,7 @@ The following tables are organized by cryptographic algorithms with their modes, -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

    Version 10.0.16299

    @@ -2495,7 +2641,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4902

    +

    AES validation number 4902

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

    Version 10.0.15063.674

    @@ -2507,7 +2653,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

    Version 10.0.15254

    @@ -2519,8 +2665,8 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Key Lengths: 128, 192, 256 (bits)
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -

    AES Val#4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    +

    AES validation number 4897

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    Version 10.0.16299

    @@ -2530,9 +2676,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4902

    +

    AES validation number 4902

    Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

    Version 10.0.15063.674

    @@ -2543,9 +2689,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

    Version 10.0.15254

    @@ -2556,291 +2702,291 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    +

    AES validation number 4897

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    Version 10.0.16299

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    OFB ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    OFB (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

    Version 10.0.15063

    -

    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    -

    AES Val#4624

    +

    KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    +

    AES validation number 4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    Version 10.0.15063

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#4624

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 4624

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    Version 10.0.15063

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

    -

    GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    +

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    +

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported

    +

    GMAC supported

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    Version 10.0.15063

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

    Version 7.00.2872

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

    Version 8.00.6246

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

    Version 7.00.2872

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

    Version 8.00.6246

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    OFB ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    OFB (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    Version 10.0.14393

    -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    -GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    Version 10.0.14393

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
    Version 10.0.14393 -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

    -

    AES Val#4064

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    Version 10.0.14393

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#4064

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    Version 10.0.14393

    -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    -

    AES Val#3629

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    Version 10.0.10586

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#3629

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    Version 10.0.10586

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
    Version 10.0.10586 -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    -GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    +

    XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

    Version 10.0.10586

    -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    -

    AES Val#3497

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    +

    AES validation number 3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    Version 10.0.10240

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#3497

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    Version 10.0.10240

    -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    -GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
    +GMAC supported

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    Version 10.0.10240 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
    Version 10.0.10240 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

    Version 6.3.9600

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#2832

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 2832

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848

    Version 6.3.9600

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    +

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    +

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
    OtherIVLen_Supported
    -GMAC_Supported

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    +GMAC supported

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    Version 6.3.9600

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    -AES Val#2197

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
    -AES Val#2197

    -

    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
    -GMAC_Supported

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    +AES validation number 2197

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    +AES validation number 2197

    +

    GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
    +GMAC supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#2196

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 2196

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 -CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    -AES Val#1168 +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    +AES validation number 1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    -CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    -AES Val#1168 +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
    +AES validation number 1168 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

    GCM

    GMAC

    -Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed +Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed -CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 -CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    Windows Server 2008 CNG algorithms #757

    Windows Vista Ultimate SP1 CNG algorithms #756

    -

    CBC ( e/d; 128 , 256 );

    -

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

    +

    CBC (e/d; 128, 256);

    +

    CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)

    Windows Vista Ultimate BitLocker Drive Encryption #715

    Windows Vista Ultimate BitLocker Drive Encryption #424

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

    Windows Vista Symmetric Algorithm Implementation #553

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

    @@ -2856,7 +3002,7 @@ AES #4903

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    Version 10.0.16299

    @@ -2930,74 +3076,74 @@ Deterministic Random Bit Generator (DRBG)

    Prerequisite: AES #4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    Version 10.0.16299

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] +CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    Version 10.0.15063

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    Version 10.0.15063

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    Version 7.00.2872

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    Version 8.00.6246

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    Version 7.00.2872

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    Version 8.00.6246

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)] +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    Version 10.0.14393

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    Version 10.0.14393

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    Version 10.0.10586

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    Version 10.0.10240

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)] +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    Version 6.3.9600

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 @@ -3133,84 +3279,84 @@ Deterministic Random Bit Generator (DRBG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    Version 10.0.16299

    FIPS186-4:

    -

    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    KeyPairGen:   [ (2048,256) ; (3072,256) ]

    -

    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

    -

    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val#3790

    -

    DRBG: Val# 1555

    +

    PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

    +

    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    KeyPairGen:   [(2048,256); (3072,256)]

    +

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 3790

    +

    DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    Version 10.0.15063

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    -SHS: Val# 3649 +PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    Version 7.00.2872

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    -SHS: Val#3648 +PQG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    Version 8.00.6246

    FIPS186-4:
    PQG(gen)    PARMS TESTED: [
    -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256)
    -SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256)
    +SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    Version 10.0.14393

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 3047
    -DRBG: Val# 955

    +PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    Version 10.0.10586

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 2886
    -DRBG: Val# 868

    +PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    Version 10.0.10240

    FIPS186-4:
    PQG(gen)    PARMS TESTED:   [
    -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256)
    -SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    +(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256)
    +SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    Version 6.3.9600

    @@ -3220,13 +3366,13 @@ DRBG: #1903
    DRBG: #258

    FIPS186-4:
    -PQG(gen)PARMS TESTED    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(gen)PARMS TESTED: [(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    SHS: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 @@ -3235,75 +3381,75 @@ PQG(ver) MOD(1024);
    SIG(ver) MOD(1024);
    SHS: #1902
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645. Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.

    Windows Server 2008 R2 and SP1 CNG algorithms #391

    Windows 7 Ultimate and SP1 CNG algorithms #386

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -RNG: Val# 649
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. +SHS: validation number 1081
    +RNG: validation number 649
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.

    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.

    Windows Server 2008 CNG algorithms #284

    Windows Vista Ultimate SP1 CNG algorithms #283

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -RNG: Val# 435
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. +SHS: validation number 753
    +RNG: validation number 435
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.

    Windows Server 2008 Enhanced DSS (DSSENH) #282

    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.

    Windows Vista CNG algorithms #227

    Windows Vista Enhanced DSS (DSSENH) #226

    FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 784
    -RNG: Val# 448
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. +SHS: validation number 784
    +RNG: validation number 448
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292. Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 FIPS186-2:
    SIG(ver)     MOD(1024);
    -SHS: Val# 783
    -RNG: Val# 447
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. +SHS: validation number 783
    +RNG: validation number 447
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 @@ -3313,8 +3459,8 @@ PQG(gen) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 611
    -RNG: Val# 314 +SHS: validation number 611
    +RNG: validation number 314 Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 @@ -3324,7 +3470,7 @@ PQG(gen) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 385 +SHS: validation number 385 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 @@ -3333,7 +3479,7 @@ PQG(ver) MOD(1024);
    KEYGEN(Y) MOD(1024);
    SIG(gen) MOD(1024);
    SIG(ver) MOD(1024);
    -SHS: Val# 181
    +SHS: validation number 181

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 @@ -3409,7 +3555,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #2373, DRBG #489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    Version 6.3.9600

    @@ -3445,7 +3591,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    Version 10.0.16299

    @@ -3615,7 +3761,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    Version 10.0.16299

    @@ -3649,178 +3795,178 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    Version 10.0.16299

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 TestingCandidates )
    -SHS: Val#3790
    -DRBG: Val# 1555 +PKG: CURVES(P-256 P-384 TestingCandidates)
    +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    Version 10.0.15063

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: Val#3790
    -DRBG: Val# 1555 +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    Version 10.0.15063

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: Val#3790
    -DRBG: Val# 1555 +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    Version 10.0.15063

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    -SHS:Val# 3649
    -DRBG:Val# 1430 +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    +SHS:validation number 3649
    +DRBG:validation number 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    Version 7.00.2872

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    -SHS:Val#3648
    -DRBG:Val# 1429 +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    +SHS:validation number 3648
    +DRBG:validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    Version 8.00.6246

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 TestingCandidates )
    -PKV: CURVES( P-256 P-384 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

    -

    SHS: Val# 3347
    -DRBG: Val# 1222

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    +PKG: CURVES(P-256 P-384 TestingCandidates)
    +PKV: CURVES(P-256 P-384)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

    +

    SHS: validation number 3347
    +DRBG: validation number 1222

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    Version 10.0.14393

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    Version 10.0.14393

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val# 3047
    -DRBG: Val# 955

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    Version 10.0.10586

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val# 2886
    -DRBG: Val# 868

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    Version 10.0.10240

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val#2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    Version 6.3.9600

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    +PKG: CURVES(P-256 P-384 P-521)
    SHS: #1903
    DRBG: #258
    -SIG(ver):CURVES( P-256 P-384 P-521 )
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: #1903
    DRBG: #258

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#1773
    -DRBG: Val# 193
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#1773
    -DRBG: Val# 193

    +PKG: CURVES(P-256 P-384 P-521)
    +SHS: validation number 1773
    +DRBG: validation number 193
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 1773
    +DRBG: validation number 193

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: Val#1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#1081
    -DRBG: Val# 23
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. +PKG: CURVES(P-256 P-384 P-521)
    +SHS: validation number 1081
    +DRBG: validation number 23
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.

    Windows Server 2008 R2 and SP1 CNG algorithms #142

    Windows 7 Ultimate and SP1 CNG algorithms #141

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#753
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. +PKG: CURVES(P-256 P-384 P-521)
    +SHS: validation number 753
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.

    Windows Server 2008 CNG algorithms #83

    Windows Vista Ultimate SP1 CNG algorithms #82

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#618
    -RNG: Val# 321
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. +PKG: CURVES(P-256 P-384 P-521)
    +SHS: validation number 618
    +RNG: validation number 321
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60. Windows Vista CNG algorithms #60 @@ -3886,7 +4032,7 @@ Some of the previously validated components for this validation have been remove

    Prerequisite: SHS #4009

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    Version 10.0.16299

    @@ -3979,269 +4125,269 @@ Some of the previously validated components for this validation have been remove

    Prerequisite: SHS #4009

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    Version 10.0.16299

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    Version 10.0.15063

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    Version 10.0.15063

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHS Val# 3347

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3347

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3347

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHS validation number 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3347

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHS Val# 3047

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3047

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3047

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3047

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHS validation number 3047

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3047

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3047

    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    Version 10.0.10586

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHSVal# 2886

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHSVal# 2886

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    - SHSVal# 2886

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    -SHSVal# 2886

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHSvalidation number 2886

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHSvalidation number 2886

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    + SHSvalidation number 2886

    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    +SHSvalidation number 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    Version 10.0.10240

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    Version 6.3.9600

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    Version 5.2.29344

    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

    +

    HMAC-SHA256 (Key Size Ranges Tested: KS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)

    SHS#1903

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)

    SHS#1903

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS)

    SHS#1903

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)

    SHS#1903

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    -

    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    Windows 7 and SP1 CNG algorithms #677

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753

    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    Windows Server 2008 CNG algorithms #413

    Windows Vista Ultimate SP1 CNG algorithms #412

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737

    Windows Vista Ultimate BitLocker Drive Encryption #386 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista CNG algorithms #298 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495

    Windows Vista BitLocker Drive Encryption #199 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 @@ -4325,7 +4471,7 @@ SHS #4009, ECDSA #1252, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

    Version 10.0.16299

    @@ -4361,7 +4507,7 @@ SHS -
  • One Pass DH:
    • +
  • One-Pass DH:

  • Prerequisite: SHS #4009, DSA #1301, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    Version 10.0.16299

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

    -

    SHS Val#3790
    -DSA Val#1135
    -DRBG Val#1556

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

    +

    SHS validation number 3790
    +DSA validation number 1135
    +DRBG validation number 1556

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

    Version 10.0.15063

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -SHS Val#3790
    -DSA Val#1223
    -DRBG Val#1555

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
    +SHS validation number 3790
    +DSA validation number 1223
    +DRBG validation number 1555

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    -SHS Val#3790
    -ECDSA Val#1133
    -DRBG Val#1555

    +SHS validation number 3790
    +ECDSA validation number 1133
    +DRBG validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

    Version 10.0.15063

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -SHS Val# 3649
    -DSA Val#1188
    -DRBG Val#1430

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
    +SHS validation number 3649
    +DSA validation number 1188
    +DRBG validation number 1430

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

    Version 7.00.2872

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -SHS Val#3648
    -DSA Val#1187
    -DRBG Val#1429

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhHybridOneFlow (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
    +[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
    +SHS validation number 3648
    +DSA validation number 1187
    +DRBG validation number 1429

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    -SHS Val#3648
    -ECDSA Val#1072
    -DRBG Val#1429

    +SHS validation number 3648
    +ECDSA validation number 1072
    +DRBG validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

    Version 8.00.6246

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
    -SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

    -

    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
    +SCHEMES  [FullUnified  (No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

    +

    SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    Version 10.0.14393

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
    -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)
    +SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

    Version 10.0.14393

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val# 3047 DSA Val#1024 DRBG Val#955

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 3047 DSA validation number 1024 DRBG validation number 955

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

    Version 10.0.10586

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val# 2886 DSA Val#983 DRBG Val#868

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 2886 DSA validation number 983 DRBG validation number 868

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

    Version 10.0.10240

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val#2373 DSA Val#855 DRBG Val#489

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val#2373 ECDSA Val#505 DRBG Val#489

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 2373 DSA validation number 855 DRBG validation number 489

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    Version 6.3.9600

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
    -SHS #1903 DSA Val#687 DRBG #258

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FA: SHA256) (FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)]
    +[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
    +SHS #1903 DSA validation number 687 DRBG #258

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH(No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]

    -SHS #1903 ECDSA Val#341 DRBG #258

    +SHS #1903 ECDSA validation number 341 DRBG #258

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

    KAS (SP 800–56A)

    key agreement

    -

    key establishment methodology provides 80 to 256 bits of encryption strength

    +

    key establishment methodology provides 80 bits to 256 bits of encryption strength

    Windows 7 and SP1, vendor-affirmed

    Windows Server 2008 R2 and SP1, vendor-affirmed

    @@ -4960,7 +5106,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

    K prerequisite: DRBG #1733, KAS #149

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    Version 10.0.16299

    @@ -5017,61 +5163,61 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

    K prerequisite: KAS #146

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    Version 10.0.16299

    -CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

    -KAS Val#128
    -DRBG Val#1556
    -MAC Val#3062 +KAS validation number 128
    +DRBG validation number 1556
    +MAC validation number 3062

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

    Version 10.0.15063

    -CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    -KAS Val#127
    -AES Val#4624
    -DRBG Val#1555
    -MAC Val#3061 +KAS validation number 127
    +AES validation number 4624
    +DRBG validation number 1555
    +MAC validation number 3061

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

    Version 10.0.15063

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#93 DRBG Val#1222 MAC Val#2661

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 93 DRBG validation number 1222 MAC validation number 2661

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    Version 10.0.14393

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

    Version 10.0.14393

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

    Version 10.0.10586

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

    Version 10.0.10240

    -

    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    DRBG Val#489 MAC Val#1773

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    +

    CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    DRBG validation number 489 MAC validation number 1773

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    Version 6.3.9600

    -

    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    DRBG #258 HMAC Val#1345

    +

    CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    DRBG #258 HMAC validation number 1345

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 @@ -5092,12 +5238,12 @@ Random Number Generator (RNG)

    FIPS 186-2 General Purpose

    -

    [ (x-Original); (SHA-1) ]

    +

    [(x-Original); (SHA-1)]

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 FIPS 186-2
    -[ (x-Original); (SHA-1) ]     +[(x-Original); (SHA-1)]

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

    @@ -5105,16 +5251,16 @@ Random Number Generator (RNG)

    FIPS 186-2
    -[ (x-Change Notice); (SHA-1) ]

    +[(x-Change Notice); (SHA-1)]

    FIPS 186-2 General Purpose
    -[ (x-Change Notice); (SHA-1) ]

    +[(x-Change Notice); (SHA-1)]

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

    Windows Vista RNG implementation #321

    FIPS 186-2 General Purpose
    -[ (x-Change Notice); (SHA-1) ]     +[(x-Change Notice); (SHA-1)]

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

    @@ -5123,7 +5269,7 @@ Random Number Generator (RNG) FIPS 186-2
    -[ (x-Change Notice); (SHA-1) ]     +[(x-Change Notice); (SHA-1)]

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

    @@ -5228,7 +5374,7 @@ Random Number Generator (RNG)

    • Prerequisite: SHS #4009, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    Version 10.0.16299

    @@ -5263,7 +5409,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    Version 10.0.16299

    @@ -5637,7 +5783,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    Version 10.0.16299

    @@ -5707,424 +5853,424 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    Version 10.0.16299

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
    -SHA Val#3790 +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
    +SHA validation number 3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

    Version 10.0.15063

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3790 +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

    Version 10.0.15063

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -SHA Val#3790
    -DRBG: Val# 1555 +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +SHA validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

    Version 10.0.15063

    FIPS186-4:
    186-4KEY(gen):
    -PGM(ProbRandom:     ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -SHA Val#3790 +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +SHA validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

    Version 10.0.15063

    FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652

    FIPS186-4:
    -ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    -SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3652

    +ALG[ANSIX9.31] Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

    Version 7.00.2872

    FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651

    FIPS186-4:
    -ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    -SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3651

    +ALG[ANSIX9.31] Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

    Version 8.00.6246

    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val# 3649
    -DRBG: Val# 1430

    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3649
    +DRBG: validation number 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

    Version 7.00.2872

    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3648
    -DRBG: Val# 1429

    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3648
    +DRBG: validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

    Version 8.00.6246

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

    -

    SHA Val# 3347

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

    +

    SHA validation number 3347

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    Version 10.0.14393

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val# 3347 DRBG: Val# 1217

    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 3347 DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

    Version 10.0.14393

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#3346

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3346

    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

    Version 10.0.14393

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val# 3347 DRBG: Val# 1217

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3347 DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

    Version 10.0.14393

    FIPS186-4:
    -[RSASSA-PSS]: Sig(Gen):     (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val# 3347 DRBG: Val# 1217

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 3347 DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

    Version 10.0.14393

    FIPS186-4:
    -186-4KEY(gen)    :  FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val# 3047 DRBG: Val# 955

    +186-4KEY(gen):  FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 3047 DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

    Version 10.0.10586

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#3048

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3048

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

    Version 10.0.10586

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val# 3047

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

    Version 10.0.10586

    FIPS186-4:
    -[RSASSA-PSS]: Sig(Gen)    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val# 3047

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

    Version 10.0.10586

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val# 2886 DRBG: Val# 868

    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 2886 DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

    Version 10.0.10240

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2871

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

    Version 10.0.10240

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2871

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

    Version 10.0.10240

    FIPS186-4:
    -[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val# 2886

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

    Version 10.0.10240

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val#2373 DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    +186-4KEY(gen): FIPS186-4_Fixed_e;
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 2373 DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2373

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2373

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2373

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    Version 6.3.9600

    FIPS186-4:
    -[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    - Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val#2373

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    + Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 2373

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
    SHA #1903

    -

    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

    +

    Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +186-4KEY(gen): FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
    SHA #1903 DRBG: #258 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: #258
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052. Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051. Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568. Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.

    Windows Server 2008 R2 and SP1 CNG algorithms #567

    Windows 7 and SP1 CNG algorithms #560

    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559. Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557. Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 FIPS186-2:
    ALG[ANSIX9.31]:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.

    Windows Server 2008 CNG algorithms #358

    Windows Vista SP1 CNG algorithms #357

    FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353. Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258. Windows Vista RSA key generation implementation #258 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257. Windows Vista CNG algorithms #257 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255. Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230. Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222. Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 FIPS186-2:
    ALG[RSASSA-PKCS1_V1_5]:
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81. Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52. Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

    FIPS186-2:

    -

    – PKCS#1 v1.5, signature generation and verification

    +

    – PKCS#1 v1.5, signature generation, and verification

    – Mod sizes: 1024, 1536, 2048, 3072, 4096

    – SHS: SHA–1/256/384/512

    Windows XP, vendor-affirmed

    @@ -6209,7 +6355,7 @@ Some of the previously validated components for this validation have been remove
  • Supports Empty Message
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    Version 10.0.16299

    @@ -6313,7 +6459,7 @@ Version 6.3.9600 SHA-256 (BYTE-only)
    SHA-384 (BYTE-only)
    SHA-512 (BYTE-only) -Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
    +Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
    Version 6.3.9600 @@ -6495,106 +6641,106 @@ Version 6.3.9600
  • Keying Option: 1
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    Version 10.0.16299

    -TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) +TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

    Version 10.0.15063

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

    Version 8.00.6246

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

    Version 8.00.6246

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    CTR ( int only )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    CTR (int only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

    Version 7.00.2872

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

    Version 8.00.6246

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

    Version 10.0.14393

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

    Version 10.0.10586

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

    Version 10.0.10240

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    Version 6.3.9600

    -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 ) ;

    -

    TCFB64( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2);

    +

    TCFB64(e/d; KO 1, 2)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows Vista Symmetric Algorithm Implementation #549 @@ -6603,8 +6749,8 @@ Version 6.3.9600

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

    -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2)

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

    @@ -6631,7 +6777,7 @@ Version 6.3.9600 -#### SP 800-132 Password Based Key Derivation Function (PBKDF) +#### SP 800-132 Password-Based Key Derivation Function (PBKDF) @@ -6685,7 +6831,7 @@ Version 6.3.9600

    Prerequisite: DRBG #489

    - @@ -6707,7 +6853,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • - @@ -6717,7 +6863,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • - @@ -6988,7 +7134,7 @@ Version 6.3.9600

    Prerequisite: DRBG #1730

    - @@ -6998,7 +7144,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • - @@ -7009,7 +7155,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • - @@ -7022,7 +7168,7 @@ Version 6.3.9600

    Prerequisite: DRBG #1730

    - @@ -7032,7 +7178,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • - @@ -7044,7 +7190,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • - @@ -7110,23 +7256,23 @@ Version 6.3.9600

    Prerequisite: SHS #4009, HMAC #3267

    - +

    ECDSA SigGen Component: CURVES(P-256 P-384 P-521)

    @@ -7139,11 +7285,11 @@ Version 10.0.15063

    Version 10.0.15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
    Version 10.0.15063

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    Version 10.0.14393

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
    Version 10.0.14393

    -

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
    Version 10.0.10586

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
    Version  10.0.10240

    @@ -7158,7 +7304,7 @@ Version 6.3.9600

    Version 10.0.15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
    Version 10.0.15063

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    Version 10.0.14393

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
    Version 10.0.14393

    @@ -7170,7 +7316,7 @@ Version  10.0.10240

    - @@ -7196,10 +7342,7 @@ fips@microsoft.com ## References -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths +* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)) +* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf) +* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) +* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf) diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 81f5a796f3..c8b8c76461 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -40,7 +40,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp-1.png differ diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 279b1a69a3..88ac6667fb 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,6 +1,6 @@ --- title: Threat Protection (Windows 10) -description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,27 +17,27 @@ ms.topic: conceptual --- # Threat Protection -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. ->[!TIP] +> [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). -

    Microsoft Defender ATP

    +

    Microsoft Defender for Endpoint

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

    Version 6.3.9600

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    Version 10.0.16299

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

    +

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

    Version 10.0.15063.674

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    Version 10.0.16299

     

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    Version 10.0.16299

    FIPS186-4 ECDSA

    Signature Generation of hash sized messages

    -

    ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
    Version 10.0. 15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
    Version 10.0. 15063

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
    Version 10.0.14393

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
    Version 10.0.10586

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    Version 6.3.9600

    SP800-135

    Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    Version 10.0.16299

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
    Version 10.0.15063

    @@ -7184,7 +7330,7 @@ Version 10.0.14393

    Version 10.0.10586

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
    Version  10.0.10240

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    Version 6.3.9600
    - - - - - - + + + + + + - +

    Threat & Vulnerability Management

    Attack surface reduction

    Next-generation protection

    Endpoint detection and response

    Automated investigation and remediation

    Microsoft Threat Experts
    threat and vulnerability icon
    Threat & vulnerability management
    attack surface reduction icon
    Attack surface reduction
    next generation protection icon
    Next-generation protection
    endpoint detection and response icon
    Endpoint detection and response
    automated investigation and remediation icon
    Automated investigation and remediation
    microsoft threat experts icon
    Microsoft Threat Experts
    Centralized configuration and administration, APIs
    Microsoft Threat Protection
    Microsoft 365 Defender

