diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3b8c2ce3db..066d1d1e75 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -86,6 +86,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md", +"redirect_url": "https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip", +"redirect_document_id": false +}, +{ "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md", "redirect_url": "https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure", "redirect_document_id": false diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index c9213a887f..18f6f3dbf0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md 
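Review bot: the new .openpublishing.redirection.json entry for how-wip-works-with-labels.md is not accompanied in this diff by a deletion of that markdown file; the docs build rejects a redirect whose source_path still exists in the repo, so confirm the source file is removed in the same change. The absolute docs.microsoft.com redirect_url with redirect_document_id set to false matches the neighbouring create-wip-policy-using-intune.md entry, so the shape of the entry itself is fine.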
@@ -15,40 +15,42 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/18/2017 +ms.date: 4/16/2017 --- # Manage Windows Hello for Business in your organization **Applies to** -- Windows 10 +- Windows 10 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. > ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > >Use **PIN Complexity** policy settings to manage PINs for Windows Hello for Business. - + ## Group Policy settings for Windows Hello for Business -The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. +The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. 
These policy settings are available in **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**. > [!NOTE] > Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**. - +
Policy | +Scope | Options | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Use Windows Hello for Business | + | Computer or user |
- Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. +Not configured: Device does not provision Windows Hello for Business for any user. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user. |
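Review bot: ms.date in the front matter moves backward, from 10/18/2017 to 4/16/2017, in this hunk; a change that documents settings added in version 1703 and later should carry a date no earlier than the one it replaces, so the year looks like a typo and should be checked. In the same hunk the Use Windows Hello for Business row now gives Not configured the same behaviour as Disabled ("Device does not provision Windows Hello for Business for any user"), replacing the old claim that users could provision it themselves; that is a substantive correction of the documented default and should be called out in the PR description so admins relying on the old text notice it.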
@@ -56,15 +58,41 @@ The following table lists the Group Policy settings that you can configure for W
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Use a hardware security device | + | Computer |
Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. -Enabled: Windows Hello for Business will only be provisioned using TPM. +Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Use certificate for on-premises authentication | ++ | Computer or user | +
+ Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. +Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. +Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication. + |
+Use PIN recovery | ++ | Computer | +
+ Added in Windows 10, version 1703 +Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. +Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. +Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. ++ +For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md). + + |
+
+||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Use biometrics | + | Computer |
Not configured: Biometrics can be used as a gesture in place of a PIN. Enabled: Biometrics can be used as a gesture in place of a PIN. @@ -74,6 +102,7 @@ The following table lists the Group Policy settings that you can configure for W | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
PIN Complexity | Require digits | +Computer |
Not configured: Users must include a digit in their PIN. Enabled: Users must include a digit in their PIN. @@ -82,6 +111,7 @@ The following table lists the Group Policy settings that you can configure for W | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Require lowercase letters | +Computer |
Not configured: Users cannot use lowercase letters in their PIN. Enabled: Users must include at least one lowercase letter in their PIN. @@ -90,6 +120,7 @@ The following table lists the Group Policy settings that you can configure for W | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Maximum PIN length | +Computer |
Not configured: PIN length must be less than or equal to 127. Enabled: PIN length must be less than or equal to the number you specify. @@ -98,6 +129,7 @@ The following table lists the Group Policy settings that you can configure for W | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Minimum PIN length | +Computer |
Not configured: PIN length must be greater than or equal to 4. Enabled: PIN length must be greater than or equal to the number you specify. @@ -106,6 +138,7 @@ The following table lists the Group Policy settings that you can configure for W | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Expiration | +Computer |
Not configured: PIN does not expire. Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. @@ -114,6 +147,7 @@ The following table lists the Group Policy settings that you can configure for W | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
History | +Computer |
Not configured: Previous PINs are not stored. Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. @@ -124,6 +158,7 @@ The following table lists the Group Policy settings that you can configure for W | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Require special characters | +Computer |
Not configured: Users cannot include a special character in their PIN. Enabled: Users must include at least one special character in their PIN. @@ -132,6 +167,7 @@ The following table lists the Group Policy settings that you can configure for W | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Require uppercase letters | +Computer |
Not configured: Users cannot include an uppercase letter in their PIN. Enabled: Users must include at least one uppercase letter in their PIN. @@ -139,9 +175,9 @@ The following table lists the Group Policy settings that you can configure for W |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
>Phone Sign-in | -
- Use Phone Sign-in + | Phone Sign-in | +Use Phone Sign-in | +Computer |
Not currently supported. @@ -154,7 +190,7 @@ The following table lists the Group Policy settings that you can configure for W The following table lists the MDM policy settings that you can configure for Windows Hello for Business use in your workplace. These MDM policy settings use the [PassportForWork configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkId=692070). >[!IMPORTANT] ->Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. +>Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP.
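Review bot: in the Use a hardware security device row, the added sentence "This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set" has no antecedent for "them"; write "unless the option to exclude TPM 1.2 devices is explicitly set" and name the option as it appears under the Enabled state, because whether TPM 1.2 parts are accepted is exactly what an admin choosing hardware-bound keys needs to know. In the new Use certificate for on-premises authentication row, Enabled "enrolls a sign-in certificate using ADFS"; spell the acronym out on first use so the dependency on the federation service is clear.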
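Review bot: the hunk at @@ -154,7 +190,7 replaces the two IMPORTANT lines under the MDM table with text that is character-for-character identical, so it appears to be a trailing-whitespace change only; confirm that is intended, and prefer leaving such lines untouched so reviewers can see which hunks carry content. The IMPORTANT block and the "Windows 10" bullet in the first hunk of this file show the same pattern.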
**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). | -|History |Acts as an audit log for all of the following: - All actions taken by automated investigation and remediation in Microsoft Defender ATP Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) - All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone) - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) | +The action center consists of two main tabs: **Pending actions** and **History**. +- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). +- **History** Acts as an audit log for all of the following items: + - Remediation actions that were taken as a result of an automated investigation + - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) + - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone) + - Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) Use the **Customize columns** menu to select columns that you'd like to show or hide. 
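Review bot: the rewritten action center text calls the tab **Pending actions** in the lead sentence and "the Pending tab" in the same bullet; use one name so readers can match it to the portal. Also, the old History entry covered "All actions taken by automated investigation and remediation", while the new first sub-bullet narrows it to "Remediation actions that were taken as a result of an automated investigation"; confirm that narrowing is intended and that nothing else logged by an automated investigation is shown in History, otherwise the old wording was more accurate.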
@@ -58,29 +61,30 @@ On the **Investigations** page, you can view details and use filters to focus on |---------|---------| |**Status** |(See [Automated investigation status](#automated-investigation-status)) | |**Triggering alert** | The alert that initiated the automated investigation | -|**Detection source** |The source of the alert that initiated the automated investigation. | -|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. | -|**Threat** |The category of threat detected during the automated investigation. | -|**Tags** |Filter using manually added tags that capture the context of an automated investigation.| -|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.| +|**Detection source** |The source of the alert that initiated the automated investigation | +|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. | +|**Threat** |The category of threat detected during the automated investigation | +|**Tags** |Filter using manually added tags that capture the context of an automated investigation| +|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't| ## Automated investigation status -An automated investigation can be have one of the following status values: +An automated investigation can have one of the following status values: |Status |Description | |---------|---------| -| No threats found | No malicious entities found during the investigation. 
| -| Failed | A problem has interrupted the investigation, preventing it from completing. | -| Partially remediated | A problem prevented the remediation of some malicious entities. | -| Pending action | Remediation actions require review and approval. | +| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. | +| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. | +| No threats found | The investigation has finished and no threats were identified. If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). | +| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. | +| Remediated | The investigation finished and all actions were approved (fully remediated). | +| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. | +| Terminated by system | The investigation stopped. An investigation can stop for several reasons: - The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. - There are too many actions in the list. 
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. | +| Failed | At least one investigation analyzer ran into a problem where it could not complete properly. If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. | +| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. | | Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | -| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. | -| Running | Investigation ongoing. Malicious entities found will be remediated. | -| Remediated | Malicious entities found were successfully remediated. | -| Terminated by system | Investigation was stopped by the system. | | Terminated by user | A user stopped the investigation before it could complete. | -| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. | + ## View details about an automated investigation 
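Review bot: the new Terminated by system row embeds a hyphen list ("- The investigation's pending actions expired. ... - There are too many actions in the list.") inside a markdown table cell, where list syntax does not render, so the hyphens will appear as literal text; separate the reasons with `<br>` or rewrite them as one sentence. The Partially remediated definition also changes meaning in this hunk: the removed row described a problem that prevented remediation of some entities, the added row describes approved actions with others still pending, which overlaps with the Pending action row. Confirm the new definition matches what the product reports and that the failure case is now covered by the Failed row.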
@@ -92,7 +96,7 @@ In this view, you'll see the name of the investigation, when it started and ende ### Investigation graph -The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. +The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. A progress ring shows two status indicators: - Orange ring - shows the pending portion of the investigation @@ -108,7 +112,7 @@ From this view, you can also view and add comments and tags about the investigat ### Alerts -The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to. +The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. 
@@ -124,7 +128,7 @@ Machines that show the same threat can be added to an ongoing investigation and Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. -Clicking on an machine name brings you the machine page. +Clicking on a machine name brings you the machine page. ### Evidence @@ -146,7 +150,7 @@ You can also click on an action to bring up the details pane where you'll see in ### Pending actions -If there are pending actions on an automated investigation, you'll see a pop up similar to the following image. +If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.  diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index a9250abb97..8ae4bbb815 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md 
@@ -21,39 +21,39 @@ ms.topic: conceptual ## Remediation actions -When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *Clean*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. +When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization’s security operations team. For example, some actions, such as removing malware, are taken automatically. Other actions require review and approval to proceed. When a verdict of *Malicious* is reached for a piece of evidence, Microsoft Defender Advanced Threat Protection takes one of the following remediation actions automatically: -- Quarantine file -- Remove registry key -- Kill process -- Stop service -- Remove registry