    @@ -47,19 +47,14 @@ ms.topic: conceptual >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] -**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    +**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) -- [Remediation](microsoft-defender-atp/tvm-remediation.md) -- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [Get started](microsoft-defender-atp/tvm-prerequisites.md) +- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md) +- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md) +- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md) @@ -78,7 +73,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
    -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) @@ -103,50 +98,41 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
    -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) - [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) - - -**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**
    - -Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Threat analytics](microsoft-defender-atp/threat-analytics.md) - **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
    -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) -- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) +- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) **[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
    -Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. +Integrate Microsoft Defender for Endpoint into your existing workflows. - [Onboarding](microsoft-defender-atp/onboard-configure.md) - [API and SIEM integration](microsoft-defender-atp/configure-siem.md) - [Exposed APIs](microsoft-defender-atp/apis-intro.md) - [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md) -- [Reporting and trends](microsoft-defender-atp/powerbi-reports.md) +- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md) **[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
    - Microsoft Defender ATP directly integrates with various Microsoft solutions, including: + Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: - Intune -- Office 365 ATP -- Azure ATP -- Azure Security Center +- Microsoft Defender for Office 365 +- Microsoft Defender for Identity +- Azure Defender - Skype for Business - Microsoft Cloud App Security -**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. +**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    + With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 48c382b306..9919f7d8d2 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -10,7 +10,9 @@ ### [Macro malware](macro-malware.md) -### [Phishing](phishing.md) +### [Phishing attacks](phishing.md) + +#### [Phishing trends and techniques](phishing-trends.md) ### [Ransomware](ransomware-malware.md) @@ -46,7 +48,7 @@ ### [Coordinated malware eradication](coordinated-malware-eradication.md) -## [Information for developers](developer-info.md) +## [Information for developers]() ### [Software developer FAQ](developer-faq.md) diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 1a57f85019..3cb57c45ef 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -38,6 +38,6 @@ Go to the [MVI program page](virus-initiative-criteria.md) for more information. CME is open to organizations who are involved in cybersecurity and antimalware or interested in fighting cybercrime. -The program aims to bring organizations in cybersecurity and other industries together to pool tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our collective communities, customers, and businesses. +The program aims to bring organizations in cybersecurity and other industries together to pool tools, information, and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our communities, customers, and businesses. Go to the [CME program page](coordinated-malware-eradication.md) for more information. diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index e3d47a044c..06734edb7a 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -23,19 +23,19 @@ This page provides answers to common questions we receive from software develope ## Does Microsoft accept files for a known list or false-positive prevention program? -No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers. +No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers. ## How do I dispute the detection of my program? Submit the file in question as a software developer. Wait until your submission has a final determination. -If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary. +If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md). ## Why is Microsoft asking for a copy of my program? -This can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. +Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. ## Why does Microsoft classify my installer as a software bundler? @@ -43,8 +43,8 @@ It contains instructions to offer a program classified as unwanted software. You ## Why is the Windows Defender Firewall blocking my program? -This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). +Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). -## Why does the Microsoft Defender SmartScreen say my program is not commonly downloaded? +## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? -This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) +This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md deleted file mode 100644 index 19d1a76072..0000000000 --- a/windows/security/threat-protection/intelligence/developer-info.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: Information for developers -ms.reviewer: -description: This page provides answers to common questions we receive from software developers and other useful resources -keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: ellevin -author: levinec -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Information for developers - -Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions. - -## In this section - -Topic | Description -:---|:--- -[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers. -[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index beff687643..f7895be9f2 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -1,7 +1,7 @@ --- title: Exploits and exploit kits ms.reviewer: -description: Learn about how exploits use vulnerabilities in common software to give an attackers access to your computer and to install other malware. +description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware. keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center ms.prod: w10 ms.mktglfcycl: secure @@ -21,27 +21,27 @@ Exploits take advantage of vulnerabilities in software. A vulnerability is like ## How exploits and exploit kits work -Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called "shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled networks. This allows hackers to infect devices and infiltrate organizations. +Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations. -Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploys additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java. +Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java. The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads. -The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited. +The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage. -![example of how exploit kits work](./images/ExploitKit.png) +![example of how exploit kits work.](./images/ExploitKit.png) -*Figure 1. Example of how exploit kits work* +*Figure 1. Example of how to exploit kits work* Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware. Examples of exploit kits: -- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle) +- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle) -- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino) +- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK) -- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu) +- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu) To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/) @@ -56,6 +56,6 @@ You can read more on the [CVE website](https://cve.mitre.org/). ## How to protect against exploits -The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware. +The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices. For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 747950168f..9be24dcbe2 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -18,9 +18,9 @@ search.appverid: met150 # Fileless threats -What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate. +What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware. The term is used broadly, and sometimes to describe malware families that do rely on files to operate. -Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form. +Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft. Some parts of the attack chain may be fileless, while others may involve the file system in some form. For clarity, fileless threats are grouped into different categories. @@ -29,42 +29,42 @@ For clarity, fileless threats are grouped into different categories. Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. -Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are sub-categories of the execution vector. +Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are subcategories of the execution vector. -Finally, classify the host of the infection. For example, a Flash application that may contain an exploit, a simple executable, malicious firmware from a hardware device, or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. +Finally, classify the host of the infection. For example, a Flash application may contain a variety of threats such as an exploit, a simple executable, and malicious firmware from a hardware device. -This helps you divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. +Classifying helps you divide and categorize the various kinds of fileless threats. Some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines. ## Type I: No file activity performed -A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. +A fully fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? One example is where a target machine receives malicious network packets that exploit the EternalBlue vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there's no file or any data written on a file. -Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. +A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls. -Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks. +Infections of this type can be particularly difficult to detect because most antivirus products don’t have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks. ## Type II: Indirect file activity -There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. +There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. For example, with the [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run the command periodically. -It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed. +It’s possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, it’s considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed. ## Type III: Files required to operate -Some malware can have some sort of fileless persistence but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. +Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. ![Image of Kovter's registry key](images/kovter-reg-key.png)
    *Figure 2. Kovter’s registry key* -When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. +When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. -Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present. +Kovter is considered a fileless threat because the file system is of no practical use. The files with random extensions contain junk data that isn't usable in verifying the presence of the threat. The files that store the registry are containers that can't be detected and deleted if malicious content is present. ## Categorizing fileless threats by infection host -Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race. +Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware doesn't get the upper hand in the arms race. ### Exploits @@ -76,26 +76,28 @@ Having described the broad categories, we can now dig into the details and provi **Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/). -**CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. +**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. -**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. +Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. -**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). +**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. For example, the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/) allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. -**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date. +**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). + +**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although few are known to date. ### Execution and injection -**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes. +**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes. -**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. +**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. -**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they are textual files (not binary executables) and run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. +**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. -**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it. +**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but it’s accessible by the operating system. Modern antivirus products have the capability to scan and restore it. ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index ec97b244a7..45dd414624 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -21,18 +21,18 @@ Macros are a powerful way to automate common tasks in Microsoft Office and can m ## How macro malware works -Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. +Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. -Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened. +Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened. We've seen macro malware download threats from the following families: -* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) -* [Ransom:Win32/Teerac](Ransom:Win32/Teerac) -* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) -* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) -* [Win32/Fynloski](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) -* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) +* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) +* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) +* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) +* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) +* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ## How to protect against macro malware @@ -43,8 +43,8 @@ We've seen macro malware download threats from the following families: * Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads. -* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules) +* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) -For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). +For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). -For more general tips, see [prevent malware infection](prevent-malware-infection.md). +For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 001d356c59..d920870809 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -21,7 +21,7 @@ We name the malware and unwanted software that we detect according to the Comput ![coordinated-malware-eradication](images/NamingMalware1.png) -When our analysts research a particular threat, they will determine what each of the components of the name will be. +When our analysts research a particular threat, they'll determine what each of the components of the name will be. ## Type @@ -61,7 +61,7 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd ## Platforms -Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work on. The platform is also used to indicate programming languages and file formats. +Platforms indicate the operating system (such as Windows, masOS X, and Android) the malware is designed to work on. The platform is also used to indicate programming languages and file formats. ### Operating systems @@ -71,8 +71,8 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * FreeBSD: FreeBSD platform * iPhoneOS: iPhone operating system * Linux: Linux platform -* MacOS: MAC 9.x platform or earlier -* MacOS_X: MacOS X or later +* macOS: MAC 9.x platform or earlier +* macOS_X: MacOS X or later * OS2: OS2 platform * Palm: Palm operating system * Solaris: System V-based Unix platforms @@ -105,11 +105,11 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * INF: Install scripts * IRC: mIRC/pIRC scripts * Java: Java binaries (classes) -* JS: Javascript scripts +* JS: JavaScript scripts * LOGO: LOGO scripts * MPB: MapBasic scripts * MSH: Monad shell scripts -* MSIL: .Net intermediate language scripts +* MSIL: .NET intermediate language scripts * Perl: Perl scripts * PHP: Hypertext Preprocessor scripts * Python: Python scripts @@ -125,7 +125,7 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros * HE: macro scripting -* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint +* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint * PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros * V5M: Visio5 macros * W1M: Word1Macro diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md new file mode 100644 index 0000000000..dcb01fd998 --- /dev/null +++ b/windows/security/threat-protection/intelligence/phishing-trends.md @@ -0,0 +1,69 @@ +--- +title: Phishing trends and techniques +ms.reviewer: +description: Learn about how to spot phishing techniques +keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +search.appverid: met150 +--- + +# Phishing trends and techniques + +Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. + +Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices. + +## Invoice phishing + +In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. + +## Payment/delivery scam + +You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them. + +## Tax-themed phishing scams + +A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. + +## Downloads + +An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you. + +## Phishing emails that deliver other threats + +Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. + +We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. + +## Spear phishing + +Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target. + +Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. + +The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. + +## Whaling + +Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. + +## Business email compromise + +Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers. + +## More information about phishing attacks + +For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): + +- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) +- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) +- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 4f5d3c7278..f2cd0a919e 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -1,5 +1,5 @@ --- -title: Phishing +title: How to protect against phishing attacks ms.reviewer: description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack @@ -16,130 +16,86 @@ ms.topic: article search.appverid: met150 --- -# Phishing +# How to protect against phishing attacks -Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals. +Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals. -The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces. - -## How phishing works - -Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information. - -Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. - -Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you. - -## Phishing trends and techniques - -### Invoice phishing - -In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company and provides a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. - -### Payment/delivery scam - -You are asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past, but you are not aware of any items you have recently purchased from them. - -### Tax-themed phishing scams - -A common IRS phishing scams is one in which an urgent email letter is sent indicating that you owe money to the IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. - -### Downloads - -Another frequently-used phishing scam is one in which an attacker sends a fraudulent email requesting you to open or download a document, often one requiring you to sign in. - -### Phishing emails that deliver other threats - -Phishing emails can be very effective, and so attackers can using them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. - -We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. - -## Targeted attacks against enterprises - -### Spear phishing - -Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target. - -Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may also be designed to lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. - -The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. - -### Whaling - -Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT. - -### Business email compromise - -Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers. - -## How to protect against phishing attacks +Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets. Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate. -### Awareness +## Learn the signs of a phishing scam -The best protection is awareness and education. Don’t open attachments or click links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. +The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. -Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the threat to the company’s security operations team immediately. +Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the company’s security operations team immediately. Here are several telltale signs of a phishing scam: -* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to. +* The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. ![example of how exploit kits work](./images/URLhover.png) -* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. +* There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. -* **Items in the email address will be changed** so that it is similar enough to a legitimate email address but has added numbers or changed letters. +* **Items in the email address will be changed** so that it is similar enough to a legitimate email address, but has added numbers or changed letters. * The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect. -* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails will not ask you to do this. +* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails won't ask you to do this. * The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information. -* The **sender address does not match** the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com. +* The **sender address doesn't match the signature** on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com. * There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients. -* The greeting on the message itself **does not personally address you**. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious. +* The greeting on the message itself **doesn't personally address you**. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious. -* The website looks familiar but there are **inconsistencies or things that are not quite right** such as outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites. +* The website looks familiar but there are **inconsistencies or things that aren't quite right**. Warning signs include outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites. -* The page that opens is **not a live page** but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. +* The page that opens is **not a live page**, but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate. -For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. +## Software solutions for organizations -### Software solutions for organizations - -* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. +* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services. -* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. +* Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. -For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md). +## What to do if you've been a victim of a phishing scam -## What do I do if I've already been a victim of a phishing scam? +If you feel you've been a victim of a phishing attack: -If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc. +1. Contact your IT admin if you are on a work computer +2. Immediately change all passwords associated with the accounts +3. Report any fraudulent activity to your bank and credit card company ### Reporting spam -Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). +- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**. -For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676). +- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**. -Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions and law enforcement agencies are involved. +- **Microsoft**: Create a new, blank email message with the one of the following recipients: + - Junk: junk@office365.microsoft.com + - Phishing: phish@office365.microsoft.com -## Where to find more information about phishing attacks + Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). -For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): +- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved. -* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) +### If you’re on a suspicious website -* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) +- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website. -* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) +- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website. + +## More information about phishing attacks + +- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing) +- [Phishing trends](phishing-trends.md) +- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index df44f6142a..bd1b4f57e7 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -17,22 +17,22 @@ search.appverid: met150 --- # Troubleshooting malware submission errors caused by administrator block -In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this. +In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem. ## Review your settings Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected. -- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information. +- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information. -- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it. +- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.   ## Implement Required Enterprise Application permissions This process requires a global or application admin in the tenant. 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). - 2. Click **Grant admin consent for organization**. - 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant. + 2. Select **Grant admin consent for organization**. + 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image](images/msi-grant-admin-consent.jpg) + ![grant consent image](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   @@ -59,15 +59,15 @@ This process requires that global admins go through the Enterprise customer sign ![Consent sign in flow](images/msi-microsoft-permission-required.jpg) -Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**. +Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. All users in the tenant will now be able to use this application. -## Option 3: Delete and re-add app permissions +## Option 3: Delete and readd app permissions If neither of these options resolve the issue, try the following steps (as an admin): 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) -and click **delete**. +and select **delete**. ![Delete app permissions](images/msi-properties.png) @@ -78,7 +78,7 @@ and click **delete**. ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) -4. Review the permissions required by the application, and then click **Accept**. +4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 3313e1d680..026d1653b0 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -103,11 +103,11 @@ Microsoft provides comprehensive security capabilities that help protect against * [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data. -* [Office 365 Advanced Threat Protection](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. +* [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection. -* [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge. +* [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge. * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account. @@ -117,6 +117,6 @@ Microsoft provides comprehensive security capabilities that help protect against ## What to do with a malware infection -Microsoft Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. +Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index b91211e7da..2936cf36c4 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -31,7 +31,7 @@ Most ransomware infections start with: Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. -Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses. +Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model where malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses. ### Examples @@ -43,9 +43,9 @@ Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry) * A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. -Older ransomware like **Reveton** locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware". +Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. -Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. +Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. **Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks. diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index ad80fad7fe..f5ea7e21b2 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -17,15 +17,15 @@ search.appverid: met150 --- # Rootkits -Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal information and resources. +Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it will steal information and resources. ## How rootkits work Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that device reports about itself. -For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device. +If you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device. -Many modern malware families use rootkits to try and avoid detection and removal, including: +Many modern malware families use rootkits to try to avoid detection and removal, including: * [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon) @@ -53,12 +53,12 @@ For more general tips, see [prevent malware infection](prevent-malware-infection ### What if I think I have a rootkit on my device? -Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment. +Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isn’t detecting, you may need an extra tool that lets you boot to a known trusted environment. -[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. +[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly because of a possible malware infection. [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity. ### What if I can’t remove a rootkit? -If the problem persists, we strongly recommend reinstalling the operating system and security software. You should then restore your data from a backup. +If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup. diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 7b4028fb4a..7e771ce477 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -26,7 +26,7 @@ You can send us files that you think might be malware or files that have been in We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file. -If you sign in before you submit a sample, you will be able to track your submissions. +After you sign in, you will be able to track your submissions. ## Can I send a sample by email? @@ -34,9 +34,7 @@ No, we only accept submissions through our [sample submission portal](https://ww ## Can I submit a sample without signing in? -Yes, you many submit a file as an anonymous home customer. You will get a link to a webpage where you can view the status of the submission. - -If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance. +No. If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance. ## What is the Software Assurance ID (SAID)? @@ -52,9 +50,7 @@ We encourage all software vendors and developers to read about [how Microsoft id ## How do I track or view past sample submissions? -You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it. - -If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission. +You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). ## What does the submission status mean? @@ -66,7 +62,7 @@ Each submission is shown to be in one of the following status types: * Closed—a final determination has been given by an analyst -If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). +You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). ## How does Microsoft prioritize submissions diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index eb417b74dd..87e0080d20 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -21,7 +21,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 5aded1e416..fa58868aa8 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -18,21 +18,28 @@ ms.topic: article The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. -Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers. +Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft. The goal is to improve protection for Microsoft customers. ## Better protection for customers against malware -The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage. +The VIA program gives members access to information that will help them improve protection. For example, the program provides malware telemetry and samples to security teams so they can identify gaps and prioritize new threat coverage. -Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. +Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets. The data also helps set scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers. ## Becoming a member of VIA -Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers. +Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). -Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. +The criteria is designed to ensure that Microsoft can work with the following groups to protect a broad range of customers: + +- Security software providers +- Security service providers +- Antimalware testing organizations +- Other organizations involved in the fight against cybercrime + +Members will receive information to facilitate effective malware detection, deterrence, and eradication. This information includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. VIA has an open enrollment for potential members. @@ -43,11 +50,12 @@ To be eligible for VIA your organization must: 1. Be willing to sign a non-disclosure agreement with Microsoft. 2. Fit into one of the following categories: - * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. - * Your organization provides security services to Microsoft customers or for Microsoft products. - * Your organization publishes antimalware testing reports on a regular basis. - * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. + + - Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. + - Your organization provides security services to Microsoft customers or for Microsoft products. + - Your organization publishes antimalware testing reports on a regular basis. + - Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index a896140ce6..5f8f3c8139 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -19,13 +19,13 @@ ms.topic: article The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences. +MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. ## Become a member -A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: -1. Offer an antimalware or antivirus product that is one of the following: +1. Offer an antimalware or antivirus product that meets one of the following criteria: * Your organization's own creation. * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. @@ -34,7 +34,7 @@ A request for membership is made by an individual as a representative of an orga 3. Be active and have a positive reputation in the antimalware industry. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. 4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. @@ -49,14 +49,14 @@ A request for membership is made by an individual as a representative of an orga Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- AV-Comparatives | Real-World Protection Test
    https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives -AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted
    https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) +AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted
    https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) ICSA Labs | Endpoint Anti-Malware Detection
    https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities
    https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS -SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
    http://www.skdlabs.com/html/english/
    http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests +SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
    http://www.skdlabs.com/html/english/
    http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating
    https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating VB 100 | VB100 Certification Test V1.1
    https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification West Coast Labs | Checkmark Certified
    http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 04c8f8280f..ca62c08fd9 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -22,19 +22,19 @@ A worm is a type of malware that can copy itself and often spreads through a net ## How worms work -Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. +Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. -Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics. +Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics. * **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page. -* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. +* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues. * **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. -Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. +Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software. -* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). +* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware). This image shows how a worm can quickly spread through a shared USB drive. diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 771169d40b..24bcf88c2d 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -6,8 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp -author: dulcemontemayor -ms.date: 10/05/2018 +author: dansimp ms.reviewer: manager: dansimp --- @@ -17,6 +16,9 @@ manager: dansimp Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +> [!NOTE] +> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index a0e3d27f66..273298bf6c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -20,9 +20,12 @@ ms.topic: article # What to do with false positives/negatives in Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. @@ -41,7 +44,7 @@ What if something gets detected wrongly as malware, or something is missed? We c ## Create an "Allow" indicator to prevent a false positive from recurring -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. +If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender for Endpoint) that the item is safe. To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). @@ -69,6 +72,6 @@ To learn more, see: ## Related articles -[What is Microsoft Defender Advanced Threat Protection?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) +[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) -[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index 072cc3c421..586598290d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -18,9 +18,12 @@ manager: dansimp # Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index 9c9ec19ea9..b98d9268b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -1,7 +1,7 @@ --- title: Collect diagnostic data of Microsoft Defender Antivirus description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus -keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av +keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: manage @@ -18,11 +18,14 @@ manager: dansimp # Collect Microsoft Defender AV diagnostic data +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV. +This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV. > [!NOTE] > As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). @@ -51,7 +54,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. > [!NOTE] -> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
    For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share). +> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
    For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share). 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. @@ -75,7 +78,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration. -When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path: +When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path: ```Dos \\MpSupport--.cab @@ -83,13 +86,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will | field | Description | |:----|:----| -| path | The path as specified on the commandline or retrieved from configuration -| MMDD | Month Day when the diagnostic data was collected (eg 0530) -| hostname | the hostname of the device on which the diagnostic data was collected. -| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422) +| path | The path as specified on the command line or retrieved from configuration +| MMDD | Month and day when the diagnostic data was collected (for example, 0530) +| hostname | The hostname of the device on which the diagnostic data was collected +| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422) > [!NOTE] -> When using a File share please make sure that account used to collect the diagnostic package has write access to the share. +> When using a file share please make sure that account used to collect the diagnostic package has write access to the share. + +## Specify location where diagnostic data is created + +You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO). + +1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation` + +1. Select **Define the directory path to copy support log files**. + + ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png) + + ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png) +3. Inside the policy editor, select **Enabled**. + +4. Specify the directory path where you want to copy the support log files in the **Options** field. + ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png) +5. Select **OK** or **Apply**. ## See also diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index 8bf5563e09..f6c285389b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -17,9 +17,12 @@ ms.date: 08/17/2020 # Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 53d9dc6877..c4401ca56a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md @@ -16,138 +16,43 @@ manager: dansimp --- # Common mistakes to avoid when defining exclusions + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. -This topic describes some common mistake that you should avoid when defining exclusions. +This article describes some common mistake that you should avoid when defining exclusions. Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions). ## Excluding certain trusted items -There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. -**Do not add exclusions for the following folder locations:** +Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. -- %systemdrive% -- C: -- C:\ -- C:\* -- %ProgramFiles%\Java -- C:\Program Files\Java -- %ProgramFiles%\Contoso\ -- C:\Program Files\Contoso\ -- %ProgramFiles(x86)%\Contoso\ -- C:\Program Files (x86)\Contoso\ -- C:\Temp -- C:\Temp\ -- C:\Temp\* -- C:\Users\ -- C:\Users\* -- C:\Users\\AppData\Local\Temp\ -- C:\Users\\AppData\LocalLow\Temp\ -- C:\Users\\AppData\Roaming\Temp\ -- %Windir%\Prefetch -- C:\Windows\Prefetch -- C:\Windows\Prefetch\ -- C:\Windows\Prefetch\* -- %Windir%\System32\Spool -- C:\Windows\System32\Spool -- C:\Windows\System32\CatRoot2 -- %Windir%\Temp -- C:\Windows\Temp -- C:\Windows\Temp\ -- C:\Windows\Temp\* +Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table: -**Do not add exclusions for the following file extensions:** -- .7zip -- .bat -- .bin -- .cab -- .cmd -- .com -- .cpl -- .dll -- .exe -- .fla -- .gif -- .gz -- .hta -- .inf -- .java -- .jar -- .job -- .jpeg -- .jpg -- .js -- .ko -- .ko.gz -- .msi -- .ocx -- .png -- .ps1 -- .py -- .rar -- .reg -- .scr -- .sys -- .tar -- .tmp -- .url -- .vbe -- .vbs -- .wsf -- .zip +| Folder locations | File extensions | Processes | +|:--|:--|:--| +| `%systemdrive%`
    `C:`
    `C:\`
    `C:\*`
    `%ProgramFiles%\Java`
    `C:\Program Files\Java`
    `%ProgramFiles%\Contoso\`
    `C:\Program Files\Contoso\`
    `%ProgramFiles(x86)%\Contoso\`
    `C:\Program Files (x86)\Contoso\`
    `C:\Temp`
    `C:\Temp\`
    `C:\Temp\*`
    `C:\Users\`
    `C:\Users\*`
    `C:\Users\\AppData\Local\Temp\`
    `C:\Users\\AppData\LocalLow\Temp\`
    `C:\Users\\AppData\Roaming\Temp\`
    `%Windir%\Prefetch`
    `C:\Windows\Prefetch`
    `C:\Windows\Prefetch\`
    `C:\Windows\Prefetch\*`
    `%Windir%\System32\Spool`
    `C:\Windows\System32\Spool`
    `C:\Windows\System32\CatRoot2`
    `%Windir%\Temp`
    `C:\Windows\Temp`
    `C:\Windows\Temp\`
    `C:\Windows\Temp\*` | `.7zip`
    `.bat`
    `.bin`
    `.cab`
    `.cmd`
    `.com`
    `.cpl`
    `.dll`
    `.exe`
    `.fla`
    `.gif`
    `.gz`
    `.hta`
    `.inf`
    `.java`
    `.jar`
    `.job`
    `.jpeg`
    `.jpg`
    `.js`
    `.ko`
    `.ko.gz`
    `.msi`
    `.ocx`
    `.png`
    `.ps1`
    `.py`
    `.rar`
    `.reg`
    `.scr`
    `.sys`
    `.tar`
    `.tmp`
    `.url`
    `.vbe`
    `.vbs`
    `.wsf`
    `.zip` | `AcroRd32.exe`
    `bitsadmin.exe`
    `excel.exe`
    `iexplore.exe`
    `java.exe`
    `outlook.exe`
    `psexec.exe`
    `powerpnt.exe`
    `powershell.exe`
    `schtasks.exe`
    `svchost.exe`
    `wmic.exe`
    `winword.exe`
    `wuauclt.exe`
    `addinprocess.exe`
    `addinprocess32.exe`
    `addinutil.exe`
    `bash.exe`
    `bginfo.exe`[1]
    `cdb.exe`
    `csi.exe`
    `dbghost.exe`
    `dbgsvc.exe`
    `dnx.exe`
    `fsi.exe`
    `fsiAnyCpu.exe`
    `kd.exe`
    `ntkd.exe`
    `lxssmanager.dll`
    `msbuild.exe`[2]
    `mshta.exe`
    `ntsd.exe`
    `rcsi.exe`
    `system.management.automation.dll`
    `windbg.exe` | >[!NOTE] -> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. - -**Do not add exclusions for the following processes:** -- AcroRd32.exe -- bitsadmin.exe -- excel.exe -- iexplore.exe -- java.exe -- outlook.exe -- psexec.exe -- powerpnt.exe -- powershell.exe -- schtasks.exe -- svchost.exe -- wmic.exe -- winword.exe -- wuauclt.exe -- addinprocess.exe -- addinprocess32.exe -- addinutil.exe -- bash.exe -- bginfo.exe[1] -- cdb.exe -- csi.exe -- dbghost.exe -- dbgsvc.exe -- dnx.exe -- fsi.exe -- fsiAnyCpu.exe -- kd.exe -- ntkd.exe -- lxssmanager.dll -- msbuild.exe[2] -- mshta.exe -- ntsd.exe -- rcsi.exe -- system.management.automation.dll -- windbg.exe +> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. ## Using just the file name in the exclusion list -A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. + +A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`. ## Using a single exclusion list for multiple server workloads + Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload. ## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists + Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. + See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists. -## Related topics +## Related articles - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md index ac38745a10..756111f940 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender in your business +title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh @@ -11,34 +11,35 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 12/16/2020 ms.reviewer: manager: dansimp --- # Manage Microsoft Defender Antivirus in your business +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can manage and configure Microsoft Defender Antivirus with the following tools: -- Microsoft Intune -- Microsoft Endpoint Configuration Manager -- Group Policy -- PowerShell cmdlets -- Windows Management Instrumentation (WMI) -- The mpcmdrun.exe utility +- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager) +- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) +- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) +- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus) +- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility -The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. +The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. -## In this section - -Article | Description ----|--- -[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus -[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates -[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters -[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) -[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus +| Article | Description | +|:---|:---| +|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus | +|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates | +|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters | +|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) | +|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md index 9800bbf096..6d63b6ef5a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md @@ -18,17 +18,20 @@ manager: dansimp # Configure Microsoft Defender Antivirus scanning options +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Use Microsoft Intune to configure scanning options See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -## Use Microsoft Endpoint Configuration Manager to configure scanning options +## Use Microsoft Endpoint Manager to configure scanning options -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch). ## Use Group Policy to configure scanning options @@ -56,8 +59,8 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available ->[!NOTE] ->If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. +> [!NOTE] +> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares. ## Use PowerShell to configure scanning options diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index f11dc35650..c3ec759d81 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable Block at First Sight to detect malware in seconds -description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly. +title: Enable block at first sight to detect malware in seconds +description: Turn on the block at first sight feature to detect and block malware within seconds. keywords: scan, BAFS, malware, first seen, first sight, cloud, defender search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -12,134 +12,103 @@ ms.author: deniseb ms.reviewer: manager: dansimp ms.custom: nextgen -ms.date: 08/26/2020 +ms.date: 10/22/2020 --- # Turn on block at first sight +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. +Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. +You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. >[!TIP] ->Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. +>Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file. If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. In many cases, this process can reduce the response time for new malware from hours to seconds. -## Confirm and validate that block at first sight is turned on +## Turn on block at first sight with Microsoft Intune -Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments. +> [!TIP] +> Microsoft Intune is now part of Microsoft Endpoint Manager. -### Confirm block at first sight is turned on with Intune +1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**. -1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**. +2. Select or create a profile using the **Device restrictions** profile type. - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. +3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**: -2. Verify these settings are configured as follows: - - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** + - **Cloud-delivered protection**: Enabled + - **File Blocking Level**: High + - **Time extension for file scanning by the cloud**: 50 + - **Prompt users before sample submission**: Send all data without prompting ![Intune config](images/defender/intune-block-at-first-sight.png) - > [!WARNING] - > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). +4. Save your settings. -For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +> [!TIP] +> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). +> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). -For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). +## Turn on block at first sight with Microsoft Endpoint Manager -### Turn on block at first sight with Microsoft Endpoint Configuration Manager +> [!TIP] +> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager. -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. +1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**. -2. Click **Home** > **Create Antimalware Policy**. +2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type. -3. Enter a name and a description, and add these settings: - - **Real time protection** - - **Advanced** - - **Cloud Protection Service** +3. Set or confirm the following configuration settings: -4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable real-time protection](images/defender/sccm-real-time-protection.png) + - **Turn on cloud-delivered protection**: Yes + - **Cloud-delivered protection level**: High + - **Defender Cloud Extended Timeout in Seconds**: 50 -5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) + :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager"::: -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. - ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) +4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**. -7. Click **OK** to create the policy. +## Turn on block at first sight with Group Policy -### Confirm block at first sight is turned on with Group Policy +> [!NOTE] +> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**. -3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: +3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**. - 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. - - > [!WARNING] + > [!IMPORTANT] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. -4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**: +4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**. - 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. +5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered. - 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. - -5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**: - - 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**. - - 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**. - -If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered. - -### Confirm block at first sight is turned on with Registry editor - -1. Start Registry Editor. - -2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that - - 1. **SpynetReporting** key is set to **1** - - 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples) - -3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that - - 1. **DisableIOAVProtection** key is set to **0** - - 2. **DisableRealtimeMonitoring** key is set to **0** - -4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2** - -### Confirm Block at First Sight is enabled on individual clients +## Confirm block at first sight is enabled on individual clients You can confirm that block at first sight is enabled on individual clients using Windows security settings. @@ -154,24 +123,43 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote 3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE] -> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. +> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. +> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -### Validate block at first sight is working +## Validate block at first sight is working -You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). +To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). ## Turn off block at first sight -> [!WARNING] -> Turning off block at first sight will lower the protection state of the endpoint and your network. +> [!CAUTION] +> Turning off block at first sight will lower the protection state of your device(s) and your network. -You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. +You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently. + +### Turn off block at first sight with Microsoft Endpoint Manager + +1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. + +2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy. + +3. Under **Manage**, choose **Properties**. + +4. Next to **Configuration settings**, choose **Edit**. + +5. Change one or more of the following settings: + + - Set **Turn on cloud-delivered protection** to **No** or **Not configured**. + - Set **Cloud-delivered protection level** to **Not configured**. + - Clear the **Defender Cloud Extended Timeout In Seconds** box. + +6. Review and save your settings. ### Turn off block at first sight with Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 3d86286bb7..2555377694 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Configure the cloud block timeout period +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index 0c3ce33cac..93e3d5c543 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -17,9 +17,12 @@ manager: dansimp # Configure end-user interaction with Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index e7d0bb0417..55b286bcf0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -10,16 +10,18 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 03/12/2020 ms.reviewer: manager: dansimp --- # Configure and validate exclusions for Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. @@ -38,11 +40,14 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru The following is a list of recommendations that you should keep in mind when defining exclusions: - Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc. + - Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process. + - Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate. + - Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded. ## Related articles - [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) -- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) \ No newline at end of file +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index d9e2707453..2d5abc1960 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -16,49 +16,49 @@ manager: dansimp # Configure and validate exclusions based on file extension and folder location +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] -> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](../microsoft-defender-atp/manage-indicators.md). ## Exclusion lists -You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell. This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -Exclusion | Examples | Exclusion list ----|---|--- -Any file with a specific extension | All files with the specified extension, anywhere on the machine.
    Valid syntax: `.test` and `test` | Extension exclusions -Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions -A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions -A specific process | The executable file `c:\test\process.exe` | File and folder exclusions +| Exclusion | Examples | Exclusion list | +|:---|:---|:---| +|Any file with a specific extension | All files with the specified extension, anywhere on the machine.
    Valid syntax: `.test` and `test` | Extension exclusions | +|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions | +| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions | +| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions | Exclusion lists have the following characteristics: - Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions apply to any file name with the defined extension if a path or folder is not defined. ->[!IMPORTANT] ->Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. -> ->You cannot exclude mapped network drives. You must specify the actual network path. -> ->Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +> [!IMPORTANT] +> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> - You cannot exclude mapped network drives. You must specify the actual network path. +> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md). ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. +> [!IMPORTANT] +> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). +> Changes made in the Windows Security app **will not show** in the Group Policy lists. By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. @@ -74,39 +74,37 @@ See the following articles: ### Use Configuration Manager to configure file name, folder, or file extension exclusions -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to configure folder or file extension exclusions >[!NOTE] >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. -4. Double-click the **Path Exclusions** setting and add the exclusions. +4. Open the **Path Exclusions** setting for editing, and add your exclusions. - Set the option to **Enabled**. - Under the **Options** section, click **Show...**. - Specify each folder on its own line under the **Value name** column. - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. -5. Click **OK**. +5. Choose **OK**. ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -6. Double-click the **Extension Exclusions** setting and add the exclusions. +6. Open the **Extension Exclusions** setting for editing and add your exclusions. - Set the option to **Enabled**. - - Under the **Options** section, click **Show...**. + - Under the **Options** section, select **Show...**. - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. -7. Click **OK**. - - ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) +7. Choose **OK**. @@ -122,21 +120,21 @@ The format for the cmdlets is as follows: The following are allowed as the ``: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove item from the list | `Remove-MpPreference` +| Configuration action | PowerShell cmdlet | +|:---|:---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove item from the list | `Remove-MpPreference` | The following are allowed as the ``: -Exclusion type | PowerShell parameter ----|--- -All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` +| Exclusion type | PowerShell parameter | +|:---|:---| +| All files with a specified file extension | `-ExclusionExtension` | +| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` | ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. +> [!IMPORTANT] +> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension: @@ -171,29 +169,26 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. ->[!IMPORTANT] ->There are key limitations and usage scenarios for these wildcards: -> ->- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. ->- You cannot use a wildcard in place of a drive letter. ->- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. +> [!IMPORTANT] +> There are key limitations and usage scenarios for these wildcards: +> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. +> - You cannot use a wildcard in place of a drive letter. +> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. |Wildcard |Examples | -|---------|---------| +|:---------|:---------| |`*` (asterisk)

    In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

    `C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

    `C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | -|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | +|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables

    The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | ->[!IMPORTANT] ->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. -> ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. -> ->This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. +> [!IMPORTANT] +> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. +> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. @@ -201,273 +196,68 @@ The following table describes how the wildcards can be used and provides some ex The following table lists and describes the system account environment variables. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    System environment variablesWill redirect to:
    %APPDATA%C:\Users\UserName.DomainName\AppData\Roaming
    %APPDATA%\Microsoft\Internet Explorer\Quick LaunchC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
    %APPDATA%\Microsoft\Windows\Start MenuC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
    %APPDATA%\Microsoft\Windows\Start Menu\ProgramsC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    %LOCALAPPDATA% C:\Windows\System32\config\systemprofile\AppData\Local
    %ProgramData%C:\ProgramData
    %ProgramFiles%C:\Program Files
    %ProgramFiles%\Common Files C:\Program Files\Common Files
    %ProgramFiles%\Windows Sidebar\Gadgets C:\Program Files\Windows Sidebar\Gadgets
    %ProgramFiles%\Common FilesC:\Program Files\Common Files
    %ProgramFiles(x86)% C:\Program Files (x86)
    %ProgramFiles(x86)%\Common Files C:\Program Files (x86)\Common Files
    %SystemDrive%C:
    %SystemDrive%\Program FilesC:\Program Files
    %SystemDrive%\Program Files (x86) C:\Program Files (x86)
    %SystemDrive%\Users C:\Users
    %SystemDrive%\Users\PublicC:\Users\Public
    %SystemRoot% C:\Windows
    %windir%C:\Windows
    %windir%\FontsC:\Windows\Fonts
    %windir%\Resources C:\Windows\Resources
    %windir%\resources\0409C:\Windows\resources\0409
    %windir%\system32C:\Windows\System32
    %ALLUSERSPROFILE%C:\ProgramData
    %ALLUSERSPROFILE%\Application DataC:\ProgramData\Application Data
    %ALLUSERSPROFILE%\DocumentsC:\ProgramData\Documents
    %ALLUSERSPROFILE%\Documents\My Music\Sample Music -

    C:\ProgramData\Documents\My Music\Sample Music

    -

    .

    -
    %ALLUSERSPROFILE%\Documents\My Music C:\ProgramData\Documents\My Music
    %ALLUSERSPROFILE%\Documents\My Pictures -

    C:\ProgramData\Documents\My Pictures -

    -
    %ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures C:\ProgramData\Documents\My Pictures\Sample Pictures
    %ALLUSERSPROFILE%\Documents\My Videos C:\ProgramData\Documents\My Videos
    %ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore C:\ProgramData\Microsoft\Windows\DeviceMetadataStore
    %ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer C:\ProgramData\Microsoft\Windows\GameExplorer
    %ALLUSERSPROFILE%\Microsoft\Windows\Ringtones C:\ProgramData\Microsoft\Windows\Ringtones
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu C:\ProgramData\Microsoft\Windows\Start Menu
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative ToolsC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    %ALLUSERSPROFILE%\Microsoft\Windows\Templates C:\ProgramData\Microsoft\Windows\Templates
    %ALLUSERSPROFILE%\Start Menu C:\ProgramData\Start Menu
    %ALLUSERSPROFILE%\Start Menu\Programs C:\ProgramData\Start Menu\Programs
    %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools C:\ProgramData\Start Menu\Programs\Administrative Tools
    %ALLUSERSPROFILE%\Templates C:\ProgramData\Templates
    %LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates
    %LOCALAPPDATA%\Microsoft\Windows\History C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
    -

    -%PUBLIC%

    -    		C:\Users\Public
    %PUBLIC%\AccountPictures C:\Users\Public\AccountPictures
    %PUBLIC%\Desktop C:\Users\Public\Desktop
    %PUBLIC%\Documents C:\Users\Public\Documents
    %PUBLIC%\Downloads C:\Users\Public\Downloads
    %PUBLIC%\Music\Sample Music -

    C:\Users\Public\Music\Sample Music

    -

    .

    -
    %PUBLIC%\Music\Sample Playlists -

    C:\Users\Public\Music\Sample Playlists

    -

    .

    -
    %PUBLIC%\Pictures\Sample Pictures C:\Users\Public\Pictures\Sample Pictures
    %PUBLIC%\RecordedTV.library-msC:\Users\Public\RecordedTV.library-ms
    %PUBLIC%\VideosC:\Users\Public\Videos
    %PUBLIC%\Videos\Sample Videos -

    C:\Users\Public\Videos\Sample Videos

    -

    .

    -
    %USERPROFILE% C:\Windows\System32\config\systemprofile
    %USERPROFILE%\AppData\Local C:\Windows\System32\config\systemprofile\AppData\Local
    %USERPROFILE%\AppData\LocalLow C:\Windows\System32\config\systemprofile\AppData\LocalLow
    %USERPROFILE%\AppData\Roaming C:\Windows\System32\config\systemprofile\AppData\Roaming
    +| This system environment variable... | Redirects to this | +|:--|:--| +| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` | +| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` | +| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` | +| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` | +| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` | +| `%ProgramData%` | `C:\ProgramData` | +| `%ProgramFiles%` | `C:\Program Files` | +| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` | +| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` | +| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` | +| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` | +| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` | +| `%SystemDrive%` | `C:` | +| `%SystemDrive%\Program Files` | `C:\Program Files` | +| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` | +| `%SystemDrive%\Users` | `C:\Users` | +| `%SystemDrive%\Users\Public` | `C:\Users\Public` | +| `%SystemRoot%` | `C:\Windows` | +| `%windir%` | `C:\Windows` | +| `%windir%\Fonts` | `C:\Windows\Fonts` | +| `%windir%\Resources` | `C:\Windows\Resources` | +| `%windir%\resources\0409` | `C:\Windows\resources\0409` | +| `%windir%\system32` | `C:\Windows\System32` | +| `%ALLUSERSPROFILE%` | `C:\ProgramData` | +| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` | +| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` | +| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` | +| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` | +| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` | +| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` | +| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` | +| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` | +| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs | +| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` | +| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` | +| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` | +| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` | +| `%PUBLIC%` | `C:\Users\Public` | +| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` | +| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` | +| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` | +| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` | +| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` | +| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` | +| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` | +| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` | +| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` | +| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` | +| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` | +| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` | +| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` | +| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` | ## Review the list of exclusions @@ -486,7 +276,7 @@ You can retrieve the items in the exclusion list using one of the following meth If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line. +- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. ### Validate the exclusion list by using MpCmdRun diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md index e77c12eda2..e9c99642d5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index c705e4b465..fd9d16d4b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -11,16 +11,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp --- # Configure Microsoft Defender Antivirus features +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can configure Microsoft Defender Antivirus with a number of tools, including: @@ -34,15 +37,16 @@ The following broad categories of features can be configured: - Cloud-delivered protection - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints +- How end users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. +|Article |Description | +|---------|---------| +|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. | +|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. | +|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. | + +> [!TIP] +> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 1901905edb..e4896f9709 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -11,16 +11,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/08/2020 +ms.date: 12/28/2020 ms.reviewer: manager: dansimp --- # Configure and validate Microsoft Defender Antivirus network connections +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -29,7 +32,7 @@ This article lists the connections that must be allowed, such as by using firewa See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. >[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > >- Cloud-delivered protection >- Fast learning (including block at first sight) @@ -46,7 +49,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. +Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. @@ -57,9 +60,9 @@ The table below lists the services and their associated URLs. Make sure that the | Microsoft Update Service (MU)
    Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
    `*.delivery.mp.microsoft.com`
    `*.windowsupdate.com`

    For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)| |Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`
    `*.download.windowsupdate.com`
    `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
    `ussus1westprod.blob.core.windows.net`
    `usseu1northprod.blob.core.windows.net`
    `usseu1westprod.blob.core.windows.net`
    `ussuk1southprod.blob.core.windows.net`
    `ussuk1westprod.blob.core.windows.net`
    `ussas1eastprod.blob.core.windows.net`
    `ussas1southeastprod.blob.core.windows.net`
    `ussau1eastprod.blob.core.windows.net`
    `ussau1southeastprod.blob.core.windows.net` | -| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
    `https://www.microsoft.com/pkiops/certs`
    `https://crl.microsoft.com/pki/crl/products`
    `https://www.microsoft.com/pki/certs` | +| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
    `http://www.microsoft.com/pkiops/certs`
    `http://crl.microsoft.com/pki/crl/products`
    `http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -82,8 +85,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. -Download the file by visiting the following link: -- https://aka.ms/ioavtest +Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest). >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. @@ -102,16 +104,16 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. +3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). - The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md). + The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index db3e3a162e..ac51c3d326 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Configure the notifications that appear on endpoints +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. @@ -73,7 +76,7 @@ You can use Group Policy to: Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. > [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 31d62322c4..bbb7a6b79c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -17,21 +17,25 @@ manager: dansimp # Configure exclusions for files opened by processes +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -This topic describes how to configure exclusion lists for the following: +This article describes how to configure exclusion lists. - +## Examples of exclusions + +|Exclusion | Example | +|---|---| +|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
    `c:\sample\test.exe`
    `d:\internal\files\test.exe` | +|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
    `c:\test\sample\test.exe`
    `c:\test\sample\test2.exe`
    `c:\test\sample\utility.exe` | +|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` | -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
    • c:\sample\test.exe
    • d:\internal\files\test.exe
    -Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
    • c:\test\sample\test.exe
    • c:\test\sample\test2.exe
    • c:\test\sample\utility.exe
    -Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md). @@ -39,25 +43,23 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists. -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions for files opened by specified processes - - ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans +### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to exclude files that have been opened by specified processes from scans @@ -71,14 +73,10 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 5. Click **OK**. -![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - - ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -91,11 +89,11 @@ The format for the cmdlets is: The following are allowed as the \: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +|Configuration action | PowerShell cmdlet | +|---|---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove items from the list | `Remove-MpPreference` | >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. @@ -106,11 +104,11 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties: ```WMI ExclusionProcess @@ -118,33 +116,24 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - +For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal). ### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
    • C:\MyData\\*
    |
    • Any file opened by C:\MyData\file.exe
    -? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
    • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
    |
    • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
    - - +|Wildcard | Example use | Example matches | +|:---|:---|:---| +|`*` (asterisk)

    Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` | +|Environment variables

    The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` | ## Review the list of exclusions @@ -163,8 +152,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https:// MpCmdRun.exe -CheckExclusion -path ``` ->[!NOTE] ->Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. +> [!NOTE] +> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. ### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell @@ -175,7 +164,7 @@ Use the following cmdlet: Get-MpPreference ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Retrieve a specific exclusions list by using PowerShell @@ -186,7 +175,7 @@ $WDAVprefs = Get-MpPreference $WDAVprefs.ExclusionProcess ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md index 20f94ac46b..5e47aa185b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Configure behavioral, heuristic, and real-time protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus uses several methods to provide threat protection: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md index 6bcef11259..83078c2db2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ ms.custom: nextgen # Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index 8b66efba75..b080c70faa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -11,16 +11,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp --- # Configure remediation for Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. @@ -36,20 +39,20 @@ To configure these settings: 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings. -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled -Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) -Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable -Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled| +|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days | +|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) | +|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed | +|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable | +|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable | > [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index ab7fa39e3c..3ac64a1e57 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -17,6 +17,13 @@ ms.custom: nextgen # Configure Microsoft Defender Antivirus exclusions on Windows Server +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + + Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > [!NOTE] @@ -154,7 +161,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - `%systemroot%\Sysvol\*\Nntfrs_cmp*\` + - `%systemroot%\Sysvol\*\Ntfrs_cmp*\` - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` @@ -197,43 +204,11 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r #### Hyper-V exclusions -This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role +The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role. -- File type exclusions: - - - `*.vhd` - - - `*.vhdx` - - - `*.avhd` - - - `*.avhdx` - - - `*.vsv` - - - `*.iso` - - - `*.rct` - - - `*.vmcx` - - - `*.vmrs` - -- Folder exclusions: - - - `%ProgramData%\Microsoft\Windows\Hyper-V` - - - `%ProgramFiles%\Hyper-V` - - - `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` - - - `%Public%\Documents\Hyper-V\Virtual Hard Disks` - -- Process exclusions: - - - `%systemroot%\System32\Vmms.exe` - - - `%systemroot%\System32\Vmwp.exe` +|File type exclusions |Folder exclusions | Process exclusions | +|:--|:--|:--| +| `*.vhd`
    `*.vhdx`
    `*.avhd`
    `*.avhdx`
    `*.vsv`
    `*.iso`
    `*.rct`
    `*.vmcx`
    `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V`
    `%ProgramFiles%\Hyper-V`
    `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
    `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe`
    `%systemroot%\System32\Vmwp.exe` | #### SYSVOL files diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md index 440b53b85c..0651cae7a7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 440b53b85c..6b950c1ad9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -16,21 +16,24 @@ ms.reviewer: manager: dansimp --- -# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. ## In this section -Topic | Description ----|--- -[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning -[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app -[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app +| Article | Description | +|:---|:---| +|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning | +|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning | +|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder | +|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans | +|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app | +|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index 0036dd3c81..a8268af781 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -18,15 +18,18 @@ manager: dansimp # Deploy, manage, and report on Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways. Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. -However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table. You'll also see additional links for: @@ -39,13 +42,13 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index 56d1a243c9..56d70bda19 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -11,26 +11,29 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp --- # Deploy and enable Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). -Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. +Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). +The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). -## Related topics +## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index c2f2824510..172fb7952f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -10,22 +10,25 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/31/2020 -ms.reviewer: +ms.date: 12/28/2020 +ms.reviewer: jesquive manager: dansimp --- # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection). With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. @@ -44,69 +47,11 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De > [!IMPORTANT] > Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
    There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. -### Set up a dedicated VDI file share +## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell. -> [!TIP] -> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)! - -Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in. - -#### To create a group with only the devices or users you specify - -1. Go to **Groups** > **New group**. - -2. Specify the following values: - - Group type: **Security** - - Group name: **VDI test VMs** - - Group description: *Optional* - - Membership type: **Assigned** - -3. Add the devices or users you want to be a part of this test and then click **Create** to save the group. - -It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes. - -#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created - -1. Go to **Groups** > **New group**. - -2. Specify the following values: - - Group type: **Security** - - Group name: **VDI test VMs** - - Group description: *Optional* - - Membership type: **Dynamic Device** - -3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. - -4. Click **Add query** and then **Create** to save the group. - -5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. - -#### Create a new device configuration profile - -In this example, we create a new device configuration profile by clicking **Create profile**. - -1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type. - -2. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values: - - Name: **VDI shared sig location** - - Description: *Optional* - - OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot** - - Data type: **String** - - `\\\wdav-update\` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be) - -3. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. - -4. Click **Create** to save the new profile. The profile details page now appears. - -5. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**. - -6. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices. - -The profile will now be deployed to the impacted devices. This may take some time. - -#### Use Group Policy to enable the shared security intelligence feature: +### Use Group Policy to enable the shared security intelligence feature: 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**. @@ -118,148 +63,175 @@ The profile will now be deployed to the impacted devices. This may take some tim 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). +6. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. 8. Deploy the GPO to the VMs you want to test. -#### Use PowerShell to enable the shared security intelligence feature +### Use PowerShell to enable the shared security intelligence feature Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs: - + ```PowerShell Set-MpPreference -SharedSignaturesPath \\\wdav-update ``` See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be. -### Download and unpackage the latest updates +## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell -$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' +$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-" $vdmpathtime = Get-Date -format "yMMddHHmmss" $vdmpath = $vdmpathbase + $vdmpathtime + '}' $vdmpackage = $vdmpath + '\mpam-fe.exe' -$args = @("/x") New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage -cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" +cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day – but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. -#### Set a scheduled task to run the powershell script +### Set a scheduled task to run the PowerShell script 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. -2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**. -4. You can choose to configure additional settings if you wish. +4. You can choose to configure additional settings if you wish. -5. Click **OK** to save the scheduled task. +5. Select **OK** to save the scheduled task. - You can initiate the update manually by right-clicking on the task and clicking **Run**. -#### Download and unpackage manually +### Download and unpackage manually -If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +If you would prefer to do everything manually, here's what to do to replicate the script’s behavior: 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. -2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. +2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}` - Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. +Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}` + + > [!NOTE] + > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. 3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`. 4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`. - Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. + > [!NOTE] + > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. -### Randomize scheduled scans +## Randomize scheduled scans Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. -### Use quick scans +## Use quick scans -You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. -### Prevent notifications +4. Select **OK**. -Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. +5. Deploy your Group Policy object as you usually do. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +## Prevent notifications -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy. -3. Click **OK**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +2. Select **Suppress all notifications** and then edit the policy settings. -### Disable scans after an update +3. Set the policy to **Enabled**, and then select **OK**. -This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +4. Deploy your Group Policy object as you usually do. + +Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> To open the Action Center on Windows 10, take one of the following steps: +> - On the right end of the taskbar, select the Action Center icon. +> - Press the Windows logo key button + A. +> - On a touchscreen device, swipe in from the right edge of the screen. + +## Disable scans after an update + +Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Select **Turn on scan after security intelligence update** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Disabled**. -This prevents a scan from running immediately after an update. +4. Select **OK**. -### Scan VMs that have been offline +5. Deploy your Group Policy object as you usually do. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +This policy prevents a scan from running immediately after an update. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +## Scan VMs that have been offline -3. Click **OK**. +1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -This forces a scan if the VM has missed two or more consecutive scheduled scans. +2. Select **Turn on catch-up quick scan** and then edit the policy setting. +3. Set the policy to **Enabled**. -### Enable headless UI mode +4. Select **OK**. -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. +5. Deploy your Group Policy Object as you usually do. -2. Click **OK**. +This policy forces a scan if the VM has missed two or more consecutive scheduled scans. -This hides the entire Microsoft Defender AV user interface from users. +## Enable headless UI mode -### Exclusions +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus). +2. Select **Enable headless UI mode** and edit the policy. +3. Set the policy to **Enabled**. + +4. Click **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. + +## Exclusions + +Exclusions can be added, removed, or customized to suit your needs. + +For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index f996b8c772..8d04445395 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -11,130 +11,140 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: +ms.date: 01/08/2021 ms.reviewer: manager: dansimp --- # Detect and block potentially unwanted applications +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) > [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. -Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. +Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. -For example: +Here are some examples: -* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. +- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages. +- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). +> [!TIP] +> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. -## How it works +PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016. -### Microsoft Edge +## Microsoft Edge -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). +The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). -#### Enable PUA protection in Chromium-based Microsoft Edge +### Enable PUA protection in Chromium-based Microsoft Edge Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. 1. Select the ellipses, and then choose **Settings**. -2. Select **Privacy and services**. -3. Under the **Services** section, turn on **Block potentially unwanted apps**. +2. Select **Privacy, search, and services**. +3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/). -#### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. +[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. -### Microsoft Defender Antivirus +## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] -> This feature is only available in Windows 10. +> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content. The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Microsoft Defender Antivirus +### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. > [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. +> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -##### Use Intune to configure PUA protection +#### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -##### Use Configuration Manager to configure PUA protection +#### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). +PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch). -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch). For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] > PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. -##### Use Group Policy to configure PUA protection +#### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. +1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). -3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. +3. Select the Group Policy Object you want to configure, and then choose **Edit**. -4. Double-click **Configure protection for potentially unwanted applications**. +4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. -5. Select **Enabled** to enable PUA protection. +5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. +6. Double-click **Configure detection for potentially unwanted applications**. -##### Use PowerShell cmdlets to configure PUA protection +7. Select **Enabled** to enable PUA protection. -###### To enable PUA protection +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. + +9. Deploy your Group Policy object as you usually do. + +#### Use PowerShell cmdlets to configure PUA protection + +##### To enable PUA protection ```PowerShell Set-MpPreference -PUAProtection enable ``` Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -###### To set PUA protection to audit mode +##### To set PUA protection to audit mode ```PowerShell Set-MpPreference -PUAProtection auditmode ``` Setting `AuditMode` will detect PUAs without blocking them. -###### To disable PUA protection +##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: @@ -145,17 +155,19 @@ Setting the value for this cmdlet to `Disabled` will turn the feature off if it See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -#### View PUA events +### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. -#### Allow-listing apps +### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. + +For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index dbd8db2df4..69956ae919 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable cloud-delivered protection in Microsoft Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +title: Turn on cloud-delivered protection in Microsoft Defender Antivirus +description: Turn on cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -9,72 +9,80 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.custom: nextgen --- -# Enable cloud-delivered protection +# Turn on cloud-delivered protection + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets. + + You can also turn it on or off in individual clients with the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. +For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md). > [!NOTE] -> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839). -## Use Intune to enable cloud-delivered protection +## Use Intune to turn on cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. On the **Home** pane, select **Device configuration > Profiles**. +3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. - -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -## Use Configuration Manager to enable cloud-delivered protection +## Use Microsoft Endpoint Manager to turn on cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: + 1. **High**: Applies a strong level of detection. + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). + 3. **Zero tolerance**: Blocks all unknown executables. +6. Select **Review + save**, then choose **Save**. -## Use Group Policy to enable cloud-delivered protection +For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service). -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +## Use Group Policy to turn on cloud-delivered protection -2. In the **Group Policy Management Editor** go to **Computer configuration**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. Select **Administrative templates**. 4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** -5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. +5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. -6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following: +6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either: 1. **Send safe samples** (1) 2. **Send all samples** (3) @@ -83,28 +91,28 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -7. Click **OK**. +7. Select **OK**. -## Use PowerShell cmdlets to enable cloud-delivered protection +## Use PowerShell cmdlets to turn on cloud-delivered protection -Use the following cmdlets to enable cloud-delivered protection: +The following cmdlets can turn on cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. >[!WARNING] -> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -## Use Windows Management Instruction (WMI) to enable cloud-delivered protection +## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: @@ -113,33 +121,31 @@ MAPSReporting SubmitSamplesConsent ``` -See the following for more information and allowed parameters: +For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -## Enable cloud-delivered protection on individual clients with the Windows Security app +## Turn on cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. +> [!NOTE] +> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. -## Related topics +## Related articles - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index f6fcbbbeda..0cba7e0b50 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -17,14 +17,17 @@ manager: dansimp # Evaluate Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png new file mode 100644 index 0000000000..7f5019db43 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png new file mode 100644 index 0000000000..f93b4ad4dc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png new file mode 100644 index 0000000000..bf839465f9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png new file mode 100644 index 0000000000..6d5d59ee31 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png new file mode 100644 index 0000000000..d9751a4953 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png new file mode 100644 index 0000000000..5a8def8136 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png new file mode 100644 index 0000000000..0b0516183a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png new file mode 100644 index 0000000000..e4b306fd92 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 75c974ae9b..1edd31f232 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -19,9 +19,12 @@ manager: dansimp # Use limited periodic scanning in Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index 8b91ba2fde..6cd83a72ce 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -11,16 +11,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.date: 09/17/2018 +ms.reviewer: pahuijbr manager: dansimp --- # Manage event-based forced updates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. @@ -30,7 +33,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c ### Use Configuration Manager to check for protection updates before running a scan -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. @@ -82,7 +85,7 @@ You can use Group Policy to force Microsoft Defender Antivirus to check and down 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. @@ -140,16 +143,16 @@ If you have enabled cloud-delivered protection, Microsoft Defender AV will send 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. 6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. > [!NOTE] -> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. +> **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. -## Related articles +## See also - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) - [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index 690a9eee6a..204266480c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. @@ -34,7 +37,7 @@ If Microsoft Defender Antivirus did not download protection updates for a specif ### Use Configuration Manager to configure catch-up protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -163,7 +166,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index b626c962ef..1147a164e1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -12,16 +12,18 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp --- # Manage the schedule for when protection updates should be downloaded and applied +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus lets you determine when it should look for and download updates. @@ -35,7 +37,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. @@ -58,10 +60,10 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings: - 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. @@ -100,8 +102,3 @@ See the following for more information and allowed parameters: - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - - - - - diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 38a6d28737..d45869f99e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Manage how and where Microsoft Defender AV receives updates +title: Manage how and where Microsoft Defender Antivirus receives updates description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh @@ -10,16 +10,19 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp ms.custom: nextgen --- # Manage the sources for Microsoft Defender Antivirus protection updates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22146631) @@ -68,7 +71,7 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| +|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.| |Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
    Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. @@ -108,7 +111,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch). ## Use PowerShell cmdlets to manage the update location @@ -167,7 +170,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence MD C:\Temp\TempSigs\x86 ``` -3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). +3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). 4. Click **Manual Download**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 6f73b79b2b..b0d94c4785 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -11,52 +11,183 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp +ms.date: 01/07/2021 --- # Manage Microsoft Defender Antivirus updates and apply baselines +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) There are two types of updates related to keeping Microsoft Defender Antivirus up to date: - - Security intelligence updates - - Product updates +- Security intelligence updates +- Product updates > [!IMPORTANT] > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. -> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> +> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info). ## Security intelligence updates -Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. +Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. -The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. +> [!NOTE] +> Updates are released under the below KB numbers: +> Microsoft Defender Antivirus: KB2267602 +> System Center Endpoint Protection: KB2461484 -Engine updates are included with the security intelligence updates and are released on a monthly cadence. +Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). + +For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes). + +Engine updates are included with security intelligence updates and are released on a monthly cadence. ## Product updates -Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as *platform updates*), and will receive major feature updates alongside Windows 10 releases. + +You can manage the distribution of updates through one of the following methods: + +- [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction) +- The usual method you use to deploy Microsoft and Windows updates to endpoints in your network. -You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] -> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server. +> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). ## Monthly platform and engine versions -For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). +For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). -All our updates contain: -* performance improvements -* serviceability improvements -* integration improvements (Cloud, MTP) +All our updates contain +- performance improvements; +- serviceability improvements; and +- integration improvements (Cloud, Microsoft 365 Defender). +

    + + +
    + November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4) + + Security intelligence update version: **1.327.1854.0** + Released: **December 03, 2020** + Platform: **4.18.2011.6** + Engine: **1.1.17700.4** + Support phase: **Security and Critical Updates** + +### What's new + +- Improved SmartScreen status support logging +- Apply CPU throttling policy to manually initiated scans + +### Known Issues +No known issues
    +
    + October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5) + + Security intelligence update version: **1.327.7.0** + Released: **October 29, 2020** + Platform: **4.18.2010.7** + Engine: **1.1.17600.5** + Support phase: **Security and Critical Updates** + +### What's new + +- New descriptions for special threat categories +- Improved emulation capabilities +- Improved host address allow/block capabilities +- New option in Defender CSP to Ignore merging of local user exclusions + +### Known Issues + +No known issues +
    +
    + September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4) + + Security intelligence update version: **1.325.10.0** + Released: **October 01, 2020** + Platform: **4.18.2009.7** + Engine: **1.1.17500.4** + Support phase: **Security and Critical Updates** + +### What's new + +- Admin permissions are required to restore files in quarantine +- XML formatted events are now supported +- CSP support for ignoring exclusion merges +- New management interfaces for: + - UDP Inspection + - Network Protection on Server 2019 + - IP Address exclusions for Network Protection +- Improved visibility into TPM measurements +- Improved Office VBA module scanning + +### Known Issues + +No known issues +
    +
    + +### Previous version updates: Technical upgrade support only + +After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only. +

    + +
    + August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) + + Security intelligence update version: **1.323.9.0** + Released: **August 27, 2020** + Platform: **4.18.2008.9** + Engine: **1.1.17400.5** + +### What's new + +- Add more telemetry events +- Improved scan event telemetry +- Improved behavior monitoring for memory scans +- Improved macro streams scanning +- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet +- [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program. + + +### Known Issues +No known issues +
    +
    + +
    + July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4) + + Security intelligence update version: **1.321.30.0** + Released: **July 28, 2020** + Platform: **4.18.2007.8** + Engine: **1.1.17300.4** + Support phase: **Technical upgrade support (only)** + +### What's new + +- Improved telemetry for BITS +- Improved Authenticode code signing certificate validation + +### Known Issues +No known issues +
    +
    +
    June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2) @@ -64,15 +195,16 @@ All our updates contain:  Released: **June 22, 2020**  Platform: **4.18.2006.10**  Engine: **1.1.17200.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -* Skipping aggressive catchup scan in Passive mode. -* Allow Defender to update on metered connections -* Fixed performance tuning when caching is disabled -* Fixed registry query -* Fixed scantime randomization in ADMX + +- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +- Skipping aggressive catchup scan in Passive mode. +- Allow Defender to update on metered connections +- Fixed performance tuning when caching is disabled +- Fixed registry query +- Fixed scantime randomization in ADMX ### Known Issues No known issues @@ -86,15 +218,16 @@ No known issues  Released: **May 26, 2020**  Platform: **4.18.2005.4**  Engine: **1.1.17100.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* Improved logging for scan events -* Improved user mode crash handling. -* Added event tracing for Tamper protection -* Fixed AMSI Sample submission -* Fixed AMSI Cloud blocking -* Fixed Security update install log + +- Improved logging for scan events +- Improved user mode crash handling. +- Added event tracing for Tamper protection +- Fixed AMSI Sample submission +- Fixed AMSI Cloud blocking +- Fixed Security update install log ### Known Issues No known issues @@ -108,16 +241,16 @@ No known issues  Released: **April 30, 2020**  Platform: **4.18.2004.6**  Engine: **1.1.17000.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* WDfilter improvements -* Add more actionable event data to ASR detection events -* Fixed version information in diagnostic data and WMI -* Fixed incorrect platform version in UI after platform update -* Dynamic URL intel for Fileless threat protection -* UEFI scan capability -* Extend logging for updates +- WDfilter improvements +- Add more actionable event data to attack surface reduction detection events +- Fixed version information in diagnostic data and WMI +- Fixed incorrect platform version in UI after platform update +- Dynamic URL intel for Fileless threat protection +- UEFI scan capability +- Extend logging for updates ### Known Issues No known issues @@ -131,15 +264,15 @@ No known issues  Released: **March 24, 2020**  Platform: **4.18.2003.8**  Engine: **1.1.16900.4** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) -* Improve diagnostic capability -* reduce Security intelligence timeout (5min) -* Extend AMSI engine internal log capability -* Improve notification for process blocking +- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) +- Improve diagnostic capability +- reduce Security intelligence timeout (5 min) +- Extend AMSI engine internal log capability +- Improve notification for process blocking ### Known Issues [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. @@ -152,11 +285,11 @@ No known issues February-2020 (Platform: - | Engine: 1.1.16800.2) - Security intelligence update version: **1.311.4.0** - Released: **February 25, 2020** - Platform/Client: **-** - Engine: **1.1.16800.2** - Support phase: **N/A** + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **Technical upgrade support (only)** ### What's new @@ -174,54 +307,57 @@ Security intelligence update version: **1.309.32.0** Released: **January 30, 2020** Platform/Client: **4.18.2001.10** Engine: **1.1.16700.2** -Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Fixed BSOD on WS2016 with Exchange -* Support platform updates when TMP is redirected to network path -* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.10 hang +- Fixed BSOD on WS2016 with Exchange +- Support platform updates when TMP is redirected to network path +- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) +- Fix 4.18.1911.3 hang ### Known Issues [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
    > [!IMPORTANT] -> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
    This update has reboot flag for systems that are experiencing the hang issue.
    the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. +> This update is: +> - needed by RS1 devices running lower version of the platform to support SHA2; +> - has a reboot flag for systems that have hanging issues; +> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability; +> - is categorized as an update due to the reboot requirement; and +> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
    - November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7) + November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7) Security intelligence update version: **1.307.13.0** Released: **December 7, 2019** -Platform: **4.18.1911.2** +Platform: **4.18.1911.3** Engine: **1.1.17000.7** Support phase: **No support** ### What's new -* Fixed MpCmdRun tracing level -* Fixed WDFilter version info -* Improve notifications (PUA) -* add MRT logs to support files +- Fixed MpCmdRun tracing level +- Fixed WDFilter version info +- Improve notifications (PUA) +- add MRT logs to support files ### Known Issues -No known issues +When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
    + ## Microsoft Defender Antivirus platform support -As stated above, platform and engine updates are provided on a monthly cadence. -Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version: +Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: - -* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. +- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. - -* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* +- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* \* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. @@ -231,24 +367,103 @@ During the technical support (only) phase, commercially reasonable support incid The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: |Windows 10 release |Platform version |Engine version |Support phase | -|-|-|-|-| -|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | -|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | -|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | -|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) | -|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) | -|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | -|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | +|:---|:---|:---|:---| +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) | +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) | +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) | +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) | +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) | +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) | +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) | +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +## Updates for Deployment Image Servicing and Management (DISM) -## In this section +We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. -Article | Description ----|--- -[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. -[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. -[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on. -[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. -[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. +For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). + +
    +1.1.2101.02 + + Package version: **1.1.2101.02** + Platform version: **4.18.2011.6** + Engine version: **1.17700.4** + Signature version: **1.329.1796.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2012.01 + + Package version: **1.1.2012.01** + Platform version: **4.18.2010.7** + Engine version: **1.17600.5** + Signature version: **1.327.1991.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2011.02 + + Package version: **1.1.2011.02** + Platform version: **4.18.2010.7** + Engine version: **1.17600.5** + Signature version: **1.327.658.0** + +### Fixes +- None + +### Additional information +- Refreshed Microsoft Defender Antivirus signatures +
    +
    +1.1.2011.01 + + Package version: **1.1.2011.01** + Platform version: **4.18.2009.7** + Engine version: **1.17600.5** + Signature version: **1.327.344.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2009.10 + + Package version: **1.1.2011.01** + Platform version: **4.18.2008.9** + Engine version: **1.17400.5** + Signature version: **1.327.2216.0** + +### Fixes +- None + +### Additional information +- Added support for Windows 10 RS1 or later OS install images. +
    +
    + +## Additional resources + +| Article | Description | +|:---|:---| +|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. | +|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. | +|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. | +|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. | +|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. | +|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 86217f98d9..e2fb5173d8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Define how mobile devices are updated by Microsoft Defender AV -description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates. +title: Define how mobile devices are updated by Microsoft Defender Antivirus +description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates. keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,64 +11,69 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp --- # Manage updates for mobile devices and virtual machines (VMs) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. +Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates. -There are two settings that are particularly useful for these devices: +There are two settings that are useful for these devices: -- Opt-in to Microsoft Update on mobile computers without a WSUS connection +- Opt in to Microsoft Update on mobile computers without a WSUS connection - Prevent Security intelligence updates when running on battery power -The following topics may also be useful in these situations: +The following articles may also be useful in these situations: - [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) -## Opt-in to Microsoft Update on mobile computers without a WSUS connection +## Opt in to Microsoft Update on mobile computers without a WSUS connection You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. -You can opt-in to Microsoft Update on the mobile device in one of the following ways: +You can opt in to Microsoft Update on the mobile device in one of the following ways: -1. Change the setting with Group Policy -2. Use a VBScript to create a script, then run it on each computer in your network. -3. Manually opt-in every computer on your network through the **Settings** menu. +- Change the setting with Group Policy. +- Use a VBScript to create a script, then run it on each computer in your network. +- Manually opt in every computer on your network through the **Settings** menu. -### Use Group Policy to opt-in to Microsoft Update +### Use Group Policy to opt in to Microsoft Update -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. -6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. +5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**. -### Use a VBScript to opt-in to Microsoft Update +### Use a VBScript to opt in to Microsoft Update -1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -2. Run the VBScript you created on each computer in your network. +1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -### Manually opt-in to Microsoft Update +2. Run the VBScript you created on each computer in your network. -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. -2. Click **Advanced** options. -3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. +### Manually opt in to Microsoft Update + +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in. + +2. Select **Advanced** options. + +3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. ## Prevent Security intelligence updates when running on battery power @@ -76,17 +81,15 @@ You can configure Microsoft Defender Antivirus to only download protection updat ### Use Group Policy to prevent security intelligence updates on battery power -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: - - 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. - 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**. +This action prevents protection updates from downloading when the PC is on battery power. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 200a5cd47a..d1fbec7602 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Antivirus compatibility with other security products -description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using. -keywords: windows defender, atp, advanced threat protection, compatibility, passive mode +description: Get an overview of what to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using. +keywords: windows defender, next-generation, atp, advanced threat protection, compatibility, passive mode search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,33 +11,35 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: tewchen, pahuijbr, shwjha manager: dansimp -ms.date: 08/26/2020 +ms.date: 01/11/2021 --- # Microsoft Defender Antivirus compatibility +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. -- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. -- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact. +Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. +- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) +- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact. -## Antivirus and Microsoft Defender ATP +## Antivirus and Microsoft Defender for Endpoint -The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. +The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. -| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state | +| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | |------|------|-------|-------| | Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | | Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | | Windows 10 | Microsoft Defender Antivirus | No | Active mode | | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | @@ -45,13 +47,13 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | -(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. +(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. -If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: +If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: ForceDefenderPassiveMode -- Type: REG_DWORD -- Value: 1 +- Name: `ForceDefenderPassiveMode` +- Type: `REG_DWORD` +- Value: `1` See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. @@ -64,38 +66,41 @@ See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-def ## Functionality and features available in each state -The following table summarizes the functionality and features that are available in each state: +The table in this section summarizes the functionality and features that are available in each state. + +> [!IMPORTANT] +> The following table is informational, and it is designed to describe the features & capabilities that are turned on or off according to whether Microsoft Defender Antivirus is in Active mode, in Passive mode, or disabled/uninstalled. Do not turn off capabilities, such as real-time protection, if you are using Microsoft Defender Antivirus in passive mode or are using EDR in block mode. |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | |--|--|--|--|--|--| |Active mode

    |Yes |No |Yes |Yes |Yes | -|Passive mode |No |No |Yes |No |Yes | +|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | - In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. -- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. +- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended. ## Keep the following points in mind -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. +- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. -In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. -If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. + If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically. > [!WARNING] -> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). +> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). -## Related topics +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) -- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client) +- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index 3952f63c4c..fb9db59528 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -1,45 +1,47 @@ --- title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 -description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 +description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection. keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: high author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 +ms.date: 12/16/2020 ms.reviewer: manager: dansimp ms.custom: nextgen --- -# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 +# Next-generation protection in Windows + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Microsoft Defender Antivirus: Your next-generation protection -Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: +Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities: -- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. -- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date. +- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware. +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats. +- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date. ## Try a demo! -Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: +Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: - Cloud-delivered protection - Block at first sight (BAFS) protection - Potentially unwanted applications (PUA) protection ## Minimum system requirements -Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: +Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources: - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) @@ -51,8 +53,8 @@ For information on how to configure next-generation protection services, see [Co > [!Note] > Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md). -## Related articles +## See also +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) - [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md) - - [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index a4a959b83d..c16f2a4930 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -10,21 +10,22 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 -ms.reviewer: +ms.date: 01/04/2021 +ms.reviewer: pahuijbr, shwjha manager: dansimp --- -# Microsoft Defender Antivirus on Windows Server 2016 and 2019 +# Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- Windows Server 2016 -- Windows Server 2019 +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. +Microsoft Defender Antivirus is available on Windows Server 2016 and 2019. In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. -While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: +While the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server 2016 and 2019: - In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product. @@ -33,23 +34,17 @@ While the functionality, configuration, and management are largely the same for The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) - -2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019) - -2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running) - -3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) - -4. (As needed) [Submit samples](#submit-samples) - -5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) - -6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus) +1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019). +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019). +3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running). +4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). +5. (As needed) [Submit samples](#submit-samples). +6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions). +7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode). ## Enable the user interface on Windows Server 2016 or 2019 -By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or by using PowerShell. ### Turn on the GUI using the Add Roles and Features Wizard @@ -118,14 +113,14 @@ The `sc query` command returns information about the Microsoft Defender Antiviru In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. -By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods: +By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods: |Method |Description | |---------|---------| |**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
    - **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | |**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** | -|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
    - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
    - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | +|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
    - **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
    - **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | To ensure that protection from malware is maintained, we recommend that you enable the following services: @@ -159,10 +154,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an |Setting |Description | |---------|---------| -|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | -|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | -|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. | -|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | +|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | +|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | +|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. | +|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | ## Configure automatic exclusions @@ -170,38 +165,29 @@ To help ensure security and performance, certain exclusions are automatically ad See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). -## Need to uninstall Microsoft Defender Antivirus? +## Need to set Microsoft Defender Antivirus to passive mode? -If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources: +If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode. -- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). +### Set Microsoft Defender Antivirus to passive mode using a registry key -- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection. +If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: +- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` +- Name: `ForceDefenderPassiveMode` +- Type: `REG_DWORD` +- Value: `1` -If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections. +### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard -### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard +1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. +2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. -2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option. - - If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. + If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. - Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. + Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -### Uninstall Microsoft Defender Antivirus using PowerShell - ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. - -The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019: - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender -``` - -### Turn off the GUI using PowerShell +### Turn off the Microsoft Defender Antivirus user interface using PowerShell To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet: @@ -209,8 +195,7 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c Uninstall-WindowsFeature -Name Windows-Defender-GUI ``` - -## Related topics +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md index e824427101..fa33dd9526 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md @@ -17,9 +17,12 @@ manager: dansimp # Run and review the results of a Microsoft Defender Offline scan +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). @@ -55,7 +58,7 @@ See the [Manage Microsoft Defender Antivirus Security intelligence updates](man In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint. -The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. +The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: @@ -67,7 +70,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. -![Microsoft Endpoint Configuration Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png) +![Microsoft Endpoint Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png) ## Configure notifications diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index d32346b285..e4f4d4c952 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -17,9 +17,12 @@ manager: dansimp # Microsoft Defender Antivirus in the Windows Security app +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. @@ -36,7 +39,7 @@ Settings that were previously part of the Windows Defender client and main Windo See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. -The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Review virus and threat protection settings in the Windows Security app diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index 55931f992b..3ca4e0239b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -20,16 +20,19 @@ manager: dansimp # Better together: Microsoft Defender Antivirus and Office 365 -**Applies to:** +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Microsoft Defender Antivirus -- Office 365 +- Microsoft 365 You might already know that: - **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). -- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). +- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). - **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing). @@ -45,9 +48,9 @@ Read the following sections to learn more. When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur: -1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.) +1. **You are told about the threat**. (If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), your security operations team is notified, too.) -2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.) +2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender for Endpoint, your security operations team can determine whether other devices are infected and take appropriate action, too.) 3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f). @@ -55,19 +58,19 @@ Think of the time and hassle this can save. ## Integration means better protection -Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how: +Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint means better protection for your organization. Here's how: -- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. +- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. AND -- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture. +- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture. SO - Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). -If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). +If you haven't already done so, [integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). ## More good reasons to use OneDrive @@ -79,8 +82,8 @@ Protection from ransomware is one great reason to put your files in OneDrive. An [OneDrive](https://docs.microsoft.com/onedrive) -[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide) +[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide) -[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 52690f977b..ad05cd6b37 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,6 +1,6 @@ --- title: Protect security settings with tamper protection -ms.reviewer: +ms.reviewer: shwjha, hayhov manager: dansimp description: Use tamper protection to prevent malicious apps from changing important security settings. keywords: malware, defender, antivirus, tamper protection @@ -14,17 +14,26 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen +ms.date: 01/07/2021 --- # Protect security settings with tamper protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Tamper protection is available on devices running the following versions of Windows: + - Windows 10 +- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) ## Overview -During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring. +During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as: @@ -37,19 +46,20 @@ With tamper protection, malicious apps are prevented from taking actions such as ### How it works - Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: +Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: - Configuring settings in Registry Editor on your Windows machine - Changing settings through PowerShell cmdlets - Editing or removing security settings through group policies -Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team. +Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; tamper protection is managed by your security team. ### What do you want to do? 1. Turn tamper protection on
    - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine). - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). + - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006) 2. [View information about tampering attempts](#view-information-about-tampering-attempts). @@ -66,9 +76,9 @@ Tamper protection doesn't prevent you from viewing your security settings. And, > > Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. -If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this. +If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection. -1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. +1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. @@ -80,36 +90,32 @@ If you are a home user, or you are not subject to settings managed by a security ## Turn tamper protection on (or off) for your organization using Intune -If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)). - -> [!NOTE] -> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below. +If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. -1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: +1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection: - - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)). - - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) - - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) + - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) + - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) -2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. +2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account. -3. Select **Device configuration** > **Profiles**. +3. Select **Devices** > **Configuration Profiles**. -4. Create a profile as follows: +4. Create a profile that includes the following settings: - - Platform: **Windows 10 and later** + - **Platform: Windows 10 and later** - - Profile type: **Endpoint protection** + - **Profile type: Endpoint protection** - - Category: **Microsoft Defender Security Center** + - **Category: Microsoft Defender Security Center** - - Tamper Protection: **Enabled** + - **Tamper Protection: Enabled** - ![Turn tamper protection on with Intune](images/turnontamperprotect-intune.png) + ![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png) 5. Assign the profile to one or more groups. @@ -121,10 +127,38 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release 1. Open the Windows PowerShell app. -2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet. +2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet. 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) +## Manage tamper protection with Configuration Manager, version 2006 + +> [!IMPORTANT] +> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. + +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. + +1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). + +2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
    + + - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**. + + - In the **Profile** list, select **Windows Security experience (preview)**.
    + + The following screenshot illustrates how to create your policy: + + :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager"::: + +3. Deploy the policy to your device collection. + +Need help? See the following resources: + +- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings) + +- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) + + ## View information about tampering attempts Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats. @@ -133,7 +167,7 @@ When a tampering attempt is detected, an alert is raised in the [Microsoft Defen ![Microsoft Defender Security Center](images/tamperattemptalert.png) -Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts. +Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts. ## Review your security recommendations @@ -151,54 +185,45 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili ### To which Windows OS versions is configuring tamper protection is applicable? -Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### Is configuring tamper protection in Intune supported on servers? +If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). -No - -### Will tamper protection have any impact on third party antivirus registration? +### Will tamper protection have any impact on third-party antivirus registration? No. Third-party antivirus offerings will continue to register with the Windows Security application. ### What happens if Microsoft Defender Antivirus is not active on a device? -Tamper protection will not have any impact on such devices. +Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features. ### How can I turn tamper protection on/off? If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). -If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). +If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: + +- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) + +- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) ### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy? Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on. -> [!NOTE] -> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. +### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings. - -Some sample Microsoft Defender Antivirus settings: - -- *Turn off real-time protection*
    - Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
    - Value `DisableRealtimeMonitoring` = 0 - -### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only? - -Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? -Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager. +If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin). ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? -Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by tamper protection; such change requests are ignored. @@ -206,28 +231,24 @@ You won’t be able to change the features that are protected by tamper protecti No. Local admins cannot change or modify tamper protection settings. -### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state? +### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state? -In this case, tamper protection status changes, and this feature is no longer applied. +If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices. ### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center? Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. -In addition, your security operations team can use hunting queries, such as the following: +In addition, your security operations team can use hunting queries, such as the following example: `DeviceAlertEvents | where Title == "Tamper Protection bypass"` [View information about tampering attempts](#view-information-about-tampering-attempts). -### Will there be a group policy setting for tamper protection? - -No. - -## Related articles +## See also [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md) +[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index a2c6bdee36..bc77598593 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans. @@ -37,7 +40,7 @@ With the setting set to **Disabled** or not configured: ![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) +>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." @@ -61,6 +64,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users. +> [!NOTE] +> This setting is not supported on Windows 10. + ### Use Group Policy to prevent users from pausing a scan 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index da205310f1..5219b4f3eb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -11,18 +11,23 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 12/07/2020 ms.reviewer: manager: dansimp --- # Report on Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. + +With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings. @@ -39,5 +44,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s ## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016) - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index 434a02f941..e2ce17b208 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Restore quarantined files in Microsoft Defender AV +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index d23aa3b802..44079dd62b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -11,26 +11,23 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 09/28/2020 ms.reviewer: manager: dansimp --- # Review Microsoft Defender Antivirus scan results +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. +After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. -## Use Microsoft Intune to review scan results - -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Click the scan results in **Device actions status**. - ## Use Configuration Manager to review scan results See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). @@ -43,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu Get-MpThreatDetection ``` -![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png) +![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png) You can specify `-ThreatID` to limit the output to only show the detections for a specific threat. @@ -53,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat Get-MpThreat ``` -![IMAGEALT](images/defender/wdav-get-mpthreat.png) +![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png) See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 5266967e27..3f93858b01 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -11,52 +11,64 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp --- # Configure and run on-demand Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. - ## Quick scan versus full scan -Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. +Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +> [!IMPORTANT] +> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. -In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. +Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection. ->[!NOTE] ->By default, quick scans run on mounted removable devices, such as USB drives. +A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans. -## Use Configuration Manager to run a scan +> [!NOTE] +> By default, quick scans run on mounted removable devices, such as USB drives. -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. +## Use Microsoft Endpoint Manager to run a scan + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. In the list of tabs, select **Windows 10 unhealthy endpoints**. +4. From the list of actions provided, select **Quick Scan** or **Full Scan**. + +[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox) + +> [!TIP] +> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers). ## Use the mpcmdrun.exe command-line utility to run a scan Use the following `-scan` parameter: -```DOS +```console mpcmdrun.exe -scan -scantype 1 ``` -See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. + +For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md). ## Use Microsoft Intune to run a scan -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan. +3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**. ## Use the Windows Security app to run a scan @@ -69,15 +81,14 @@ Use the following cmdlet: ```PowerShell Start-MpScan ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. + +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ## Use Windows Management Instruction (WMI) to run a scan -Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class. +For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index 7c297d11d4..153100cb9f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Schedule regular quick and full scans with Microsoft Defender AV +title: Schedule regular quick and full scans with Microsoft Defender Antivirus description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular search.product: eADQiWindows 10XVcnh @@ -11,28 +11,31 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/22/2020 -ms.reviewer: +ms.date: 11/02/2020 +ms.reviewer: pauhijbr manager: dansimp --- # Configure scheduled quick or full Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + > [!NOTE] > By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default. - In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans. You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10). -To configure the Group Policy settings described in this topic: +## To configure the Group Policy settings described in this article 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -42,7 +45,9 @@ To configure the Group Policy settings described in this topic: 5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. + +7. Click **OK**, and repeat for any other settings. Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics. @@ -72,12 +77,13 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli ### Use Group Policy to schedule scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Specify the scan type to use for a scheduled scan | Quick scan -Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never -Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
    In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Specify the scan type to use for a scheduled scan | Quick scan | +|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never | +|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. | +|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
    In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled | + ### Use PowerShell cmdlets to schedule scans @@ -98,8 +104,10 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanParameters +ScanScheduleDay +ScanScheduleTime +RandomizeScheduleTaskTimes ``` See the following for more information and allowed parameters: @@ -117,9 +125,9 @@ You can set the scheduled scan to only occur when the endpoint is turned on but ### Use Group Policy to schedule scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled | ### Use PowerShell cmdlets @@ -136,8 +144,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanOnlyIfIdleEnabled ``` See the following for more information and allowed parameters: @@ -150,10 +157,10 @@ Some threats may require a full scan to complete their removal and remediation. ### Use Group Policy to schedule remediation-required scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never -Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am +| Location | Setting | Description | Default setting (if not configured) | +|---|---|---|---| +|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never | +|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. | ### Use PowerShell cmdlets @@ -171,8 +178,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +RemediationScheduleDay +RemediationScheduleTime ``` See the following for more information and allowed parameters: @@ -188,17 +195,18 @@ You can enable a daily quick scan that can be run in addition to your other sche ### Use Group Policy to schedule daily scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never -Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am + +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never | +|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. | ### Use PowerShell cmdlets to schedule daily scans Use the following cmdlets: ```PowerShell -Set-MpPreference -ScanScheduleQuickTime +Set-MpPreference -ScanScheduleQuickScanTime ``` See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -208,8 +216,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanScheduleQuickScanTime ``` See the following for more information and allowed parameters: @@ -222,13 +229,11 @@ You can force a scan to occur after every [protection update](manage-protection- ### Use Group Policy to schedule scans after protection updates -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled - -## Related topics - +|Location | Setting | Description | Default setting (if not configured)| +|:---|:---|:---|:---| +|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled | +## See also - [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) - [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index 07f45f646e..770bc4a2bb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Specify cloud-delivered protection level in Microsoft Defender Antivirus -description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus. +title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus +description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -10,7 +10,7 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 08/12/2020 +ms.date: 10/26/2020 ms.reviewer: manager: dansimp ms.custom: nextgen @@ -18,60 +18,70 @@ ms.custom: nextgen # Specify the cloud-delivered protection level +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. +You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy. ->[!NOTE] ->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +> [!TIP] +> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates. +> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). -## Use Intune to specify the level of cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. -5. On the **File Blocking Level** switch, select one of the following: +## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. + +2. Choose **Endpoint security** > **Antivirus**. + +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. + +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: 1. **High**: Applies a strong level of detection. - 2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance). + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). 3. **Zero tolerance**: Blocks all unknown executables. -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. Choose **Review + save**, and then choose **Save**. -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) +> [!TIP] +> Need some help? See the following resources: +> - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) +> - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) -## Use Configuration Manager to specify the level of cloud-delivered protection - -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - ## Use Group Policy to specify the level of cloud-delivered protection 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). 2. Right-click the Group Policy Object you want to configure, and then click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**. -4. Click **Administrative templates**. +4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**. - -6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: +5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files. - **Moderate blocking level** provides moderate only for high confidence detections - - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). - - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). + - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives). + - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives). - **Zero tolerance blocking level** blocks all unknown executables. > [!WARNING] > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection). -7. Click **OK**. +6. Click **OK**. +7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) + +> [!TIP] +> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md new file mode 100644 index 0000000000..6c91515428 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -0,0 +1,135 @@ +--- +title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution +description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus +keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +author: martyav +ms.author: v-maave +ms.custom: nextgen +ms.date: 09/11/2018 +ms.reviewer: +manager: dansimp +--- + +# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + + +You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. + +## Review event logs + +Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*. + +Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**. + +From there, select **Open** underneath **Operational**. + +Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs. + +## Microsoft Defender Antivirus won't start + +This issue can manifest in the form of several different event IDs, all of which have the same underlying cause. + +### Associated event IDs + + Event ID | Log name | Description | Source +-|-|-|- +15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center +5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

    **Old value:** Default\IsServiceRunning = 0x0
    **New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender +5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender + +### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed + +On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality. + +> [!TIP] +> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software. + +#### Use Services app to check if Microsoft Defender Antivirus is turned off + +To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*. + +Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*. + +While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.* + +This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus. + +#### Generate a detailed report + +You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command: + +```powershell +GPresult.exe /h gpresult.html +``` + +This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off. + +##### Group policy results + +##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM) + +Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. + +Policy | Setting | Winning GPO +-|-|- +Turn off Windows Defender Antivirus | Enabled | Win10-Workstations + +###### If security settings are implemented via Group policy preference (GPP) + +Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. + +DisableAntiSpyware | - +-|- +Winning GPO | Win10-Workstations +Result: Success | +**General** | +Action | Update +**Properties** | +Hive | HKEY_LOCAL_MACHINE +Key path | SOFTWARE\Policies\Microsoft\Windows Defender +Value name | DisableAntiSpyware +Value type | REG_DWORD +Value data | 0x1 (1) + +###### If security settings are implemented via registry key + +The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off: + +> Registry (regedit.exe) +> +> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender +> DisableAntiSpyware (dword) 1 (hex) + +###### If security settings are set in Windows or your Windows Server image + +Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus. + +### Turn Microsoft Defender Antivirus back on + +Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality. + +> [!WARNING] +> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. + +Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed. + +Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections. + +> [!IMPORTANT] +> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode. + +### See also + +* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) +* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index 6bc4a4a744..ba1346ed98 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -17,9 +17,12 @@ manager: dansimp # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. @@ -30,7 +33,7 @@ The tables list: - [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) > [!TIP] -> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > > - Cloud-delivered protection > - Fast learning (including Block at first sight) @@ -48,7 +51,7 @@ The table in this section lists the main Microsoft Defender Antivirus event IDs ## To view a Microsoft Defender Antivirus event 1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md index a2747a705d..4693016f63 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md @@ -17,14 +17,17 @@ manager: dansimp # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. -You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). +You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues. @@ -56,7 +59,7 @@ In order for devices to properly show up in Update Compliance, you have to meet > - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). > - It has been 3 days since all requirements have been met -“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" +“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 97fb2041b9..87f46b0cd9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Microsoft Defender Antivirus with Group Policy -description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender ATP. +description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -10,16 +10,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.date: 10/01/2018 +ms.reviewer: ksarens manager: dansimp --- # Use Group Policy settings to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints. @@ -93,7 +96,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) -Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) +Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10) Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md index 71edcfc785..40f6f950ca 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune -description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,24 +11,37 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 10/26/2018 ms.reviewer: manager: dansimp --- -# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus +# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans. +If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. -In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus. +1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**. -See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. +2. Under **Manage**, choose **Antivirus**. -For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +3. Select your Microsoft Defender Antivirus policy. + +4. Under **Manage**, choose **Properties**. + +5. Next to **Configuration settings**, choose **Edit**. + +6. Expand the **Scan** section, and review or edit your scanning settings. + +7. Choose **Review + save** + +Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md index 2bfad82a62..ae51436faa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md @@ -18,9 +18,12 @@ manager: dansimp # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md index 5247002bbc..51137f3e9e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Microsoft Defender Antivirus with WMI -description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender ATP. +description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,9 +18,12 @@ manager: dansimp # Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index 9eb816975e..c79e1ae87f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -16,13 +16,16 @@ ms.custom: nextgen # Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. @@ -65,7 +68,7 @@ The following table describes the differences in cloud-delivered protection betw |Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | |Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | |System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable | -|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | +|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | |Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates). @@ -79,6 +82,6 @@ You can also [configure Microsoft Defender Antivirus to automatically receive ne - [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy. -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index 91d3f43edb..56c8f7668f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection" +title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint" description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh @@ -16,36 +16,39 @@ ms.reviewer: manager: dansimp --- -# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection +# Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). +Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender for Endpoint). -Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Microsoft Defender Antivirus together with Microsoft Defender ATP. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. +Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. -## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender ATP +## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint | |Advantage |Why it matters | |--|--|--| -|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | +|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | |2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | -|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| -|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| +|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md).| +|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| |6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).| |8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | |10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| -|11|Technical support |By using Microsoft Defender ATP together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). | +|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). | ## Learn more -[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) +[Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) [Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md index 35f40da2a5..52b3bb034e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md @@ -4,4 +4,5 @@ ## [Install WDAG](install-md-app-guard.md) ## [Configure WDAG policies](configure-md-app-guard.md) ## [Test scenarios](test-scenarios-md-app-guard.md) +## [Microsoft Defender Application Guard Extension](md-app-guard-browser-extension.md) ## [FAQ](faq-md-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 121ed70fbe..aa6d77cbd0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -17,7 +17,7 @@ ms.custom: asr # Configure Microsoft Defender Application Guard policy settings **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 4dcd95abef..ab42d2eb12 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 08/17/2020 +ms.date: 11/03/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -16,24 +16,24 @@ ms.custom: asr # Frequently asked questions - Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4GB RAM? | -We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +### Can I enable Application Guard on machines equipped with 4-GB RAM? +We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8GB.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5GB.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) ### Can employees download documents from the Application Guard Edge session onto host devices? -In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy. +In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. @@ -43,20 +43,16 @@ Depending on your organization's settings, employees can copy and paste images ( ### Why don't employees see their Favorites in the Application Guard Edge session? -To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device. +To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. -### Are extensions supported in the Application Guard? +### Why aren’t employees able to see their Extensions in the Application Guard Edge session? -Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container). +Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. -If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.* - -Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect. - ### Which Input Method Editors (IME) in 19H1 are not supported? The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard. @@ -75,47 +71,47 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903 ### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? -This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. +This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. ### What is the WDAGUtilityAccount local account? -This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. +This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. ### How do I trust a subdomain in my site list? -To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. +To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). ### Is there a size limit to the domain lists that I need to configure? -Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit. +Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit. ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). -### Why do the network isolation policies in Group Policy and CSP look different? +### Why do the Network Isolation policies in Group Policy and CSP look different? -There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP. +There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. -Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources" -Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" +Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnets or CloudResources" +Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements. +If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. -### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")? +### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? -Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. +Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. -### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file? +### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file? This is a known issue. To mitigate this you need to create two firewall rules. For guidance on how to create a firewall rule by using group policy, see: @@ -124,51 +120,45 @@ For guidance on how to create a firewall rule by using group policy, see: First rule (DHCP Server): 1. Program path: `%SystemRoot%\System32\svchost.exe` -2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess)) +2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` 3. Protocol UDP 4. Port 67 Second rule (DHCP Client) This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: -1. Right click on inbound rules, create a new rule. -2. Choose **custom rule**. -3. Program path: **%SystemRoot%\System32\svchost.exe**. -4. Protocol Type: UDP, Specific ports: 67, Remote port: any. -5. Any IP addresses. -6. Allow the connection. -7. All profiles. -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. -9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. +1. Right click on inbound rules, create a new rule. +2. Choose **custom rule**. +3. Program path: `%SystemRoot%\System32\svchost.exe`. +4. Protocol Type: UDP, Specific ports: 67, Remote port: any. +5. Any IP addresses. +6. Allow the connection. +7. All profiles. +8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. +9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. ### Why can I not launch Application Guard when Exploit Guard is enabled? -There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**. +There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. ### How can I have ICS in enabled state yet still use Application Guard? -This is a two step process. +ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. -Step 1: +1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**. -Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**. - -Step 2: - -1. Disable IpNat.sys from ICS load: -`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`. -2. Configure ICS (SharedAccess) to enabled: -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`. -3. Disable IPNAT (Optional): -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. -4. Restart the device. +2. Disable IpNat.sys from ICS load as follows:
    +`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` -### Why doesn't Application Guard work, even though it's enabled through Group Policy? +3. Configure ICS (SharedAccess) to enabled as follows:
    +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` -Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). -To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing. +4. (This is optional) Disable IPNAT as follows:
    +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` -For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite. +5. Reboot the device. -For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP. +## See also + +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png new file mode 100644 index 0000000000..4ad77f8a06 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png new file mode 100644 index 0000000000..25e3ef533b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png new file mode 100644 index 0000000000..779f647b33 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png index 1afbd303b0..7ee172b509 100644 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png index 56acb4be53..99e590e6ca 100644 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 8aba080ae4..2ead755621 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/19/2019 +ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -17,7 +17,7 @@ ms.custom: asr # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md new file mode 100644 index 0000000000..a84686a871 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -0,0 +1,98 @@ +--- +title: Microsoft Defender Application Guard Extension +description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: martyav +ms.author: v-maave +ms.date: 06/12/2020 +ms.reviewer: +manager: dansimp +ms.custom: asr +--- + +# Microsoft Defender Application Guard Extension + +**Applies to:** + +- Windows 10 + +[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). + +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. + +> [!TIP] +> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. + +Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected. + +## Prerequisites + +Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later: + +- Windows 10 Professional +- Windows 10 Enterprise +- Windows 10 Education + +Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. + +## Installing the extension + +Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries. + +Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place. + +From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode. + +1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). +1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer. +1. Restart the device. + +### Recommended browser group policies + +Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings. + +#### Chrome policies + +These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
    `1` = Disabled
    `2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
    `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
    `true` or `1` = Enabled

    **Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. + +#### Firefox policies + +These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
    `true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
    `true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. + +## Troubleshooting guide + + + +Error message | Cause | Actions +-|-|- +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
    2. If the companion app is already installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation +Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
    2. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Check if Edge is working
    3. Retry the operation + +## Related articles + +- [Microsoft Defender Application Guard overview](md-app-guard-overview.md) +- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9a278e3b9b..98150e0f15 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/28/2019 +ms.date: 12/17/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -16,36 +16,39 @@ ms.custom: asr # Microsoft Defender Application Guard overview -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? -Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. +For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container. + +For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. -If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. ![Hardware isolation diagram](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? -Application Guard has been created to target several types of systems: +Application Guard has been created to target several types of devices: -- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. +- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. -- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. +- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. -- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. +- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. -- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. +- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. ## Related articles |Article |Description | -|------|------------| +|:------|:------------| |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| +| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | +| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 5757f18c10..81623005a4 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -16,7 +16,7 @@ ms.custom: asr # System requirements for Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index e2a6d3e0ec..6ffce8a986 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -10,69 +10,68 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp +ms.date: 09/14/2020 ms.custom: asr --- # Application Guard testing scenarios +**Applies to:** -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. - ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. ### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). -2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. +2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu. ![New Application Guard window setting option](images/appguard-new-window.png) - + 3. Wait for Application Guard to set up the isolated environment. >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. - + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) -## Application Guard in Enterprise-managed mode +## Application Guard in Enterprise-managed mode How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. ### Install, set up, and turn on Application Guard -Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard). -2. Restart the device and then start Microsoft Edge. +2. Restart the device, and then start Microsoft Edge. 3. Set up the Network Isolation settings in Group Policy: - a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - + a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**. + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. - c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. - e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) -4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode** setting. +4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. 5. Click **Enabled**, choose Option **1**, and click **OK**. @@ -81,14 +80,14 @@ Before you can use Application Guard in enterprise mode, you must install Window >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type www.microsoft.com. - +6. Start Microsoft Edge and type `https://www.microsoft.com`. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. - + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) @@ -108,6 +107,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** + - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 @@ -116,24 +116,24 @@ You have the option to change each of these settings to work with your enterpris 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**. 2. Click **Enabled** and click **OK**. - + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: - + - Copy and paste from the isolated session to the host PC - + - Copy and paste from the host PC to the isolated session - + - Copy and paste both directions 4. Choose what can be copied: - - - **1.** Only text can be copied between the host PC and the isolated container. - - **2.** Only images can be copied between the host PC and the isolated container. + - Only text can be copied between the host PC and the isolated container. - - **3.** Both text and images can be copied between the host PC and the isolated container. + - Only images can be copied between the host PC and the isolated container. + + - Both text and images can be copied between the host PC and the isolated container. 5. Click **OK**. @@ -156,21 +156,26 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) - + 3. Open Microsoft Edge and browse to an untrusted, but safe URL. - The website opens in the isolated session. + The website opens in the isolated session. 4. Add the site to your **Favorites** list and then close the isolated session. -5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. The previously added site should still appear in your **Favorites** list. - >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

    If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

    **To reset the container, follow these steps:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. - + > [!NOTE] + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > + > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. + > + > **To reset the container, follow these steps:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + **Applies to:** + - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 @@ -181,10 +186,10 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Download options](images/appguard-gp-download.png) - + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Download a file from Microsoft Defender Application Guard. +4. Download a file from Microsoft Defender Application Guard. 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. @@ -195,12 +200,13 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) - -3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Assess the visual experience and battery performance. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +4. Assess the visual experience and battery performance. **Applies to:** + - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 @@ -210,11 +216,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) - + ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open a file in Edge, such an Office 365 file. +4. Open a file in Edge, such an Office 365 file. 5. Check to see that an antivirus scan completed before the file was opened. @@ -224,11 +230,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png) - + ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Edge. 5. Check that the camera and microphone work as expected. @@ -238,7 +244,23 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png) - + ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +## Application Guard Extension for third-party web browsers + +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. + +Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. + +1. Open either Firefox or Chrome — whichever browser you have the extension installed on. + +2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) + +3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) + +4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** + ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md new file mode 100644 index 0000000000..72cf708d67 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -0,0 +1,131 @@ +--- +title: "Onboard Windows 10 multi-session devices in Windows Virtual Desktop" +description: "Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop" +keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.topic: article +author: dansimp +ms.author: dansimp +ms.custom: nextgen +ms.date: 09/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Onboard Windows 10 multi-session devices in Windows Virtual Desktop +6 minutes to read + +Applies to: +- Windows 10 multi-session running on Windows Virtual Desktop (WVD) +> [!IMPORTANT] +> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. + +> [!WARNING] +> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. + +Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. + + ## Before you begin +Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts. + +> [!NOTE] +> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either: +> - Single entry for each virtual desktop +> - Multiple entries for each virtual desktop + +Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. + +Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. + +> [!NOTE] +> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. + +### Scenarios +There are several ways to onboard a WVD host machine: + +- Run the script in the golden image (or from a shared location) during startup. +- Use a management tool to run the script. + +#### *Scenario 1: Using local group policy* +This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process. + +Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). + +Follow the instructions for a single entry for each device. + +#### *Scenario 2: Using domain group policy* +This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. + +**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center** +1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) + - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. + - Select Windows 10 as the operating system. + - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. + - Click **Download package** and save the .zip file. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. + +**Use Group Policy management console to run the script when the virtual machine starts** +1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**. +1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7). +1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as. +1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. +1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field. +Enter the following: + +> Action = "Start a program"
    +> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    +> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1" + +Click **OK** and close any open GPMC windows. + +#### *Scenario 3: Onboarding using management tools* + +If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. + +For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) + +> [!WARNING] +> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). + +#### Tagging your machines when building your golden image + +As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see +[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). + +#### Other recommended configuration settings + +When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). + +In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: + +**Exclude Files:** + +> %ProgramFiles%\FSLogix\Apps\frxdrv.sys
    +> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
    +> %ProgramFiles%\FSLogix\Apps\frxccd.sys
    +> %TEMP%\*.VHD
    +> %TEMP%\*.VHDX
    +> %Windir%\TEMP\*.VHD
    +> %Windir%\TEMP\*.VHDX
    +> \\storageaccount.file.core.windows.net\share\*\*.VHD
    +> \\storageaccount.file.core.windows.net\share\*\*.VHDX
    + +**Exclude Processes:** + +> %ProgramFiles%\FSLogix\Apps\frxccd.exe
    +> %ProgramFiles%\FSLogix\Apps\frxccds.exe
    +> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
    + +#### Licensing requirements + +Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements). diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md index 647939803c..ccf8b5f19e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md +++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md @@ -19,11 +19,14 @@ ms.topic: article # Access the Microsoft Defender Security Center MSSP customer portal +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) @@ -53,4 +56,4 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I ## Related topics - [Grant MSSP access to the portal](grant-mssp-access.md) - [Configure alert notifications](configure-mssp-notifications.md) -- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) \ No newline at end of file +- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 85b5514ca3..2cb1370de1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -18,9 +18,17 @@ ms.topic: article # Add or Remove Machine Tags API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +43,7 @@ Adds or remove tag to a specific [Machine](machine.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -51,7 +59,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ```http -POST https://api.securitycenter.windows.com/api/machines/{id}/tags +POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags ``` ## Request headers @@ -81,10 +89,8 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ```http -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags Content-type: application/json { "Value" : "test Tag 2", diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index d5802d8faf..50b285cef4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -17,15 +17,18 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure advanced features in Microsoft Defender ATP +# Configure advanced features in Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) -Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with. +Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: @@ -39,6 +42,12 @@ Turn on this feature so that users with the appropriate permissions can start a For more information about role assignments, see [Create and manage roles](user-roles.md). +## Live response for servers +Turn on this feature so that users with the appropriate permissions can start a live response session on servers. + +For more information about role assignments, see [Create and manage roles](user-roles.md). + + ## Live response unsigned script execution Enabling this feature allows you to run unsigned scripts in a live response session. @@ -85,7 +94,7 @@ To use this feature, devices must be running Windows 10 version 1709 or later. T For more information, see [Manage indicators](manage-indicators.md). >[!NOTE] ->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data. +>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. ## Show user details @@ -113,9 +122,9 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct ## Microsoft Secure Score -Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. +Forwards Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. -### Enable the Microsoft Defender ATP integration from the Azure ATP portal +### Enable the Defender for Endpoint integration from the Azure ATP portal To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. @@ -136,18 +145,18 @@ When you turn this feature on, you'll be able to incorporate data from Office 36 >[!NOTE] >You'll need to have the appropriate license to enable this feature. -To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts -Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it. +Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it. >[!NOTE] ->The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). +>The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). ## Microsoft Cloud App Security -Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. +Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. @@ -158,10 +167,10 @@ Turning on this setting allows signals to be forwarded to Azure Information Prot ## Microsoft Intune connection -Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement. +Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. >[!IMPORTANT] ->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md). +>You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). This feature is only available if you have the following: @@ -178,7 +187,7 @@ When you enable Intune integration, Intune will automatically create a classic C ## Preview features -Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available. @@ -186,7 +195,7 @@ You'll have access to upcoming features, which you can provide feedback on to he Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data. -After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Microsoft Defender ATP alerts will be shared with insider risk management for applicable users. +After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users. ## Enable advanced features @@ -198,4 +207,4 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md new file mode 100644 index 0000000000..46e60648d1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -0,0 +1,80 @@ +--- +title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection +description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +--- + +# AssignedIPAddresses() + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. + +This function returns a table with the following columns: + +Column | Data type | Description +-|-|- +`Timestamp` | datetime | Latest time when the device was observed using the IP address +`IPAddress` | string | IP address used by the device +`IPType` | string | Indicates whether the IP address is a public or private address +`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype) +`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet + +## Syntax + +```kusto +AssignedIPAddresses(x, y) +``` + +## Arguments + +- **x**—`DeviceId` or `DeviceName` value identifying the device +- **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses. + +## Examples + +### Get the list of IP addresses used by a device 24 hours ago + +```kusto +AssignedIPAddresses('example-device-name', ago(1d)) +``` + +### Get IP addresses used by a device and find devices communicating with it + +This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices. + +```kusto +let Date = datetime(example-date); +let DeviceName = "example-device-name"; +// List IP addresses used on or before the specified date +AssignedIPAddresses(DeviceName, Date) +| project DeviceName, IPAddress, AssignedTime = Timestamp +// Get all network events on devices with the assigned IP addresses as the destination addresses +| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP +// Get only network events around the time the IP address was assigned +| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h)) +``` + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 669be788ad..bd47d4a12b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -13,19 +13,24 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: m365-security-compliance ms.topic: article --- # Advanced hunting query best practices -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) ## Optimize query performance -Apply these recommendations to get results faster and avoid timeouts while running complex queries. + +Apply these recommendations to get results faster and avoid timeouts while running complex queries. + - When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`. - Use time filters first. Ideally, limit your queries to seven days. - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. @@ -40,6 +45,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs + Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. @@ -54,6 +60,7 @@ DeviceNetworkEvents The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. ### Queries with command lines + Command lines can vary. When applicable, filter on file names and do fuzzy matching. There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces. @@ -84,9 +91,12 @@ DeviceProcessEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) ## Related topics + - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index cad9c6214b..51940745aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -20,11 +20,14 @@ ms.date: 01/22/2020 # DeviceAlertEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. @@ -50,4 +53,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index a3844f8f21..82be65bdc4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 2e1e4ccfe6..20c0ceb254 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -20,11 +20,14 @@ ms.date: 01/14/2020 # DeviceFileCertificateInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints. @@ -55,4 +58,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 351be8cfc8..2a453a4169 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceFileEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 2327ce1a4e..a00c2ef094 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceImageLoadEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index cc3663977a..8c806a1b38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. @@ -35,7 +38,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `DeviceId` | string | Unique identifier for the device in the service | | `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ClientVersion` | string | Version of the endpoint agent or sensor running on the device | -| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy | +| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy | | `OSArchitecture` | string | Architecture of the operating system running on the device | | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | | `OSBuild` | string | Build version of the operating system running on the device | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 1f7e4db8a1..c04883052f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceLogonEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 3defded189..467888a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceNetworkEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. @@ -64,4 +67,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 82d860e259..48ae9ead1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceNetworkInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 4c9e3d2d15..921304b30c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceProcessEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index bff256d499..ec6f722e98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceRegistryEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index 0b1624d685..bf6dc4404d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceTvmSecureConfigurationAssessment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -42,11 +45,13 @@ For information on other tables in the advanced hunting schema, see [the advance | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | | `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | | `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | - +| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device | +| `Context` | string | Additional contextual information about the configuration or policy | +| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index a50f7b4988..317e6e26c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceTvmSecureConfigurationAssessmentKB +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 6e83ac102d..d61956dee5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceTvmSoftwareInventoryVulnerabilities +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index aa46c9d8a9..0779d7d929 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -19,11 +19,14 @@ ms.topic: article # DeviceTvmSoftwareVulnerabilitiesKB +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md new file mode 100644 index 0000000000..ab53ab3585 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md @@ -0,0 +1,46 @@ +--- +title: Handle errors in advanced hunting for Microsoft Defender ATP +description: Understand errors displayed when using advanced hunting +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Handle advanced hunting errors + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + + +Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors. + +| Error type | Cause | Resolution | Error message examples | +|--|--|--|--| +| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` | +| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`| +| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` | +| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`
    - `You have exceeded processing resources allocated to this tenant. You can run queries again in .` | +| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum limit. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` | +| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`
    -`Query stopped. Adjust use of the operator to avoid excessive resource consumption.` | +| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.` + +## Related topics +- [Advanced hunting best practices](advanced-hunting-best-practices.md) +- [Service limits](advanced-hunting-limits.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Kusto Query Language overview](https://docs.microsoft.com/azure/data-explorer/kusto/query/) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md new file mode 100644 index 0000000000..60566f53f5 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -0,0 +1,48 @@ +--- +title: Extend advanced hunting coverage with the right settings +description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting +keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/10/2020 +--- + +# Extend advanced hunting coverage with the right settings + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. + +## Advanced security auditing on Windows devices + +Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation. + +Data | Description | Schema table | How to configure +-|-|-|- +Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) +Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) +Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md new file mode 100644 index 0000000000..365f8ef6ba --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md @@ -0,0 +1,85 @@ +--- +title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection +description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +--- + +# FileProfile() + +**Applies to:** + +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query. + +Column | Data type | Description +-|-|- +SHA1 | string | SHA-1 of the file that the recorded action was applied to +SHA256 | string | SHA-256 of the file that the recorded action was applied to +MD5 | string | MD5 hash of the file that the recorded action was applied to +FileSize | int | Size of the file in bytes +GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally +GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally +GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally +Signer | string | Information about the signer of the file +Issuer | string | Information about the issuing certificate authority (CA) +SignerHash | string | Unique hash value identifying the signer +IsCertificateValid | boolean | Whether the certificate used to sign the file is valid +IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft +IsExecutable | boolean | Whether the file is a Portable Executable (PE) file +ThreatName | string | Detection name for any malware or other threats found +Publisher | string | Name of the organization that published the file +SoftwareName | string | Name of the software product + +## Syntax + +```kusto +invoke FileProfile(x,y) +``` + +## Arguments + +- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified +- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified + +## Examples + +### Project only the SHA1 column and enrich it + +```kusto +DeviceFileEvents +| where isnotempty(SHA1) and Timestamp > ago(1d) +| take 10 +| project SHA1 +| invoke FileProfile() +``` + +### Enrich the first 500 records and list low-prevalence files + +```kusto +DeviceFileEvents +| where ActionType == "FileCreated" and Timestamp > ago(1d) +| project CreatedOn = Timestamp, FileName, FolderPath, SHA1 +| invoke FileProfile("SHA1", 500) +| where GlobalPrevalence < 15 +``` + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md new file mode 100644 index 0000000000..9b8aed20bc --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md @@ -0,0 +1,107 @@ +--- +title: Get relevant info about an entity with go hunt +description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting. +keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +f1.keywords: +- NOCSH +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Quickly hunt for entity or event information with go hunt + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity. + +The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections: + +- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device. + + ![Image showing device details with the go hunt option](./images/go-hunt-device.png) + +- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity. + + ![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png) + +- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting. + + ![Image showing event details with the go hunt option](./images/go-hunt-event.png) + +Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event. + +## Query for entity information + +When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident. + +Here is an example of the go hunt query for a device: + +```kusto +let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z); +let deviceName = "fv-az770.example.com"; +let deviceId = "device-guid"; +search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents) +Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h)) +and DeviceName == deviceName +// or RemoteDeviceName == deviceName +// or DeviceId == deviceId +| take 100 +``` + +### Supported entity types + +You can use *go hunt* after selecting any of these entity types: + +- Files +- Users +- Devices +- IP addresses +- URLs + +## Query for event information + +When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device: + +```kusto +// List relevant events 30 minutes before and after selected RegistryValueSet event +let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z); +search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents) + Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m)) + and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4" +| sort by Timestamp desc +| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event")) +| project-reorder Relevance +``` + +## Adjust the query + +With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window: + +```kusto +Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h)) +``` + +In addition to modifying the query to get more relevant results, you can also: + +- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart) +- [Create a custom detection rule](custom-detection-rules.md) + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Custom detection rules](custom-detection-rules.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md new file mode 100644 index 0000000000..0516afc2f2 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md @@ -0,0 +1,48 @@ +--- +title: Advanced hunting limits in Microsoft Defender ATP +description: Understand various service limits that keep the advanced hunting service responsive +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Advanced hunting service limits + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits. + +| Limit | Size | Refresh cycle | Description | +|--|--|--|--| +| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. | +| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. | +| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error. +| CPU resources | Based on tenant size | - On the hour and then every 15 minutes
    - Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. | + +>[!NOTE] +>A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md) + +Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits. + +## Related topics + +- [Advanced hunting best practices](advanced-hunting-best-practices.md) +- [Handle advanced hunting errors](advanced-hunting-errors.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Custom detections rules](custom-detection-rules.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index e6feab4594..e42dbf4cf3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -18,44 +18,61 @@ ms.topic: article --- # Proactively hunt for threats with advanced hunting + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. +Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. -You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices. - -## Get started with advanced hunting Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. -

    +
    +
    > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo] -You can also go through each of the following steps to ramp up your advanced hunting knowledge. +You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings. + +>[!TIP] +>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) + +## Get started with advanced hunting + +Go through the following steps to ramp up your advanced hunting knowledge. + +We recommend going through several steps to quickly get up and running with advanced hunting. | Learning goal | Description | Resource | |--|--|--| -| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) | +| **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) | | **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) | -| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) | +| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | -| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
    - [Custom detection rules](custom-detection-rules.md) | +| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
    - [Handle errors](advanced-hunting-errors.md) | +| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) | +| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) | +| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) | +| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
    - [Custom detection rules](custom-detection-rules.md) | ## Data freshness and update frequency -Advanced hunting data can be categorized into two distinct types, each consolidated differently: -- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP. -- **Entity data**—populates tables with consolidated information about users and devices. To provide fresh data, tables are updated every 15 minutes with any new information, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. +Advanced hunting data can be categorized into two distinct types, each consolidated differently. + +- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint. +- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. ## Time zone -All time information in advanced hunting is currently in the UTC time zone. + +Time information in advanced hunting is currently in the UTC time zone. ## Related topics + - [Learn the query language](advanced-hunting-query-language.md) - [Work with query results](advanced-hunting-query-results.md) - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -- [Custom detections overview](overview-custom-detections.md) +- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 1b1ce276f6..76fd2bee7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -19,12 +19,14 @@ ms.topic: article # Learn the advanced hunting query language +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. +Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query. ## Try your first query @@ -49,26 +51,21 @@ union DeviceProcessEvents, DeviceNetworkEvents FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType | top 100 by Timestamp ``` - -This is how it will look like in advanced hunting. - -![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png) - +**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)** ### Describe the query and specify the tables to search -A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. +A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization. ```kusto // Finds PowerShell execution events that could involve a download ``` - -The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed. +The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed. ```kusto union DeviceProcessEvents, DeviceNetworkEvents ``` ### Set the time range -The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out. +The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out. ```kusto | where Timestamp > ago(7d) @@ -77,7 +74,7 @@ The first piped element is a time filter scoped to the previous seven days. Keep ### Check specific processes The time range is immediately followed by a search for process file names representing the PowerShell application. -``` +```kusto // Pivoting on PowerShell processes | where FileName in~ ("powershell.exe", "powershell_ise.exe") ``` @@ -98,7 +95,7 @@ Afterwards, the query looks for strings in command lines that are typically used ``` ### Customize result columns and length -Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process. +Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process. ```kusto | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, @@ -106,7 +103,7 @@ FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType | top 100 by Timestamp ``` -Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. +Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results. ![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png) @@ -115,7 +112,7 @@ Click **Run query** to see the results. Select the expand icon at the top right ## Learn common query operators for advanced hunting -Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. +You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. | Operator | Description and usage | |--|--| @@ -134,15 +131,17 @@ To see a live example of these operators, run them from the **Get started** sect ## Understand data types -Data in advanced hunting tables are generally classified into the following data types. +Advanced hunting supports Kusto data types, including the following common types: | Data type | Description and query implications | |--|--| -| `datetime` | Data and time information typically representing event timestamps | -| `string` | Character string | -| `bool` | True or false | -| `int` | 32-bit numeric value | -| `long` | 64-bit numeric value | +| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) | +| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) | +| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) | +| `int` | 32-bit integer | +| `long` | 64-bit integer | + +To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/). ## Get help as you write queries Take advantage of the following functionality to write queries faster: @@ -152,7 +151,7 @@ Take advantage of the following functionality to write queries faster: - **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries ## Work with multiple queries in the editor -The query editor can serve as your scratch pad for experimenting with multiple queries. To use multiple queries: +You can use the query editor to experiment with multiple queries. To use multiple queries: - Separate each query with an empty line. - Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**. @@ -168,7 +167,7 @@ The **Get started** section provides a few simple queries using commonly used op ![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png) > [!NOTE] -> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. +> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries). ## Access comprehensive query language reference @@ -177,7 +176,6 @@ For detailed information about the query language, see [Kusto query language doc ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md) +- [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index f036dd4418..34db3e0745 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -19,10 +19,13 @@ ms.topic: article # Work with advanced hunting query results -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results: @@ -113,6 +116,12 @@ After running a query, select **Export** to save the results to local file. Your ## Drill down from query results To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity. +To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record: + +- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels +- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees. +- **All details** — Lists all the values from the columns in the record + ## Tweak your queries from the results Right-click a value in the result set to quickly enhance your query. You can use the options to: @@ -123,9 +132,9 @@ Right-click a value in the result set to quickly enhance your query. You can use ![Image of advanced hunting result set](images/advanced-hunting-results-filter.png) ## Filter the query results -The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances. +The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances. -Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**. +Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**. ![Image of advanced hunting filter](images/advanced-hunting-filter.png) @@ -137,4 +146,4 @@ Once you apply the filter to modify the query and then run the query, the result - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 0e2f6811ad..a0988a90d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -20,10 +20,13 @@ ms.date: 01/14/2020 # Understand the advanced hunting schema -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -66,8 +69,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks | + ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Work with query results](advanced-hunting-query-results.md) - [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) - [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 677a74ca65..0daf0cbfda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -19,10 +19,13 @@ ms.topic: article # Use shared queries in advanced hunting -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) [Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch. @@ -40,7 +43,7 @@ You can save a new or existing query so that it is only accessible to you or sha ![Image of saving a query](images/advanced-hunting-save-query.png) 4. Select the folder where you'd like to save the query. - - **Shared queries** — shared to all users in the your organization + - **Shared queries** — shared to all users in your organization - **My queries** — accessible only to you 5. Select **Save**. @@ -63,4 +66,8 @@ Microsoft security researchers regularly share advanced hunting queries in a [de ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file +- [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md new file mode 100644 index 0000000000..d535b139e2 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -0,0 +1,82 @@ +--- +title: Take action on advanced hunting query results in Microsoft Threat Protection +description: Quickly address threats and affected assets in your advanced hunting query results +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +--- + +# Take action on advanced hunting query results + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can: + +- Take various actions on devices +- Quarantine files + +## Required permissions + +To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission: + +*Active remediation actions > Threat and vulnerability management - Remediation handling* + +## Take various actions on devices + +You can take the following actions on devices identified by the `DeviceId` column in your query results: + +- Isolate affected devices to contain an infection or prevent attacks from moving laterally +- Collect investigation package to obtain more forensic information +- Run an antivirus scan to find and remove threats using the latest security intelligence updates +- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices +- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables + +To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md). + +## Quarantine files + +You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine: + +- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file. +- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process. +- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column. +- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column. + +To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md). + +>[!NOTE] +>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers. + +## Take action + +To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions. + +![Image of selected record with panel for inspecting the record](images/ah-take-actions.png) + +## Review actions taken + +Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action. + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 4a29f349d6..5e96430994 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -20,6 +20,9 @@ ms.date: 09/03/2018 --- # Alerts queue in Microsoft Defender Security Center + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index c745548afb..e403e8465c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -18,13 +18,16 @@ ms.topic: article ms.date: 03/27/2020 --- -# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue +# View and organize the Microsoft Defender for Endpoint Alerts queue + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. @@ -58,15 +61,15 @@ Informational
    (Grey) | Alerts that might not be considered harmful to the n #### Understanding alert severity -Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. +Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes. The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected. -The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. +The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. +- The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. - An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. @@ -115,7 +118,7 @@ You can choose between showing alerts that are assigned to you or automation. ### Detection source -Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. +Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. >[!NOTE] >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. @@ -135,11 +138,11 @@ Use this filter to focus on alerts that are related to high profile threats. You ## Related topics -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 34ba31d9cb..0668c313a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -18,9 +18,17 @@ ms.topic: article # Alert resource type -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Methods @@ -68,7 +76,7 @@ comments | List of Alert comments | Alert Comment is an object that contains: co ### Response example for getting single alert: ``` -GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499 +GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499 ``` ```json diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 9022d913df..f9f5d899e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -14,40 +14,45 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- -# Configure Microsoft Defender ATP for Android features +# Configure Defender for Endpoint for Android features + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) -## Conditional Access with Microsoft Defender ATP for Android -Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active +## Conditional Access with Defender for Endpoint for Android +Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies -based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Configure custom indicators >[!NOTE] -> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains. +> Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains. -Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). +Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). ## Configure web protection -Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. +Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. >[!NOTE] -> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +> Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android). ## Related topics -- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) +- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index d2f56eeeb1..52450260ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -14,183 +14,156 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual --- -# Deploy Microsoft Defender ATP for Android with Microsoft Intune +# Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Defender for Endpoint](microsoft-defender-atp-android.md) -This topic describes deploying Microsoft Defender ATP for Android on Intune +Learn how to deploy Defender for Endpoint for Android on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal). > [!NOTE] -> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
    -> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** +> **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
    +> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes. + Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices -**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device +**Deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices** -This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported. +Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices. -### Download the onboarding package - -Download the onboarding package from Microsoft Defender Security Center. - -1. In [Microsoft Defender Security -Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**. - -2. In the first drop-down, select **Android** as the Operating system. - -3. Select **Download Onboarding package** and save the downloaded .APK file. - - ![Image of onboarding package page](images/onboarding_package_1.png) - -### Add as Line of Business (LOB) App - -The downloaded Microsoft Defender ATP for Android onboarding package. It is a -.APK file can be deployed to user groups as a Line of Business app during the -preview from Microsoft Endpoint Manager Admin Center. +### Add as Android store app 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add \> Line-of-business app** and click **Select**. +**Android Apps** \> **Add \> Android store app** and choose **Select**. - ![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png) + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addandroidstoreapp.png) -2. On the **Add app** page and in the *App Information* section, click **Select -add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step. +2. On the **Add app** page and in the *App Information* section enter: - ![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png) + - **Name** + - **Description** + - **Publisher** as Microsoft. + - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) + Other fields are optional. Select **Next**. -3. Select **OK**. + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png) -4. In the *App Information* section that comes up, enter the **Publisher** as -Microsoft. Other fields are optional and then select **Next**. - - ![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png) - -5. In the *Assignments* section, go to the **Required** section and select **Add -group.** You can then choose the user group(s) that you would like to target -Microsoft Defender ATP for Android app. Click **Select** and then **Next**. +3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**. >[!NOTE] >The selected user group should consist of Intune enrolled users. - ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) -6. In the **Review+Create** section, verify that all the information entered is -correct and then select **Create**. +4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - In a few moments, the Microsoft Defender ATP app would be created successfully, -and a notification would show up at the top-right corner of the page. + In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page. ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) -7. In the app information page that is displayed, in the **Monitor** section, +5. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully. - ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) -During Public Preview, to **update** Microsoft Defender ATP for Android deployed -as a Line of Business app, download the latest APK. Following the steps in -*Download the onboarding package* section and follow instructions on how to [update -a Line of Business -App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app). - ### Complete onboarding and check status -1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon. +1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon. ![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg) 2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions -to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android. +to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android. 3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center. - ![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + ![Image of device in Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) ## Deploy on Android Enterprise enrolled devices -Microsoft Defender ATP for Android supports Android Enterprise enrolled devices. +Defender for Endpoint for Android supports Android Enterprise enrolled devices. For more information on the enrollment options supported by Intune, see -[Enrollment -Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . +[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll). -As Microsoft Defender ATP for Android is deployed via managed Google Play, -updates to the app are automatic via Google Play. - -Currently only Personal devices with Work Profile enrolled are supported for deployment. +**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.** ->[!NOTE] ->During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).
    -> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported. -## Add Microsoft Defender ATP for Android as a managed Google Play app +## Add Microsoft Defender for Endpoint for Android as a Managed Google Play app -After receiving a confirmation e-mail from Microsoft that your managed Google -Play organization ID has been approved, follow the steps below to add Microsoft -Defender ATP app into your managed Google Play. +Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play. 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add** and select **managed Google Play app**. +**Android Apps** \> **Add** and select **Managed Google Play app**. - ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) 2. On your managed Google Play page that loads subsequently, go to the search box and lookup **Microsoft Defender.** Your search should display the Microsoft -Defender ATP app in your Managed Google Play. Click on the Microsoft Defender -ATP app from the Apps search result. +Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result. ![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png) 3. In the App description page that comes up next, you should be able to see app -details on Microsoft Defender ATP. Review the information on the page and then +details on Defender for Endpoint. Review the information on the page and then select **Approve**. - ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) + > [!div class="mx-imgBorder"] + > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) -4. You should now be presented with the permissions that Microsoft Defender ATP +4. You'll be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select **Approve**. - ![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) + ![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) 5. You'll be presented with the Approval settings page. The page confirms -your preference to handle new app permissions that Microsoft Defender ATP for +your preference to handle new app permissions that Defender for Endpoint for Android might ask. Review the choices and select your preferred option. Select **Done**. By default, managed Google Play selects *Keep approved when app requests new permissions* - ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) + > [!div class="mx-imgBorder"] + > ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) -6. After the permissions handling selection is made, select **Sync** to sync -Microsoft Defender ATP to your apps list. +6. After the permissions handling selection is made, select **Sync** to sync Microsoft +Defender for Endpoint to your apps list. - ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) + > [!div class="mx-imgBorder"] + > ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) 7. The sync will complete in a few minutes. @@ -200,54 +173,61 @@ Microsoft Defender ATP to your apps list. 8. Select the **Refresh** button in the Android apps screen and Microsoft Defender ATP should be visible in the apps list. - ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) + > [!div class="mx-imgBorder"] + > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) -9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). +9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). - a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. + 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. - ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) + ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) - b. In the **Create app configuration policy** page, enter the following details: + 1. In the **Create app configuration policy** page, enter the following details: + - Name: Microsoft Defender ATP. - Choose **Android Enterprise** as platform. - Choose **Work Profile only** as Profile Type. - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**. - ![Image of create app configuration policy page](images/android-create-app.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy page](images/android-create-app.png) - c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions - - External storage (read) - - External storage (write) + 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions: - Then select **OK**. + - External storage (read) + - External storage (write) - ![Image of create app configuration policy](images/android-create-app-config.png) + Then select **OK**. + + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-create-app-config.png) - d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. + 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. - ![Image of create app configuration policy](images/android-auto-grant.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-auto-grant.png) - e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. + 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. - ![Image of create app configuration policy](images/android-select-group.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-select-group.png) - f. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    + 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    - The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. - - ![Image of create app configuration policy](images/android-review-create.png) + The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group. + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-review-create.png) 10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> **Assignments** \> **Edit**. - ![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png) + ![Image of list of apps](images/mda-properties.png) 11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of @@ -255,40 +235,79 @@ the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**. - ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) + > [!div class="mx-imgBorder"] + > ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) 12. In the **Edit Application** page, review all the information that was entered above. Then select **Review + Save** and then **Save** again to commence assignment. +### Auto Setup of Always-on VPN +Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding. +1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise** +Select **Device restrictions** under one of the following, based on your device enrollment type +- **Fully Managed, Dedicated, and Corporate-Owned Work Profile** +- **Personally owned Work Profile** + +Select **Create**. + + > ![Image of devices configuration profile Create](images/1autosetupofvpn.png) + +2. **Configuration Settings** + Provide a **Name** and a **Description** to uniquely identify the configuration profile. + + > ![Image of devices configuration profile Name and Description](images/2autosetupofvpn.png) + + 3. Select **Connectivity** and configure VPN: +- Enable **Always-on VPN** +Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. +- Select **Custom** in VPN client dropdown list +Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature. + > [!NOTE] + > Microsoft Defender ATP app must be installed on user’s device, in order to functioning of auto setup of this VPN. + +- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx** +- **Lockdown mode** Not configured (Default) + + ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png) + +4. **Assignment** +In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups** to include and selecting the applicable group and then click **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. + + ![Image of devices configuration profile Assignment](images/4autosetupofvpn.png) + +5. In the **Review + Create** page that comes up next, review all the information and then select **Create**. +The device configuration profile is now assigned to the selected user group. + + ![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png) + ## Complete onboarding and check status -1. Confirm the installation status of Microsoft Defender ATP for Android by +1. Confirm the installation status of Microsoft Defender for Endpoint for Android by clicking on the **Device Install Status**. Verify that the device is displayed here. - ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) + > [!div class="mx-imgBorder"] + > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) -2. On the device, you can confirm the same by going to the **work profile** and -confirm that Microsoft Defender ATP is available. +2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available. ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png) 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - ![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png) + ![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png) -4. At this stage the device is successfully onboarded onto Microsoft Defender -ATP for Android. You can verify this on the [Microsoft Defender Security +4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security Center](https://securitycenter.microsoft.com) by navigating to the **Devices** page. - ![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + ![Image of Microsoft Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) ## Related topics -- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Configure Microsoft Defender ATP for Android features](android-configure.md) +- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md new file mode 100644 index 0000000000..66ec2fa838 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md @@ -0,0 +1,110 @@ +--- +title: Microsoft Defender ATP for Android - Privacy information +description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android. +keywords: microsoft, defender, atp, android, privacy, diagnostic +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender for Endpoint for Android - Privacy information + +**Applies to:** + +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) + + +Defender for Endpoint for Android collects information from your configured +Android devices and stores it in the same tenant where you have Defender for Endpoint. + +Information is collected to help keep Defender for Endpoint for Android secure, +up-to-date, performing as expected and to support the service. + +## Required Data + +Required data consists of data that is necessary to make Defender for Endpoint +for Android work as expected. This data is essential to the operation of the +service and can include data related to the end user, organization, device, and +apps. Here's a list of the types of data being collected: + +### App information + +Information about Android application packages (APKs) on the device including + +- Install source +- Storage location (file path) of the APK +- Time of install, size of APK and permissions + +### Web page / Network information + +- Full URL (on supported browsers), when clicked +- Connection information +- Protocol type (such as HTTP, HTTPS, etc.) + + +### Device and account information + +- Device information such as date & time, Android version, OEM model, CPU + info, and Device identifier +- Device identifier is one of the below: + - Wi-Fi adapter MAC address + - [Android + ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID) + (as generated by Android at the time of first boot of the device) + - Randomly generated globally unique identifier (GUID) + +- Tenant, Device and User information + - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely + identifies the device, User respectively at Azure Active directory. + + - Azure tenant ID - GUID that identifies your organization within + Azure Active Directory + + - Microsoft Defender ATP org ID - Unique identifier associated with + the enterprise that the device belongs to. Allows Microsoft to + identify whether issues are impacting a select set of enterprises + and how many enterprises are impacted  + + - User Principal Name – Email ID of the user + +### Product and service usage data +- App package info, including name, version, and app upgrade status + +- Actions performed in the app + +- Threat detection information, such as threat name, category, etc. + +- Crash report logs generated by Android + +## Optional Data + +Optional data includes diagnostic data and feedback data. Optional diagnostic +data is additional data that helps us make product improvements and provides +enhanced information to help us detect, diagnose, and fix issues. Optional +diagnostic data includes: + +- App, CPU, and network usage + +- State of the device from the app perspective, including scan status, scan + timings, app permissions granted, and upgrade status + +- Features configured by the admin + +- Basic information about the browsers on the device + +**Feedback Data** is collected through in-app feedback provided by the user + +- The user’s email address, if they choose to provide it + +- Feedback type (smile, frown, idea) and any feedback comments submitted by + the user diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md new file mode 100644 index 0000000000..34959bf022 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md @@ -0,0 +1,99 @@ +--- +title: Troubleshoot issues on Microsoft Defender ATP for Android +ms.reviewer: +description: Troubleshoot issues for Microsoft Defender ATP for Android +keywords: microsoft, defender, atp, android, cloud, connectivity, communication +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- + +# Troubleshooting issues on Microsoft Defender for Endpoint for Android + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Defender for Endpoint](microsoft-defender-atp-android.md) + +During onboarding, you might encounter sign in issues after the app is installed on your device. + +This article provides solutions to address the sign on issues. + +## Sign in failed - unexpected error +**Sign in failed:** *Unexpected error, try later* + +![Image of sign in failed error Unexpected error](images/f9c3bad127d636c1f150d79814f35d4c.png) + +**Message:** + +Unexpected error, try later + +**Cause:** + +You have an older version of "Microsoft Authenticator" app installed on your +device. + +**Solution:** + +Install latest version and of [Microsoft +Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator) +from Google Play Store and try again + +## Sign in failed - invalid license + +**Sign in failed:** *Invalid license, please contact administrator* + +![Image of sign in failed please contact administrator](images/920e433f440fa1d3d298e6a2a43d4811.png) + +**Message:** *Invalid license, please contact administrator* + +**Cause:** + +You do not have Microsoft 365 license assigned, or your organization does not +have a license for Microsoft 365 Enterprise subscription. + +**Solution:** + +Contact your administrator for help. + +## Phishing pages are not blocked on specific OEM devices + +**Applies to:** Specific OEMs only + +- **Xiaomi** + +Phishing and harmful web connection threats detected by Defender for Endpoint +for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices. + +![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png) + + +**Cause:** + +Xiaomi devices introduced a new permission that prevents Defender for Endpoint +for Android app from displaying pop-up windows while running in the background. + +Xiaomi devices permission: "Display pop-up windows while running in the +background." + +![Image of pop up setting](images/6e48e7b29daf50afddcc6c8c7d59fd64.png) + +**Solution:** + +Enable the required permission on Xiaomi devices. + +- Display pop-up windows while running in the background. diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index c7309c2bb9..d8dd335aff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md @@ -19,12 +19,15 @@ ms.topic: conceptual hideEdit: true --- -# Microsoft Defender ATP for Android application license terms +# Microsoft Defender for Endpoint for Android application license terms + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint](microsoft-defender-atp-android.md) -## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT These license terms ("Terms") are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They @@ -49,21 +52,21 @@ DO NOT USE THE APPLICATION.** 1. **INSTALLATION AND USE RIGHTS.** 1. **Installation and Use.** You may install and use any number of copies - of this application on Android enabled device or devices which you own + of this application on Android enabled device or devices that you own or control. You may use this application with your company's valid - subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or - an online service that includes MDATP functionalities. + subscription of Microsoft Defender for Endpoint or + an online service that includes Microsoft Defender for Endpoint functionalities. - 2. **Updates.** Updates or upgrades to MDATP may be required for full + 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries. - 3. **Third Party Programs.** The application may include third party + 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only. 2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to - Internet access, data transfer and other services per the terms of the data + Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges. @@ -89,21 +92,21 @@ DO NOT USE THE APPLICATION.** improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of - certain features of the application. For additional information on - Microsoft's data collection and use, see the [Online Services + certain features of the application. For more information about + Microsoft data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777). 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain - unauthorized access to any service, data, account or network by any + unauthorized access to any service, data, account, or network by any means. 4. **FEEDBACK.** If you give feedback about the application to Microsoft, you - give to Microsoft, without charge, the right to use, share and commercialize + give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, - technologies and services to use or interface with any specific parts of a + technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback @@ -127,35 +130,35 @@ DO NOT USE THE APPLICATION.** - publish the application for others to copy; - - rent, lease or lend the application; or + - rent, lease, or lend the application; or - transfer the application or this agreement to any third party. 6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws - include restrictions on destinations, end users and end use. For additional + include restrictions on destinations, end users, and end use. For more information, - see[www.microsoft.com/exporting](https://www.microsoft.com/exporting). + + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). 7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about your use of this application, including questions about your company's - privacy policy, please contact your company's admin. Do not contact the + privacy policy, contact your company's admin. Do not contact the application store, your network operator, device manufacturer, or Microsoft. The application store provider has no obligation to furnish support or maintenance with respect to the application. 8. **APPLICATION STORE.** - 1. If you obtain the application through an application store (e.g., Google - Play), please review the applicable application store terms to ensure + 1. If you obtain the application through an application store (for example, Google + Play), review the applicable application store terms to ensure your download and use of the application complies with such terms. - Please note that these Terms are between you and Microsoft and not with + Note that these Terms are between you and Microsoft and not with the application store. - 2. The respective application store provider and its subsidiaries are third - party beneficiaries of these Terms, and upon your acceptance of these + 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights. @@ -210,20 +213,20 @@ DO NOT USE THE APPLICATION.** This limitation applies to: - anything related to the application, services, content (including code) on - third party Internet sites, or third party programs; and + third-party internet sites, or third-party programs; and -- claims for breach of contract, warranty, guarantee or condition; consumer +- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, - misrepresentation, omission, trespass or other tort; violation of statute or + misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law. It also applies even if: -a. Repair, replacement or refund for the application does not fully compensate +a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or b. Covered Parties knew or should have known about the possibility of the damages. -The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index 09f3293f1a..c75879bafc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -20,13 +20,16 @@ ms.topic: conceptual # API Explorer +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively. +The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively. -The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface. +The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface. The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens. @@ -44,7 +47,7 @@ From the left navigation menu, select **Partners & APIs** > **API Explorer**. ## Supported APIs -API Explorer supports all the APIs offered by Microsoft Defender ATP. +API Explorer supports all the APIs offered by Defender for Endpoint. The list of supported APIs is available in the [APIs documentation](apis-intro.md). @@ -58,7 +61,7 @@ Some of the samples may require specifying a parameter in the URL, for example, ## FAQ **Do I need to have an API token to use the API Explorer?**
    -Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request. +Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request. The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 88fd42601a..81f125ba22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -17,11 +17,18 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP API - Hello World +# Microsoft Defender for Endpoint API - Hello World -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## Get Alerts using a simple PowerShell script @@ -44,7 +51,7 @@ For the Application registration stage, you must have a **Global administrator** 3. In the registration form, choose a name for your application and then click **Register**. -4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission: +4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission: - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. @@ -100,8 +107,8 @@ $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here $appSecret = '' ### Paste your Application secret here -$resourceAppIdUri = 'https://api.securitycenter.windows.com' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$resourceAppIdUri = 'https://api.securitycenter.microsoft.com' +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -139,7 +146,7 @@ $dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o") # The URL contains the type of query and the time filter we create above # Read more about other query options and filters at Https://TBD- add the documentation link -$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime" +$url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime" # Set the WebRequest headers $headers = @{ @@ -174,6 +181,6 @@ You’re all done! You have just successfully: ## Related topic -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index e4a1dddb18..44003ec0b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -19,9 +19,12 @@ ms.topic: article # Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes. @@ -78,4 +81,4 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the You can also create a **scheduled** flow that runs Advanced Hunting queries and much more! ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 1e157ea511..2170d310c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -17,25 +17,28 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP detections API fields +# Microsoft Defender for Endpoint detections API fields + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. +>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections. >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details. ->- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. -The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). Field numbers match the numbers in the images below. @@ -46,12 +49,12 @@ Field numbers match the numbers in the images below. > | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. | > | 2 | Severity | deviceSeverity | High | Value available for every Detection. | > | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. | -> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. | +> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. | > | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. | > | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. | > | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. | -> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. | -> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. | +> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. | +> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. | > | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. | > | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. | > | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. | @@ -69,6 +72,9 @@ Field numbers match the numbers in the images below. > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | +| | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection. +| | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. +| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | @@ -91,7 +97,7 @@ Field numbers match the numbers in the images below. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) +- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index a7f95c1789..9bb4eb7102 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -19,11 +19,18 @@ ms.topic: article # Create custom reports using Power BI -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs. +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + +In this section you will learn create a Power BI report on top of Defender for Endpoint APIs. The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. @@ -43,9 +50,9 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a ``` let - AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'", + AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20", - HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries", + HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries", Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])), @@ -111,7 +118,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a Query = "MachineActions", - Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) + Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) in Source @@ -130,6 +137,6 @@ View the Microsoft Defender ATP Power BI report samples. For more information, s ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Using OData Queries](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 1e42b10a63..9c8c96f2ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -16,11 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP API license and terms of use +# Microsoft Defender for Endpoint API license and terms of use + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + ## APIs -Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). +Defender for Endpoint APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). ### Throttling limits diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index aac9695165..ba3e749a61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -17,30 +17,32 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Access the Microsoft Defender Advanced Threat Protection APIs +# Access the Microsoft Defender for Endpoint APIs -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Watch this video for a quick overview of Microsoft Defender ATP's APIs. +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +Watch this video for a quick overview of Defender for Endpoint's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Microsoft Defender ATP API +- Use the token to access Defender for Endpoint API -You can access Microsoft Defender ATP API with **Application Context** or **User Context**. +You can access Defender for Endpoint API with **Application Context** or **User Context**. - **Application Context: (Recommended)**
    Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons. - Steps that need to be taken to access Microsoft Defender ATP API with application context: + Steps that need to be taken to access Defender for Endpoint API with application context: 1. Create an AAD Web-Application. 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. @@ -54,7 +56,8 @@ You can access Microsoft Defender ATP API with **Application Context** or **User - **User Context:**
    Used to perform actions in the API on behalf of a user. - Steps that needs to be taken to access Microsoft Defender ATP API with application context: + Steps to take to access Defender for Endpoint API with application context: + 1. Create AAD Native-Application. 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 3. Get token using the application with user credentials. @@ -64,6 +67,6 @@ You can access Microsoft Defender ATP API with **Application Context** or **User ## Related topics -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 1181ff8181..a8bf456da1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -20,14 +20,17 @@ ms.date: 11/28/2018 # Assign user access to Microsoft Defender Security Center +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Azure Active Directory - Office 365 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -Microsoft Defender ATP supports two ways to manage permissions: +Defender for Endpoint supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). @@ -35,7 +38,7 @@ Microsoft Defender ATP supports two ways to manage permissions: > [!NOTE] > If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: > -> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC. +> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC. > - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. > - After switching to RBAC, you will not be able to switch back to using basic permissions management. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 492d7037dc..74cc0538fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -18,19 +18,22 @@ ms.topic: article ms.date: 11/20/2018 --- -# Experience Microsoft Defender ATP through simulated attacks +# Experience Microsoft Defender for Endpoint through simulated attacks + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). -You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. +You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response. ## Before you begin @@ -58,10 +61,10 @@ Read the walkthrough document provided with each attack scenario. Each document > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device. > > -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) ## Related topics - [Onboard devices](onboard-configure.md) -- [Onboard Windows 10 devices](configure-endpoints.md) \ No newline at end of file +- [Onboard Windows 10 devices](configure-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 992ba51235..27c2c2db47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -18,13 +18,16 @@ ms.custom: asr # Attack surface reduction frequently asked questions (FAQ) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Is attack surface reduction (ASR) part of Windows? -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. ## Do I need to have an enterprise license to run ASR rules? @@ -40,7 +43,7 @@ Yes. ASR is supported for Windows Enterprise E3 and above. All of the rules supported with E3 are also supported with E5. -E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. +E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. ## What are the currently supported ASR rules? @@ -72,13 +75,13 @@ Larger organizations should consider rolling out ASR rules in "rings," by auditi Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. -## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR? +## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR? -In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. -The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities. +The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities. -From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. +From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. ## Does ASR support file or folder exclusions that include system variables and wildcards in the path? @@ -92,9 +95,9 @@ It depends on the rule. Most ASR rules cover the behavior of Microsoft Office pr ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time. -## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline? +## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline? -Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP. +Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint. ## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'. @@ -124,7 +127,7 @@ Because many legitimate processes throughout a typical day will be calling on ls Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. -## Related topics +## See also * [Attack surface reduction overview](attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index de60666730..c0c77ae782 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -11,32 +11,90 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr +ms.date: 01/08/2021 --- -# Reduce attack surfaces with attack surface reduction rules +# Use attack surface reduction rules to prevent malware infection + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks. +## Why attack surface reduction rules are important -Attack surface reduction rules target software behaviors that are often abused by attackers, such as: +Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help! -- Launching executable files and scripts that attempt to download or run files -- Running obfuscated or otherwise suspicious scripts -- Performing behaviors that apps don't usually initiate during normal day-to-day work +Attack surface reduction rules target certain software behaviors, such as: -Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. +- Launching executable files and scripts that attempt to download or run files; +- Running obfuscated or otherwise suspicious scripts; and +- Performing behaviors that apps don't usually initiate during normal day-to-day work. + +Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. + +For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). + +## Assess rule impact before deployment + +You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). + +:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: + +In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity. + +## Audit mode for evaluation Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. -Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. +## Warn mode for users -For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. + +Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. + +### Requirements for warn mode to work + +Warn mode is supported on devices running the following versions of Windows: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +- Minimum platform release requirement: `4.18.2008.9` +- Minimum engine release requirement: `1.1.17400.5` + +For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). + +### Cases where warn mode is not supported + +Warn mode is not supported for the following attack surface reduction rules: + +- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) +- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) +- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) + +In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode. + +## Notifications and alerts + +Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. + +In addition, when certain attack surface reduction rules are triggered, alerts are generated. + +Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). + +## Advanced hunting and attack surface reduction events + +You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. + +For example, suppose that an attack surface reduction event occurs on ten devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on ten devices), and its timestamp will be 2:15 PM. + +For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). ## Attack surface reduction features across Windows versions @@ -46,13 +104,13 @@ You can set attack surface reduction rules for devices running any of the follow - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios. +Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios. -You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: @@ -75,7 +133,7 @@ You can review the Windows event log to view events generated by attack surface 5. Select **OK**. -This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: +You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | |---|---| @@ -83,29 +141,88 @@ This will create a custom view that filters events to only show the following, a |1121 | Event when rule fires in Block-mode | |1122 | Event when rule fires in Audit-mode | -The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. +The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. + +If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs. + | Rule name | GUID | File & folder exclusions | Minimum OS supported | -|-----|----|---|---| -|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|:-----|:-----:|:-----|:-----| +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | +|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + +### Block Adobe Reader from creating child processes + +This rule prevents attacks by blocking Adobe Reader from creating additional processes. + +Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: `Process creation from Adobe Reader (beta)` + +Configuration Manager name: Not yet available + +GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` + +### Block all Office applications from creating child processes + +This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. + +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Office apps launching child processes` + +Configuration Manager name: `Block Office application from creating child processes` + +GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` + +### Block credential stealing from the Windows local security authority subsystem + +This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). + +LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. + +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Flag credential stealing from the Windows local security authority subsystem` + +Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem` + +GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block executable content from email client and webmail @@ -118,37 +235,86 @@ This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) +- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)` -Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail +Microsoft Endpoint Manager name: `Block executable content from email client and webmail` GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` -### Block all Office applications from creating child processes +> [!NOTE] +> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: +> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). +> - Endpoint Manager: Block executable content download from email and webmail clients. +> - Group Policy: Block executable content from email client and webmail. -This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. +This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: + +- Executable files (such as .exe, .dll, or .scr) + +Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. + +> [!IMPORTANT] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

    The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly. +> +>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria` + +Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria` + +GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` + +### Block execution of potentially obfuscated scripts + +This rule detects suspicious properties within an obfuscated script. + +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. + +This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps launching child processes +Intune name: `Obfuscated js/vbs/ps/macro code` -Configuration Manager name: Block Office application from creating child processes +Configuration Manager name: `Block execution of potentially obfuscated scripts` -GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` +GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` + +### Block JavaScript or VBScript from launching downloaded executable content + +This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. + +Although not common, line-of-business applications sometimes use scripts to download and launch installers. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)` + +Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content` + +GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. - Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. +Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) @@ -156,9 +322,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager) -Intune name: Office apps/macros creating executable content +Intune name: `Office apps/macros creating executable content` -SCCM name: Block Office applications from creating executable content +SCCM name: `Block Office applications from creating executable content` GUID: `3B576869-A4EC-4529-8536-B80A7769E899` @@ -178,173 +344,17 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps injecting code into other processes (no exceptions) +Intune name: `Office apps injecting code into other processes (no exceptions)` -Configuration Manager name: Block Office applications from injecting code into other processes +Configuration Manager name: `Block Office applications from injecting code into other processes` GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` -### Block JavaScript or VBScript from launching downloaded executable content - -This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. - -Although not common, line-of-business applications sometimes use scripts to download and launch installers. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) - -Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content - -GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` - -### Block execution of potentially obfuscated scripts - -This rule detects suspicious properties within an obfuscated script. - -Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Obfuscated js/vbs/ps/macro code - -Configuration Manager name: Block execution of potentially obfuscated scripts. - -GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` - -### Block Win32 API calls from Office macros - -This rule prevents VBA macros from calling Win32 APIs. - -Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Win32 imports from Office macro code - -Configuration Manager name: Block Win32 API calls from Office macros - -GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` - -### Block executable files from running unless they meet a prevalence, age, or trusted list criterion - -This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: - -- Executable files (such as .exe, .dll, or .scr) - -Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. - -> [!IMPORTANT] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

    The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. -> ->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. - -Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria - -GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` - -### Use advanced protection against ransomware - -This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. - -> [!NOTE] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Advanced ransomware protection - -Configuration Manager name: Use advanced protection against ransomware - -GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` - -### Block credential stealing from the Windows local security authority subsystem - -This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). - -LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. - -> [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Flag credential stealing from the Windows local security authority subsystem - -Configuration Manager name: Block credential stealing from the Windows local security authority subsystem - -GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` - -### Block process creations originating from PSExec and WMI commands - -This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. - -> [!WARNING] -> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from PSExec and WMI commands - -Configuration Manager name: Not applicable - -GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` - -### Block untrusted and unsigned processes that run from USB - -With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: - -* Executable files (such as .exe, .dll, or .scr) -* Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file) - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Untrusted and unsigned processes that run from USB - -Configuration Manager name: Block untrusted and unsigned processes that run from USB - -GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` - ### Block Office communication application from creating child processes This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE] > This rule applies to Outlook and Outlook.com only. @@ -354,29 +364,12 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from Office communication products (beta) +Intune name: `Process creation from Office communication products (beta)` -Configuration Manager name: Not yet available +Configuration Manager name: Not available GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` -### Block Adobe Reader from creating child processes - -This rule prevents attacks by blocking Adobe Reader from creating additional processes. - -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Adobe Reader (beta) - -Configuration Manager name: Not yet available - -GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - ### Block persistence through WMI event subscription This rule prevents malware from abusing WMI to attain persistence on a device. @@ -390,13 +383,84 @@ This rule was introduced in: - [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) - [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) -Intune name: Not yet available +Intune name: Not available -Configuration Manager name: Not yet available +Configuration Manager name: Not available GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` -## Related topics +### Block process creations originating from PSExec and WMI commands + +This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. + +> [!WARNING] +> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: `Process creation from PSExec and WMI commands` + +Configuration Manager name: Not applicable + +GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` + +### Block untrusted and unsigned processes that run from USB + +With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr) + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Untrusted and unsigned processes that run from USB` + +Configuration Manager name: `Block untrusted and unsigned processes that run from USB` + +GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` + +### Block Win32 API calls from Office macros + +This rule prevents VBA macros from calling Win32 APIs. + +Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Win32 imports from Office macro code` + +Configuration Manager name: `Block Win32 API calls from Office macros` + +GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` + +### Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. + +> [!NOTE] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Advanced ransomware protection` + +Configuration Manager name: `Use advanced protection against ransomware` + +GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` + +## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) @@ -404,4 +468,4 @@ GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) -- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index 093a2013f5..b442dcb82a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -15,11 +15,14 @@ ms.reviewer: manager: dansimp --- -# Test how Microsoft Defender ATP features work in audit mode +# Test how Microsoft Defender for Endpoint features work in audit mode + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. @@ -29,7 +32,7 @@ The features won't block or prevent apps, scripts, or files from being modified. To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. -You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index cb7648e275..0a77813dd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -12,13 +12,20 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.date: 09/24/2020 --- # View details and results of automated investigations -During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. @@ -160,5 +167,5 @@ When you click on the pending actions link, you'll be taken to the Action center - [View and approve remediation actions](manage-auto-investigation.md) -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index bd94cf5240..fea480df60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -1,59 +1,72 @@ --- title: Use automated investigations to investigate and remediate threats -description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). -keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export +description: Understand the automated investigation flow in Microsoft Defender for Endpoint. +keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 +ms.technology: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft +ms.date: 12/07/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR --- # Overview of automated investigations -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities. +**Applies to** -Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated. +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + + +Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. Want to see how it works? Watch the following video: + +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] + +The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink). ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. To learn more about what happens after a verdict is reached, see [Automated investigation results and remediation actions](manage-auto-investigation.md#automated-investigation-results-and-remediation-actions). >[!NOTE] ->Currently, automated investigation only supports the following OS versions: +>Currently, AIR only supports the following OS versions: >- Windows Server 2019 >- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later >- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later ->- Later versions of Windows 10 +>- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later ## Details of an automated investigation During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. |Tab |Description | -|--|--| -|**Alerts**| Shows the alert that started the investigation.| -|**Devices** |Shows where the alert was seen.| -|**Evidence** |Shows the entities that were found to be malicious during the investigation.| -|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | -|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| +|:--|:--| +|**Alerts**| The alert(s) that started the investigation.| +|**Devices** |The device(s) where the threat was seen.| +|**Evidence** |The entities that were found to be malicious during an investigation.| +|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | +|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.| |**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | > [!IMPORTANT] -> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. +> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. ## How an automated investigation expands its scope @@ -63,46 +76,22 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats. +As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -> [!NOTE] -> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).) -You can configure the following levels of automation: +Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA). -|Automation level | Description| -|---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

    *This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*| -|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

    Files or executables in all other folders are automatically remediated, if needed.| -|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

    Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

    *This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*| -|**No automated response** | Devices do not get any automated investigations run on them.

    *This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | - - -> [!IMPORTANT] -> A few points of clarification regarding automation levels and default settings: -> - If your tenant already has device groups defined, the automation level settings are not changed. -> - If your tenant was onboarded to Microsoft Defender ATP before August 16, 2020, your organization's first device group is set to **Semi - require approval for any remediation** by default. -> - If your tenant is onboarded on or after August 16, 2020, when your organization's first device group is set to **Full - remediate threats automatically**. -> - To change an automation level, edit your [device groups](configure-automated-investigations-remediation.md#set-up-device-groups). - - -### A few points to keep in mind - -- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). - -- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. - -- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). +All remediation actions, whether pending or completed, can be viewed in the [Action Center](auto-investigation-action-center.md) ([https://securitycenter.windows.com](https://securitycenter.windows.com)). If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) ## Next steps -- [Learn about the automated investigations dashboard](manage-auto-investigation.md) +- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md) +- [Learn more about automation levels](automation-levels.md) +- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also -## Related articles - -- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - -- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file +- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) +- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) +- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md new file mode 100644 index 0000000000..9fa9ebd762 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -0,0 +1,62 @@ +--- +title: Automation levels in automated investigation and remediation +description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint +keywords: automated, investigation, level, defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 10/22/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR +--- + +# Automation levels in automated investigation and remediation capabilities + +Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval. +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).) +- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. + +## Levels of automation + +The following table describes each level of automation and how it works. + +|Automation level | Description| +|:---|:---| +|**Full - remediate threats automatically**
    (also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

    ***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* | +|**Semi - require approval for any remediation**
    (also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*| +|**Semi - require approval for core folders remediation**
    (also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).

    Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

    Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**Semi - require approval for non-temp folders remediation**
    (also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.

    Temporary folders can include the following examples:
    - `\users\*\appdata\local\temp\*`
    - `\documents and settings\*\local settings\temp\*`
    - `\documents and settings\*\local settings\temporary\*`
    - `\windows\temp\*`
    - `\users\*\downloads\*`
    - `\program files\`
    - `\program files (x86)\*`
    - `\documents and settings\*\users\*`

    Remediation actions can be taken automatically on files or executables that are in temporary folders.

    Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**No automated response**
    (also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.

    ***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. | + +## Important points about automation levels + +- Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. + +- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. + +- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out. + +- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). + +## Next steps + +- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md) + +- [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index d9ced772ad..1c8fc2eacd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -13,64 +13,73 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article --- # Use basic permissions to access the portal + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - Azure Active Directory -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) -Refer to the instructions below to use basic permissions management. +Refer to the instructions below to use basic permissions management. -You can use either of the following: +You can use either of the following solutions: - Azure PowerShell -- Azure Portal +- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell + You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read-only access ### Before you begin -- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    + +- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). +- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0). **Full access**
    Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles. -**Read only access**
    -Users with read only access can log in, view all alerts, and related information. +**Read-only access**
    +Users with read-only access can log in, view all alerts, and related information. They will not be able to change alert states, submit files for deep analysis or perform any state changing operations. -Assigning read only access rights requires adding the users to the "Security Reader" AAD built-in role. +Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role. Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: - ```text + + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` -- For **read only** access, assign users to the security reader role by using the following command: - ```text + +- For **read-only** access, assign users to the security reader role by using the following command: + + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic + - [Manage portal access using RBAC](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 4fc887a605..05ec75c8d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -16,29 +16,34 @@ ms.custom: - next-gen - edr ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint --- # Behavioral blocking and containment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security). +Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](https://docs.microsoft.com/windows/security). -Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities. +Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities. :::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment"::: -Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing. +Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing. - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running. - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond. -- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. +- [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks. @@ -54,7 +59,7 @@ The following image shows an example of an alert that was triggered by behaviora - **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in the Microsoft Defender Security Center.) Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap). @@ -80,7 +85,7 @@ Below are two real-life examples of behavioral blocking and containment in actio As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. -Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain: +Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker’s techniques at two points in the attack chain: - The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). @@ -92,7 +97,7 @@ This example shows how behavior-based device learning models in the cloud add ne ### Example 2: NTLM relay - Juicy Potato malware variant -As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. +As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. :::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware"::: @@ -108,7 +113,7 @@ This example shows that with behavioral blocking and containment capabilities, t ## Next steps -- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Learn more about Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Configure your attack surface reduction rules](attack-surface-reduction.md) @@ -116,4 +121,4 @@ This example shows that with behavioral blocking and containment capabilities, t - [See recent global threat activity](https://www.microsoft.com/wdsi/threats) -- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +- [Get an overview of Microsoft 365 Defender ](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 621f338029..bbff2e68b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -18,29 +18,32 @@ ms.topic: article ms.date: 04/24/2018 --- -# Check sensor health state in Microsoft Defender ATP +# Check sensor health state in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) -The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. +The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service: -- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. +- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected. +- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month. Clicking any of the groups directs you to **Devices list**, filtered according to your choice. ![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png) On **Devices list**, you can filter the health state list by the following status: -- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service. -- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: +- **Active** - Devices that are actively reporting to the Defender for Endpoint service. +- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device. - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service. +- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service. You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md). @@ -52,4 +55,4 @@ You can also download the entire list in CSV format using the **Export** feature You can view the device details when you click on a misconfigured or inactive device. ## Related topic -- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md) +- [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index 19fabebbdf..ef5d153836 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -16,17 +16,22 @@ ms.custom: - next-gen - edr ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint --- # Client behavioral blocking +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. +Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. :::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection"::: @@ -67,11 +72,11 @@ Behavior-based detections are named according to the [MITRE ATT&CK Matrix for En ## Configuring client behavioral blocking -If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: +If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured: -- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) +- [Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) -- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) +- [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) - [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) @@ -87,4 +92,4 @@ If your organization is using Microsoft Defender ATP, client behavioral blocking - [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) -- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) +- [Helpful Defender for Endpoint resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index d8929fdd67..b3cb7a04fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -19,9 +19,17 @@ ms.topic: article # Collect investigation package API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Collect investigation package from a device. @@ -32,7 +40,7 @@ Collect investigation package from a device. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -46,7 +54,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage ``` ## Request headers @@ -73,10 +81,8 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage Content-type: application/json { "Comment": "Collect forensics due to alert 1234" diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md deleted file mode 100644 index 558f93dfb9..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -title: Microsoft Defender ATP for US Government GCC High customers -description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers -keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Microsoft Defender ATP for US Government GCC High customers - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial. - -This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering. - - -## Endpoint versions -The following OS versions are supported: - -- Windows 10, version 1903 -- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) -- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183)) -- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) -- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) - ->[!NOTE] ->A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment. - -The following OS versions are supported via Azure Security Center: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 - -The following OS versions are not supported: -- Windows Server 2008 R2 SP1 (standalone, not via ASC) -- Windows Server 2012 R2 (standalone, not via ASC) -- Windows Server 2016 (standalone, not via ASC) -- Windows Server, version 1803 -- Windows 7 SP1 Enterprise -- Windows 7 SP1 Pro -- Windows 8 Pro -- Windows 8.1 Enterprise -- macOS -- Linux - -The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019: - -## Threat Analytics -Not currently available. - -## Threat & Vulnerability Management -Not currently available. - - -## Automated investigation and remediation -The following capabilities are not currently available: -- Response to Office 365 alerts -- Live response - - - -## Management and APIs -The following capabilities are not currently available: - -- Threat protection report -- Device health and compliance report -- Integration with third-party products - - -## Email notifications -Not currently available. - - -## Integrations -Integrations with the following Microsoft products are not currently available: -- Azure Advanced Threat Protection -- Azure Information Protection -- Office 365 Advanced Threat Protection -- Microsoft Cloud App Security -- Skype for Business -- Microsoft Intune (sharing of device information and enhanced policy enforcement) - -## Microsoft Threat Experts -Not currently available. - -## Required connectivity settings -You'll need to ensure that traffic from the following are allowed: - -Service location | DNS record -:---|:--- -Common URLs for all locations (Global location) | ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```notify.windows.com```
    ```settings-win.data.microsoft.com```

    NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier. -Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com```
    ```winatp-gw-usgt.microsoft.com```
    ```winatp-gw-usgv.microsoft.com```
    ```*.blob.core.usgovcloudapi.net``` - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md index bcc6ba7dc3..c43240cb86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -18,7 +18,9 @@ ms.topic: article # Common REST API error codes -* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs. * Note that in addition to the error code, every error response contains an error message which can help resolving the problem. * Note that the message is a free text that can be changed. * At the bottom of the page you can find response examples. @@ -37,19 +39,20 @@ MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Recei MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing. OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action. ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above. -Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header). +Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header). Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action). DisabledFeature | Forbidden (403) | Tenant feature is not enabled. DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}. NotFound | Not Found (404) | General Not Found error message. ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found. InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved) +TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU. -## Body parameters are case sensitive +## Body parameters are case-sensitive -The submitted body parameters are currently case sensitive. +The submitted body parameters are currently case-sensitive.
    If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. -
    It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example. +
    We recommend that you go to the requested API documentation page and check that the submitted parameters match the relevant example. ## Correlation request ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index 78f18ff20e..f68dcdeab3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -19,14 +19,17 @@ ms.date: 04/24/2018 --- -# Access the Microsoft Defender ATP Community Center +# Access the Microsoft Defender for Endpoint Community Center + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. +The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. There are several spaces you can explore to learn about specific information: - Announcements @@ -35,8 +38,8 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page. -- Access the community through the [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page +- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page. +- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page You can instantly view and read conversations that have been posted in the community. diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index fb8e70489a..a0ace30f14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -19,12 +19,15 @@ ms.topic: article # Enable Conditional Access to better protect users, devices, and data +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. @@ -34,7 +37,7 @@ With Conditional Access, you can control access to enterprise information based You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. -The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. +The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications. @@ -64,15 +67,15 @@ When the risk is removed either through manual or automated remediation, the dev The following example sequence of events explains Conditional Access in action: -1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk. +1. A user opens a malicious file and Defender for Endpoint flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. 3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications. -4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. +4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. ## Related topic -- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md) +- [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index ef4053bac6..aca0be0b19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -17,22 +17,24 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +# Configure Micro Focus ArcSight to pull Defender for Endpoint detections + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections. +You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Defender for Endpoint detections. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections +>- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ## Before you begin @@ -40,7 +42,7 @@ Configuring the Micro Focus ArcSight Connector tool requires several configurati This section guides you in getting the necessary information to set and use the required configuration files correctly. -- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values: - OAuth 2.0 Token refresh URL @@ -113,7 +115,7 @@ The following steps assume that you have completed all the required steps in [Be Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded. Refresh Token - You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

    Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the Refresh Token field. + You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Defender for Endpoint.

    Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the Refresh Token field. @@ -175,7 +177,7 @@ The following steps assume that you have completed all the required steps in [Be You can now run queries in the Micro Focus ArcSight console. -Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Defender for Endpoint detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting Micro Focus ArcSight connection @@ -201,7 +203,7 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) +- [Configure Splunk to pull Defender for Endpoint detections](configure-splunk.md) +- [Pull Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 50726aa946..736ab0b846 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -19,6 +19,9 @@ ms.topic: conceptual # Configure attack surface reduction +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + You can configure attack surface reduction with a number of tools, including: * Microsoft Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index a4c17d2c2a..f8d91cd3e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -1,10 +1,11 @@ --- title: Configure automated investigation and remediation capabilities -description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint. keywords: configure, setup, automated, investigation, detection, alerts, remediation, response search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 +ms.technology: windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,18 +15,23 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual +ms.topic: article +ms.date: 09/24/2020 +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs --- -# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection +# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). +To configure automated investigation and remediation, [turn on the features](#turn-on-automated-investigation-and-remediation), and then [set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 944a823a64..206e5721b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -17,9 +17,12 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Conditional Access in Microsoft Defender ATP +# Configure Conditional Access in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This section guides you through all the steps you need to take to properly implement Conditional Access. @@ -51,7 +54,7 @@ It's important to note the required roles to access these portals and implement Take the following steps to enable Conditional Access: - Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center -- Step 2: Turn on the Microsoft Defender ATP integration in Intune +- Step 2: Turn on the Defender for Endpoint integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy - Step 5: Create an Azure AD Conditional Access policy @@ -63,7 +66,7 @@ Take the following steps to enable Conditional Access: 3. Click **Save preferences**. -### Step 2: Turn on the Microsoft Defender ATP integration in Intune +### Step 2: Turn on the Defender for Endpoint integration in Intune 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **Device compliance** > **Microsoft Defender ATP**. 3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**. @@ -104,4 +107,4 @@ Take the following steps to enable Conditional Access: For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index e605898b2f..f7ccfe871b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -19,13 +19,16 @@ ms.topic: article # Configure alert notifications in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) -You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. +You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] > Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. @@ -54,7 +57,7 @@ You can create rules that determine the devices and alert severities to send ema - **Include device information** - Includes the device name in the email alert body. >[!NOTE] - > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data. + > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Defender for Endpoint data. - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md). - **Alert severity** - Choose the alert severity level. @@ -89,11 +92,10 @@ This section lists various issues that you may encounter when using email notifi **Solution:** Make sure that the notifications are not blocked by email filters: -1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. -2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP. -3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications. +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 413259ce26..5360517315 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -20,16 +20,19 @@ ms.date: 04/24/2018 # Onboard Windows 10 devices using Group Policy +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Group Policy -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) > [!NOTE] @@ -38,6 +41,14 @@ ms.date: 04/24/2018 > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates. ## Onboard devices using Group Policy + +[![Image of the PDF showing the various deployment paths](images/onboard-gp.png)](images/onboard-gp.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + + + 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -65,9 +76,9 @@ ms.date: 04/24/2018 9. Click **OK** and close any open GPMC windows. >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). -## Additional Microsoft Defender ATP configuration settings +## Additional Defender for Endpoint configuration settings For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. @@ -223,5 +234,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP devices](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint devices](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 50e1369d5f..0a97fbf1e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -19,16 +19,19 @@ ms.topic: article # Onboard Windows 10 devices using Mobile Device Management tools +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) -You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices. +You can use mobile device management (MDM) solutions to configure devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices. -For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). ## Before you begin If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully. @@ -37,9 +40,13 @@ For more information on enabling MDM with Microsoft Intune, see [Device enrollme ## Onboard devices using Microsoft Intune +[![Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune](images/onboard-intune.png) ](images/onboard-intune-big.png#lightbox) + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). -For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). > [!NOTE] @@ -48,9 +55,10 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md). +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. ## Offboard and monitor devices using Mobile Device Management tools For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -90,5 +98,5 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index e59d230fb9..ba65815551 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -19,25 +19,28 @@ ms.topic: article # Onboard non-Windows devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - macOS - Linux -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. +Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. -You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see: -- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) -- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). +You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see: +- [Microsoft Defender for Endpoint for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) +- [Microsoft Defender for Endpoint for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). ## Onboarding non-Windows devices You'll need to take the following steps to onboard non-Windows devices: 1. Select your preferred method of onboarding: - - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac). + - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**. 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. @@ -53,7 +56,7 @@ You'll need to take the following steps to onboard non-Windows devices: ## Offboard non-Windows devices -1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender ATP. +1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender for Endpoint. 2. Remove permissions for the third-party solution in your Azure AD tenant. 1. Sign in to the [Azure portal](https://portal.azure.com). @@ -66,4 +69,4 @@ You'll need to take the following steps to onboard non-Windows devices: - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 4536ced3cc..70d15daa13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -20,13 +20,16 @@ ms.date: 02/07/2020 # Onboard Windows 10 devices using Configuration Manager +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Microsoft Endpoint Configuration Manager current branch +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Microsoft Endpoint Manager current branch - System Center 2012 R2 Configuration Manager ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) ## Supported client operating systems @@ -34,21 +37,34 @@ Based on the version of Configuration Manager you're running, the following clie #### Configuration Manager version 1910 and prior -- Clients computers running Windows 10, version 1607 and later +- Clients computers running Windows 10 #### Configuration Manager version 2002 and later Starting in Configuration Manager version 2002, you can onboard the following operating systems: - Windows 8.1 -- Windows 10, version 1607 or later +- Windows 10 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2016, version 1803 or later - Windows Server 2019 +>[!NOTE] +>For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md). + + + ### Onboard devices using System Center Configuration Manager + +[![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint. + + + 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -66,10 +82,10 @@ Starting in Configuration Manager version 2002, you can onboard the following op a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. +> Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). > > Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change. @@ -151,9 +167,9 @@ For security reasons, the package used to Offboard devices will expire 30 days a > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. -### Offboard devices using Microsoft Endpoint Configuration Manager current branch +### Offboard devices using Microsoft Endpoint Manager current branch -If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). +If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). ### Offboard devices using System Center 2012 R2 Configuration Manager @@ -179,13 +195,13 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create ## Monitor device configuration -If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). +If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network. -2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service). +2. Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service). ### Confirm the configuration package has been correctly deployed @@ -197,7 +213,7 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists 4. Review the status indicators under **Completion Statistics** and **Content Status**. - If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png) @@ -221,4 +237,4 @@ For more information, see [Introduction to compliance settings in System Center - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index ebc09038ff..acfdb668c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -19,52 +19,64 @@ ms.topic: article # Onboard Windows 10 devices using a local script +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. +You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network. -> [!NOTE] -> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md). +> [!IMPORTANT] +> This script has been optimized for use on up to 10 devices. +> +> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices + +[![Image of the PDF showing the various deployment paths](images/onboard-script.png)](images/onboard-script.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + + 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* 5. Press the **Enter** key or click **OK**. -For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). +For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md). ## Configure sample collection settings For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -73,7 +85,7 @@ You can manually configure the sample sharing setting on the device by using *re The configuration is set through the following registry key entry: -``` +```console Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -95,23 +107,23 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* @@ -139,5 +151,5 @@ Monitoring can also be done directly on the portal, or by using the different de - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 771c2b866b..fc7c7e1d3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -20,29 +20,35 @@ ms.date: 04/16/2020 # Onboard non-persistent virtual desktop infrastructure (VDI) devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Virtual desktop infrastructure (VDI) devices >[!WARNING] -> Microsoft Defender ATP support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. +> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) ## Onboard non-persistent virtual desktop infrastructure (VDI) devices -Microsoft Defender ATP supports non-persistent VDI session onboarding. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +Defender for Endpoint supports non-persistent VDI session onboarding. >[!Note] ->To onboard non-persistent VDI sessions, VDI devices must be on Windows 10. +>To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019. > ->While other Windows versions might work, only Windows 10 is supported. +>While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: -- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning. +- Instant early onboarding of a short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning. - The device name is typically reused for new sessions. -VDI devices can appear in Microsoft Defender ATP portal as either: +VDI devices can appear in Defender for Endpoint portal as either: - Single entry for each device. Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. @@ -51,7 +57,7 @@ Note that in this case, the *same* device name must be configured when the sessi The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries. >[!WARNING] -> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding. +> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding. 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): @@ -63,25 +69,21 @@ The following steps will guide you through onboarding VDI devices and will highl 1. Click **Download package** and save the .zip file. -2. Copy all the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. +2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - >[!NOTE] - >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd. -3. The following step is only applicable if you're implementing a single entry for each device:
    - **For single entry for each device**: + 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. - 1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
    + > [!NOTE] + > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. - > [!NOTE] - > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. - -4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. +3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. > [!NOTE] > Domain Group Policy may also be used for onboarding non-persistent VDI devices. -5. Depending on the method you'd like to implement, follow the appropriate steps:
    +4. Depending on the method you'd like to implement, follow the appropriate steps:
    **For single entry for each device**:
    Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. @@ -90,7 +92,7 @@ The following steps will guide you through onboarding VDI devices and will highl Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. -6. Test your solution: +5. Test your solution: 1. Create a pool with one device. @@ -103,9 +105,9 @@ The following steps will guide you through onboarding VDI devices and will highl 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
    **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center. -7. Click **Devices list** on the Navigation pane. +6. Click **Devices list** on the Navigation pane. -8. Use the search function by entering the device name and select **Device** as search type. +7. Use the search function by entering the device name and select **Device** as search type. ## Updating non-persistent virtual desktop infrastructure (VDI) images As a best practice, we recommend using offline servicing tools to patch golden/master images.
    @@ -124,7 +126,7 @@ For more information on DISM commands and offline servicing, please refer to the If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health: -1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). +1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). 2. Ensure the sensor is stopped by running the command below in a CMD window: @@ -151,4 +153,4 @@ If offline servicing is not a viable option for your non-persistent VDI environm - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 867e457571..d4fd6a0a02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -19,13 +19,16 @@ ms.topic: conceptual # Onboarding tools and methods for Windows 10 devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about) -Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. +Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. The following deployment tools and methods are supported: @@ -38,10 +41,10 @@ The following deployment tools and methods are supported: Topic | Description :---|:--- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices. -[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. +[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device. [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 42f46bd701..17e8cb3039 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -19,11 +19,14 @@ ms.topic: article # Optimize ASR rule deployment and detections +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). +> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). [Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. @@ -49,5 +52,5 @@ For more information about ASR rule deployment in Microsoft 365 security center, **Related topics** * [Ensure your devices are configured properly](configure-machines.md) -* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +* [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) +* [Monitor compliance to the Microsoft Defender for Endpoint security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index c189165c5f..b207e1fb84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -17,12 +17,15 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get devices onboarded to Microsoft Defender ATP +# Get devices onboarded to Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. @@ -32,17 +35,17 @@ Before you can track and manage onboarding of devices: ## Discover and track unprotected devices -The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices. +The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows 10 devices. ![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)
    *Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device* >[!NOTE] ->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices. +>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices. ## Onboard more devices with Intune profiles -Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service. +Defender for Endpoint provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Defender for Endpoint sensor to select devices, effectively onboarding these devices to the service. From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. @@ -50,21 +53,21 @@ From the **Onboarding** card, select **Onboard more devices** to create and assi *Microsoft Defender ATP device compliance page on Intune device management* >[!TIP] ->Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. +>Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. >[!NOTE] > If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. -From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either: +From the device compliance page, create a configuration profile specifically for the deployment of the Defender for Endpoint sensor and assign that profile to the devices you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. - Create the device configuration profile from scratch. -For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). +For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics - [Ensure your devices are configured properly](configure-machines.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +- [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index 958fa4756c..e110a3d518 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -17,14 +17,17 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Increase compliance to the Microsoft Defender ATP security baseline +# Increase compliance to the Microsoft Defender for Endpoint security baseline + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection. +Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection. To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). @@ -33,22 +36,22 @@ Before you can deploy and track compliance to security baselines: - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Compare the Microsoft Defender ATP and the Windows Intune security baselines -The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: +The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: - [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) - [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp) -Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. +Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. >[!NOTE] ->The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. +>The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. -## Monitor compliance to the Microsoft Defender ATP security baseline +## Monitor compliance to the Defender for Endpoint security baseline -The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline. +The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Defender for Endpoint security baseline. ![Security baseline card](images/secconmgmt_baseline_card.png)
    -*Card showing compliance to the Microsoft Defender ATP security baseline* +*Card showing compliance to the Defender for Endpoint security baseline* Each device is given one of the following status types: @@ -62,20 +65,20 @@ To review specific devices, select **Configure security baseline** on the card. >[!NOTE] >You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune. -## Review and assign the Microsoft Defender ATP security baseline +## Review and assign the Microsoft Defender for Endpoint security baseline -Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. +Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender for Endpoint security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed. >[!TIP] - > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. + > Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. 2. Create a new profile. - ![Microsoft Defender ATP security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)
    - *Microsoft Defender ATP security baseline overview on Intune* + ![Microsoft Defender for Endpoint security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)
    + *Microsoft Defender for Endpoint security baseline overview on Intune* 3. During profile creation, you can review and adjust specific settings on the baseline. @@ -95,9 +98,9 @@ Device configuration management monitors baseline compliance only of Windows 10 >[!TIP] >Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics - [Ensure your devices are configured properly](configure-machines.md) -- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +- [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 3e3bb64cc8..9b830a3988 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -19,15 +19,18 @@ ms.topic: conceptual # Ensure your devices are configured properly -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices: -- Onboard to Microsoft Defender ATP -- Meet or exceed the Microsoft Defender ATP security baseline configuration +- Onboard to Microsoft Defender for Endpoint +- Meet or exceed the Defender for Endpoint security baseline configuration - Have strategic attack surface mitigations in place Click **Configuration management** from the navigation menu to open the Device configuration management page. @@ -53,7 +56,7 @@ Before you can ensure your devices are configured properly, enroll them to Intun >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign). >[!TIP] ->To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). +>To optimize device management through Intune, [connect Intune to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ## Obtain required permissions By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. @@ -74,8 +77,8 @@ If you have been assigned other roles, ensure you have the necessary permissions ## In this section Topic | Description :---|:--- -[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. -[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. +[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. +[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 0be1734f27..3ce240d781 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -14,24 +14,32 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- # Configure and manage Microsoft Threat Experts capabilities + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Before you begin -Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up. +> [!NOTE] +> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. -Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. +Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up. -If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. +Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. + +If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. ## Register to Microsoft Threat Experts managed threat hunting service -If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. +If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender for Endpoint portal. 1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**. @@ -51,7 +59,7 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M ## Receive targeted attack notification from Microsoft Threat Experts You can receive targeted attack notification from Microsoft Threat Experts through the following medium: -- The Microsoft Defender ATP portal's **Alerts** dashboard +- The Defender for Endpoint portal's **Alerts** dashboard - Your email, if you choose to configure it To receive targeted attack notifications through email, create an email notification rule. @@ -76,7 +84,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request. -2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**. +2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**. ![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png) @@ -84,7 +92,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w ![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png) - The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription. + The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription. ![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png) @@ -107,8 +115,8 @@ Watch this video for a quick overview of the Microsoft Services Hub. **Alert information** - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? -- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? -- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored? +- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? +- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored? - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. **Possible machine compromise** @@ -116,8 +124,8 @@ Watch this video for a quick overview of the Microsoft Services Hub. - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? **Threat intelligence details** -- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? -- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? +- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? +- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md index b7c4bf19d6..e75588efda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md @@ -19,11 +19,14 @@ ms.topic: article # Configure alert notifications that are sent to MSSPs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >[!NOTE] @@ -43,4 +46,4 @@ These check boxes must be checked: ## Related topics - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) -- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) \ No newline at end of file +- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 98599b9d18..dde5d47ec5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -19,11 +19,14 @@ ms.topic: article # Configure managed security service provider integration +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -41,7 +44,7 @@ The integration will allow MSSPs to take the following actions: - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal. Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. @@ -51,7 +54,7 @@ In general, the following configuration steps need to be taken: - **Grant the MSSP access to Microsoft Defender Security Center**
    -This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant. - **Configure alert notifications sent to MSSPs**
    @@ -63,6 +66,8 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools. - **Fetch alerts from MSSP customer's tenant using APIs**
    This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. +## Multi-tenant access for MSSPs +For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index a25c911a4f..48fd0bee7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -13,21 +13,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint ms.topic: article --- # Configure device proxy and Internet connectivity settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. +The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service. -The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. +The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service. >[!TIP] >For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md). @@ -39,7 +44,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] - > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). - Manual static proxy configuration: - Registry based configuration @@ -47,16 +52,16 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe ## Configure the proxy server manually using a registry-based static proxy -Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. +Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + ![Image of Group Policy setting1](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
    - ![Image of Group Policy setting](images/atp-gpo-proxy2.png) + ![Image of Group Policy setting2](images/atp-gpo-proxy2.png) The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. @@ -100,18 +105,19 @@ netsh winhttp reset proxy See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. -## Enable access to Microsoft Defender ATP service URLs in the proxy server +## Enable access to Microsoft Defender for Endpoint service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list. +The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. -|**Item**|**Description**| +|**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. +|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
    | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

    [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) -If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. +If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. > [!NOTE] > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
    @@ -122,11 +128,11 @@ If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the > [!NOTE] -> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus +> If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus). -If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -### Log analytics agent requirements +### Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. @@ -134,32 +140,39 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | -## Microsoft Defender ATP service backend IP range - -If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information. - -Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: - -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ - -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. +## Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements + +Please see the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows. + +1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see [Onboard previous versions of Windows on Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2010326) and [Onboard Windows servers](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016). + +2. Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal. + +3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace. + +4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)). + +![Image of administrator in Windows PowerShell](images/admin-powershell.png) + +The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal. + +The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *.blob.core.windows.net” section of the test results. + +> [!NOTE] +> In the case of onboarding via Azure Security Center (ASC), multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces). + ## Verify client connectivity to Microsoft Defender ATP service URLs -Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. +Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs. -1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. +1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Defender for Endpoint sensor is running on. 2. Extract the contents of MDATPClientAnalyzer.zip on the device. @@ -184,7 +197,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. 6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    - The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx @@ -195,18 +208,18 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5 - Command line proxy: Doesn't exist ``` -If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

    +If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.

    -However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > [!NOTE] -> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. +> When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can't access the defined proxy. ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ed06fd8042..f00858169a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -17,7 +17,10 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard Windows servers to the Microsoft Defender ATP service +# Onboard Windows servers to the Microsoft Defender for Endpoint service + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** @@ -27,40 +30,52 @@ ms.topic: article - Windows Server (SAC) version 1803 and later - Windows Server 2019 and later - Windows Server 2019 core edition -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) -Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. +Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. -The service supports the onboarding of the following Windows servers: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server (SAC) version 1803 and later -- Windows Server 2019 and later -- Windows Server 2019 core edition - -For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 -You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options: +You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Defender for Endpoint by using any of the following options: -- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center) +- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) + + +After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + > [!NOTE] -> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). -### Option 1: Onboard Windows servers through Microsoft Defender Security Center -Perform the following steps to onboard Windows servers through Microsoft Defender Security Center: +### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) +You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + +If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. + +In general, you'll need to take the following steps: +1. Fulfill the onboarding requirements outlined in **Before you begin** section. +2. Turn on server monitoring from Microsoft Defender Security center. +3. Install and configure MMA for the server to report sensor data to Defender for Endpoint. +4. Configure and update System Center Endpoint Protection clients. + + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md). + + +#### Before you begin +Perform the following steps to fulfill the onboarding requirements: - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) @@ -74,36 +89,10 @@ Perform the following steps to onboard Windows servers through Microsoft Defende > [!NOTE] > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. - - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal). - - - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. - - Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). - -> [!TIP] -> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). - -### Configure and update System Center Endpoint Protection clients - -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). - -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - - -### Turn on Server monitoring from the Microsoft Defender Security Center portal - -1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. - -2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system. - -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). @@ -112,16 +101,21 @@ The following steps are required to enable this integration: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). -Once completed, you should see onboarded Windows servers in the portal within an hour. -### Configure Windows server proxy and Internet connectivity settings +### Configure Windows server proxy and Internet connectivity settings if needed +If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server: -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + +- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) + +- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) + +If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. + +Once completed, you should see onboarded Windows servers in the portal within an hour. ### Option 2: Onboard Windows servers through Azure Security Center 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**. @@ -130,10 +124,20 @@ Once completed, you should see onboarded Windows servers in the portal within an 3. Click **Onboard Servers in Azure Security Center**. -4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). +4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). -### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later -You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + +> [!NOTE] +> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings. +> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. +> - This is also required if the server is configured to use an OMS Gateway server as proxy. + +### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later +You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint + in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). + +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -145,12 +149,12 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) > [!NOTE] -> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). +> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). > - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. -Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions. -1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). +1. Configure Defender for Endpoint onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly: @@ -179,52 +183,63 @@ Support for Windows Server, provide deeper insight into activities happening on For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). ## Integration with Azure Security Center -Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: -- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). +- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). > [!NOTE] > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016. -- Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. +- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach. > [!IMPORTANT] -> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
    -Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning. -> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
    +Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. +> - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
    Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +## Configure and update System Center Endpoint Protection clients + +Defender for Endpoint integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). + +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. + + + ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. For other Windows server versions, you have two options to offboard Windows servers from the service: - Uninstall the MMA agent -- Remove the Microsoft Defender ATP workspace configuration +- Remove the Defender for Endpoint workspace configuration > [!NOTE] > Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months. ### Uninstall Windows servers by uninstalling the MMA agent -To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP. +To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the Windows server will no longer send sensor data to Defender for Endpoint. For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). -### Remove the Microsoft Defender ATP workspace configuration +### Remove the Defender for Endpoint workspace configuration To offboard the Windows server, you can use either of the following methods: -- Remove the Microsoft Defender ATP workspace configuration from the MMA agent +- Remove the Defender for Endpoint workspace configuration from the MMA agent - Run a PowerShell command to remove the configuration -#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent +#### Remove the Defender for Endpoint workspace configuration from the MMA agent 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. -2. Select the Microsoft Defender ATP workspace, and click **Remove**. +2. Select the Defender for Endpoint workspace, and click **Remove**. - ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png) + ![Image of Microsoft Monitoring Agent Properties](images/atp-mma.png) #### Run a PowerShell command to remove the configuration @@ -239,16 +254,18 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md) +- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index a72dbb0a7b..62e2e5f5b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -19,37 +19,39 @@ ms.topic: article # Pull detections to your SIEM tools +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Pull detections using security information and events management (SIEM) tools >[!NOTE] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections. +>- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). -Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +Defender for Endpoint supports security information and event management (SIEM) tools to pull detections. Defender for Endpoint exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. - -Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: +Defender for Endpoint currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: - IBM QRadar - Micro Focus ArcSight -Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. +Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. -To use either of these supported SIEM tools you'll need to: +To use either of these supported SIEM tools, you'll need to: -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). + - [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md) + - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). -For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). +For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index bc7f7201e2..99a86d51e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -18,14 +18,17 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Connected applications in Microsoft Defender ATP +# Connected applications in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Connected applications integrates with the Microsoft Defender ATP platform using APIs. +Connected applications integrates with the Defender for Endpoint platform using APIs. -Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. +Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. You'll need to follow [these steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro) to use the APIs with the connected application. @@ -34,7 +37,7 @@ From the left navigation menu, select **Partners & APIs** > **Connected AAD appl ## View connected application details -The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. +The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. ![Image of connected apps](images/connected-apps.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md new file mode 100644 index 0000000000..a3ea45d493 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md @@ -0,0 +1,44 @@ +--- +title: Contact Microsoft Defender for Endpoint support for US Government customers +description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers +keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ROBOTS: noindex,nofollow +--- + +# Contact Microsoft Defender for Endpoint support for US Government customers + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. + +## Using the right portal +In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal: + +Environment | Portal URL +:---|:--- +GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) +GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us) +GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us) +DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us) + +If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true). + +## Opening a support case +For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md new file mode 100644 index 0000000000..b8af068443 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md @@ -0,0 +1,90 @@ +--- +title: Contact Microsoft Defender ATP support +description: Learn how to contact Microsoft Defender ATP support +keywords: support, contact, premier support, solutions, problems, case +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Contact Microsoft Defender for Endpoint support + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. + +The new widget allows customers to: +- Find solutions to common problems +- Submit a support case to the Microsoft support team + +## Prerequisites +It's important to know the specific roles that have permission to open support cases. + +At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role. + + +For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case. + +For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide). + + +## Access the widget +Accessing the new support widget can be done in one of two ways: + +1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support": + + ![Image of widget when question mark is selected](images/support-widget.png) + +2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center: + + + ![Image of the need help button](images/need-help.png) + +In the widget you will be offered two options: + +- Find solutions to common problems +- Open a service request + +## Find solutions to common problems +This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced. + +![Image of need help widget](images/Support3.png) + +In case the suggested articles are not sufficient, you can open a service request. + +## Open a service request + +Learn how to open support tickets by contacting Defender for Endpoint support. + + + + +### Contact support +This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case: + +![Image of the open a service request widget](images/Support4.png) + +1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you. + +2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case. + +3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly. + + +## Related topics +- [Troubleshoot service issues](troubleshoot-mdatp.md) +- [Check service health](service-status.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 74f0ab9e28..d01c44566e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 08/25/2020 +ms.date: 12/17/2020 ms.reviewer: v-maave manager: dansimp ms.custom: asr @@ -19,41 +19,68 @@ ms.custom: asr # Protect important folders with controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## What is controlled folder access? -Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). +Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). -Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +> [!NOTE] +> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). + +Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). ## How does controlled folder access work? Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. +Controlled folder access works with a list of trusted apps. If an app is included in the list of trusted software, it works as expected. If not, the app is prevented from making any changes to files that are inside protected folders. -Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. + +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. + +## Why controlled folder access is important Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. +Controlled folder access is supported on the following versions of Windows: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -## Requirements +## Windows system folders are protected by default + +Windows system folders are protected by default, along with several other folders: + +- `c:\Users\\Documents` +- `c:\Users\Public\Documents` +- `c:\Users\\Pictures` +- `c:\Users\Public\Pictures` +- `c:\Users\Public\Videos` +- `c:\Users\\Music` +- `c:\Users\Public\Music` +- `c:\Users\\Favorites` + +> [!NOTE] +> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default. + +## Requirements for controlled folder access Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md). ## Review controlled folder access events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled. Example query: @@ -74,19 +101,19 @@ You can review the Windows event log to see events that are created when control 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). -5. Click **OK**. +5. Select **OK**. -After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table: +The following table shows events related to controlled folder access: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1124 | Audited controlled folder access event | |1123 | Blocked controlled folder access event | ## View or change the list of protected folders -### Windows 10 security app +You can use the Windows Security app to view the list of folders that are protected by controlled folder access. 1. On your Windows 10 device, open the Windows Security app. @@ -102,10 +129,11 @@ After following the procedure, you have created a custom view that shows events - To remove a folder, select it, and then select **Remove**. +> [!NOTE] +> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. + ## See also -- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. - -- [Enable controlled folder access](enable-controlled-folders.md). Use Group Policy, PowerShell, or mobile device management CSPs to enable and manage controlled folder access in your network - -- [Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders. +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Customize controlled folder access](customize-controlled-folders.md) +- [Protect additional folders](customize-controlled-folders.md#protect-additional-folders) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index fc2674e848..eefccc5624 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -18,14 +18,21 @@ ms.topic: article # Create alert API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Creates new [Alert](alerts.md) on top of **Event**. -
    **Microsoft Defender ATP Event** is required for the alert creation. +
    **Microsoft Defender for Endpoint Event** is required for the alert creation.
    You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
    You can use an event found in Advanced Hunting API or Portal.
    If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it. @@ -38,7 +45,7 @@ Creates new [Alert](alerts.md) on top of **Event**. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -53,7 +60,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` ## Request headers @@ -88,10 +95,8 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - ``` -POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` ```json { diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 6021933e52..17e23e40fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -16,34 +16,44 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/20/2020 --- # Create custom detection rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). +Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). -## 1. Check required permissions +> [!NOTE] +> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. - -## 2. Prepare the query +## 1. Prepare the query. In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. >[!IMPORTANT] >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. - ### Required columns in the query results -To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. +To use a query for a custom detection rule, the query must return the following columns: -The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +- `Timestamp` +- `DeviceId` +- `ReportId` + +Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. + +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. + +The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto DeviceEvents @@ -53,7 +63,10 @@ DeviceEvents | where count_ > 5 ``` -## 3. Create new rule and provide alert details +> [!TIP] +> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data. + +## 2. Create a new rule and provide alert details. With the query in the query editor, select **Create detection rule** and specify the following alert details: @@ -64,36 +77,52 @@ With the query in the query editor, select **Create detection rule** and specify - **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) - **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software - **Description**—more information about the component or activity identified by the rule -- **Recommended actions**—additional actions that responders might take in response to an alert +- **Recommended actions**—additional actions that responders might take in response to an alert For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). ### Rule frequency -When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: + +When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: - **Every 24 hours**—runs every 24 hours, checking data from the past 30 days - **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours - **Every hour**—runs hourly, checking data from the past 2 hours +> [!TIP] +> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored. + Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -## 4. Specify actions on files or devices +## 3. Choose the impacted entities. + +Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions. + +You can select only one column for each entity type. Columns that are not returned by your query can't be selected. + +## 4. Specify actions. + Your custom detection rule can automatically take actions on files or devices that are returned by the query. ### Actions on devices + These actions are applied to devices in the `DeviceId` column of the query results: -- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) + +- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Defender for Endpoint service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device ### Actions on files + These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: + - **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file**—deletes the file from its current location and places a copy in quarantine -## 5. Set the rule scope +## 5. Set the rule scope. + Set the scope to specify which devices are covered by the rule: - All devices @@ -101,12 +130,15 @@ Set the scope to specify which devices are covered by the rule: Only data from devices in scope will be queried. Also, actions will be taken only on those devices. -## 6. Review and turn on the rule +## 6. Review and turn on the rule. + After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. +You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Related topics -- [View and manage detection rules](custom-detections-manage.md) + +- [View and manage custom detection rules](custom-detections-manage.md) - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index bae067bcec..ef5088e134 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -20,8 +20,11 @@ ms.topic: article # View and manage custom detection rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 8a8bf44962..81ede44b00 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -16,9 +16,12 @@ manager: dansimp # Customize attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 0659908d5c..8c2ab186eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,6 +1,6 @@ --- title: Customize controlled folder access -description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. +description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -8,53 +8,61 @@ ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro -author: levinec -ms.author: ellevin -ms.reviewer: +author: denisebmsft +ms.author: deniseb +ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon manager: dansimp +ms.date: 01/06/2021 --- # Customize controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +This article describes how to customize controlled folder access capabilities, and includes the following sections: -* [Add additional folders to be protected](#protect-additional-folders) -* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +- [Protect additional folders](#protect-additional-folders) +- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +- [Allow signed executable files to access protected folders](#allow-signed-executable-files-to-access-protected-folders) +- [Customize the notification](#customize-the-notification) -> [!WARNING] -> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. -> -> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact. +> [!IMPORTANT] +> Controlled folder access monitors apps for activities that are detected as malicious. Sometimes, legitimate apps are blocked from making changes to your files. If controlled folder access impacts your organization's productivity, you might consider running this feature in [audit mode](audit-windows-defender.md) to fully assess the impact. ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list. +Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also specify network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -You can use the Windows Security app or Group Policy to add and remove additional protected folders. +You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobile device management configuration service providers to add and remove additional protected folders. ### Use the Windows Security app to protect additional folders -1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Security**. -2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. +2. Select **Virus & threat protection**, and then scroll down to the **Ransomware protection** section. -3. Under the **Controlled folder access** section, select **Protected folders**. +3. Select **Manage ransomware protection** to open the **Ransomware protection** pane. -4. Select **Add a protected folder** and follow the prompts to add apps. +4. Under the **Controlled folder access** section, select **Protected folders**. + +5. Choose **Yes** on the **User Access Control** prompt. The **Protected folders** pane displays. + +4. Select **Add a protected folder** and follow the prompts to add folders. ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure, and then and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -64,16 +72,16 @@ You can use the Windows Security app or Group Policy to add and remove additiona ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** + 2. Enter the following cmdlet: ```PowerShell Add-MpPreference -ControlledFolderAccessProtectedFolders "" ``` +3. Repeat step 2 until you have added all the folders you want to protect. Folders that are added are visible in the Windows Security app. -Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. - -![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) + ![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. @@ -87,8 +95,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature. > [!IMPORTANT] -> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. -> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +> By default, Windows adds apps that are considered friendly to the allowed list. Such apps that are added automatically are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access. @@ -96,9 +103,9 @@ An allowed application or service only has write access to a controlled folder a ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by searching the start menu for **Security**. -2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Manage ransomware protection**. 3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access** @@ -108,7 +115,7 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -118,7 +125,7 @@ An allowed application or service only has write access to a controlled folder a ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -142,12 +149,16 @@ An allowed application or service only has write access to a controlled folder a Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +## Allow signed executable files to access protected folders + +Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). + ## Customize the notification -For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications). -## Related topics +## See also -* [Protect important folders with controlled folder access](controlled-folders.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Protect important folders with controlled folder access](controlled-folders.md) +- [Enable controlled folder access](enable-controlled-folders.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 55552af86b..3c72846e6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -10,15 +10,18 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.reviewer: +ms.reviewer: manager: dansimp --- # Customize exploit protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. @@ -43,44 +46,44 @@ The **Use default** configuration for each of the mitigation settings indicates For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article. -Mitigation | Description | Can be applied to | Audit mode available --|-|-|- -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +| Mitigation | Description | Can be applied to | Audit mode available | +| ---------- | ----------- | ----------------- | -------------------- | +| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | ![Check mark yes](../images/svg/check-yes.svg)| +| Block remote images | Prevents loading of images from remote devices. | App-level only | ![Check mark no](../images/svg/check-no.svg | +| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | !include[Check mark yes](../images/svg/check-yes.svg) | +| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Don't allow child processes | Prevents an app from creating child processes. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: > > -> Enabled in **Program settings** | Enabled in **System settings** | Behavior -> -|-|- -> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +> | Enabled in **Program settings** | Enabled in **System settings** | Behavior | +> | ------------------------------- | ------------------------------ | -------- | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option | > > > -> * **Example 1** +> * **Example 1** > > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > @@ -113,10 +116,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redir * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation - >[!NOTE] - >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + > [!NOTE] + > You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. @@ -124,8 +127,8 @@ Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redir 1. If the app you want to configure is already listed, select it and then select **Edit** 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app: - * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. @@ -137,14 +140,14 @@ Exporting the configuration as an XML file allows you to copy the configuration ## PowerShell reference - You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. +You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. - The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. +The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. - >[!IMPORTANT] - >Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. +> [!IMPORTANT] +> Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. - You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: +You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell Get-ProcessMitigation -Name processName.exe @@ -161,7 +164,7 @@ Get-ProcessMitigation -Name processName.exe Use `Set` to configure each mitigation in the following format: - ```PowerShell +```PowerShell Set-ProcessMitigation - - ,, ``` @@ -176,34 +179,34 @@ Where: * \: * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. - For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: +For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: - ```PowerShell - Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation - ``` +```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` - > [!IMPORTANT] - > Separate each mitigation option with commas. +> [!IMPORTANT] +> Separate each mitigation option with commas. - If you wanted to apply DEP at the system level, you'd use the following command: +If you wanted to apply DEP at the system level, you'd use the following command: - ```PowerShell - Set-Processmitigation -System -Enable DEP - ``` +```PowerShell +Set-Processmitigation -System -Enable DEP +``` - To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. +To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. - If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: +If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: - ```PowerShell - Set-Processmitigation -Name test.exe -Remove -Disable DEP - ``` +```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. +You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. - For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: +For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: - ```PowerShell +```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` @@ -215,29 +218,29 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +| ---------- | ---------- | ------------------ | ----------------- | +| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available | +| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | +| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | +| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | +| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | +| Block remote images | App-level only | BlockRemoteImages | Audit not available | +| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | +| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | ExtensionPoint | Audit not available | +| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | +| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | +| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +| Validate handle usage | App-level only | StrictHandle | Audit not available | +| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for dlls for a process: @@ -245,14 +248,15 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. + ## Customize the notification For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). -## See also +## See also: * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 9cc9cb48ba..7932cfb153 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -16,17 +16,20 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Verify data storage location and update data retention settings for Microsoft Defender ATP +# Verify data storage location and update data retention settings for Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) -During the onboarding process, a wizard takes you through the data storage and retention settings of Microsoft Defender ATP. +During the onboarding process, a wizard takes you through the data storage and retention settings of Defender for Endpoint. After completing the onboarding, you can verify your selection in the data retention settings page. @@ -49,6 +52,5 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Configure alert notifications in Defender for Endpoint](configure-email-notifications.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 6eb879daae..4a5639583d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -1,7 +1,7 @@ --- -title: Microsoft Defender ATP data storage and privacy -description: Learn about how Microsoft Defender ATP handles privacy and data that it collects. -keywords: Microsoft Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data +title: Microsoft Defender for Endpoint data storage and privacy +description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects. +keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,26 +17,30 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender ATP data storage and privacy +# Microsoft Defender for Endpoint data storage and privacy + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP. +This section covers some of the most frequently asked questions regarding privacy and data handling for Defender for Endpoint. > [!NOTE] -> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. +> This document explains the data storage and privacy details related to Defender for Endpoint. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. -## What data does Microsoft Defender ATP collect? -Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +## What data does Microsoft Defender for Endpoint collect? + +Microsoft Defender for Endpoint will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). -This data enables Microsoft Defender ATP to: +This data enables Defender for Endpoint to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. @@ -44,16 +48,16 @@ This data enables Microsoft Defender ATP to: Microsoft does not use your data for advertising. ## Data protection and encryption -The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. +The Defender for Endpoint service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. -There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. ## Data storage location -Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. +Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. @@ -76,21 +80,22 @@ Access to data for services deployed in Microsoft Azure Government data centers ## Is data shared with other customers? -No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. +No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How long will Microsoft store my data? What is Microsoft’s data retention policy? **At service onboarding**
    -You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. +You can choose the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
    Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. -By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Defender for Endpoint services against their own legal and regulatory requirements. Defender for Endpoint has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. -For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). +By providing customers with compliant, independently verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) +For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index 50ce80ff33..f84762a3a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -20,22 +20,25 @@ ms.date: 04/24/2018 # Microsoft Defender Antivirus compatibility with Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Windows Defender -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) -The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. +The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. >[!IMPORTANT] ->Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings. +>Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). +You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode. @@ -43,4 +46,4 @@ Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.e The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options. -For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 068f605c89..dfde8bf37e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -18,9 +18,16 @@ ms.topic: article # Delete Indicator API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -42,12 +49,9 @@ Application | Ti.ReadWrite.All | 'Read and write Indicators' ## HTTP request ``` -Delete https://api.securitycenter.windows.com/api/indicators/{id} +Delete https://api.securitycenter.microsoft.com/api/indicators/{id} ``` -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - ## Request headers Name | Type | Description @@ -69,5 +73,5 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. ``` -DELETE https://api.securitycenter.windows.com/api/indicators/995 +DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index 3a379ea946..8332173b94 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -1,6 +1,6 @@ --- title: Deployment phases -description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service +description: Learn how to deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -20,48 +20,88 @@ ms.topic: article --- # Deployment phases + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -There are three phases in deploying Microsoft Defender ATP: +Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response. -|Phase | Desription | + +This guide helps you work across stakeholders to prepare your environment and then onboard devices in a methodical way, moving from evaluation, to a meaningful pilot, to full deployment. + +Each section corresponds to a separate article in this solution. + +![Image of deployment phases with details from table](images/deployment-guide-phases.png) + + +![Summary of deployment phases: prepare, setup, onboard](images/phase-diagrams/deployment-phases.png) + +|Phase | Description | |:-------|:-----| -| ![Phase 1: Prepare](images/prepare.png)
    [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP:

    - Stakeholders and sign-off
    - Environment considerations
    - Access
    - Adoption order -| ![Phase 2: Setup](images/setup.png)
    [Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:

    - Validating the licensing
    - Completing the setup wizard within the portal
    - Network configuration| -| ![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:

    - Using Microsoft Endpoint Configuration Manager to onboard devices
    - Configure capabilities +| [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities. +| [Phase 2: Setup](production-deployment.md)| Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the setup wizard, and network configuration. +| [Phase 3: Onboard](onboarding.md) | Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities. + + +After you've completed this guide, you'll be setup with the right access permissions, your endpoints will be onboarded and reporting sensor data to the service, and capabilities such as next-generation protection and attack surface reduction will be in place. - The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. +Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints. -There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). -## In Scope -The following is in scope for this deployment guide: -- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service -- Enabling Microsoft Defender ATP endpoint protection platform (EPP) + + + +## Key capabilities + +While Microsoft Defender for Endpoint provides many capabilities, the primary purpose of this deployment guide is to get you started by onboarding devices. In addition to onboarding, this guidance gets you started with the following capabilities. + + + +Capability | Description +:---|:--- +Endpoint detection and response | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. +Next-generation protection | To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +Attack surface reduction | Provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. + +All these capabilities are available for Microsoft Defender for Endpoint license holders. For more information, see [Licensing requirements](minimum-requirements.md#licensing-requirements). + +## Scope + +### In scope + +- Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities + +- Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities + +- Enabling Defender for Endpoint endpoint protection platform (EPP) capabilities - Next-generation protection - Attack surface reduction -- Enabling Microsoft Defender ATP endpoint detection and response (EDR) - capabilities including automatic investigation and remediation -- Enabling Microsoft Defender ATP threat and vulnerability management (TVM) - - -## Out of scope +### Out of scope The following are out of scope of this deployment guide: -- Configuration of third-party solutions that might integrate with Microsoft - Defender ATP +- Configuration of third-party solutions that might integrate with Defender for Endpoint - Penetration testing in production environment + + + + +## See also +- [Phase 1: Prepare](prepare-deployment.md) +- [Phase 2: Set up](production-deployment.md) +- [Phase 3: Onboard](onboarding.md) +- [Plan deployment](deployment-strategy.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md new file mode 100644 index 0000000000..8ad96f8300 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md @@ -0,0 +1,121 @@ +--- +title: Deploy Microsoft Defender ATP in rings +description: Learn how to deploy Microsoft Defender ATP in rings +keywords: deploy, rings, evaluate, pilot, insider fast, insider slow, setup, onboard, phase, deployment, deploying, adoption, configuring +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-endpointprotect +- m365solution-overview +ms.topic: article +--- + +# Deploy Microsoft Defender ATP in rings + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) + + +Deploying Microsoft Defender ATP can be done using a ring-based deployment approach. + +The deployment rings can be applied in the following scenarios: +- [New deployments](#new-deployments) +- [Existing deployments](#existing-deployments) + +## New deployments + +![Image of deployment rings](images/deployment-rings.png) + + +A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring. + +Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service. By piloting a certain number of devices first, you can identify potential issues and mitigate potential risks that might arise. + + +Table 1 provides an example of the deployment rings you might use. + +**Table 1** + +|**Deployment ring**|**Description**| +|:-----|:-----| +Evaluate | Ring 1: Identify 50 systems for pilot testing +Pilot | Ring 2: Identify the next 50-100 endpoints in production environment
    +Full deployment | Ring 3: Roll out service to the rest of environment in larger increments + + + +### Exit criteria +An example set of exit criteria for these rings can include: +- Devices show up in the device inventory list +- Alerts appear in dashboard +- [Run a detection test](run-detection-test.md) +- [Run a simulated attack on a device](attack-simulations.md) + +### Evaluate +Identify a small number of test machines in your environment to onboard to the service. Ideally, these machines would be fewer than 50 endpoints. + + +### Pilot +Microsoft Defender ATP supports a variety of endpoints that you can onboard to the service. In this ring, identify several devices to onboard and based on the exit criteria you define, decide to proceed to the next deployment ring. + +The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service. + +| Endpoint | Deployment tool | +|--------------|------------------------------------------| +| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
    NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.
    [Group Policy](configure-endpoints-gp.md)
    [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
    [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
    [VDI scripts](configure-endpoints-vdi.md) | +| **macOS** | [Local script](mac-install-manually.md)
    [Microsoft Endpoint Manager](mac-install-with-intune.md)
    [JAMF Pro](mac-install-with-jamf.md)
    [Mobile Device Management](mac-install-with-other-mdm.md) | +| **Linux Server** | [Local script](linux-install-manually.md)
    [Puppet](linux-install-with-puppet.md)
    [Ansible](linux-install-with-ansible.md)| +| **iOS** | [App-based](ios-install.md) | +| **Android** | [Microsoft Endpoint Manager](android-intune.md) | + + + + +### Full deployment +At this stage, you can use the [Plan deployment](deployment-strategy.md) material to help you plan your deployment. + + +Use the following material to select the appropriate Microsoft Defender ATP architecture that best suites your organization. + +|**Item**|**Description**| +|:-----|:-----| +|[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
    [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: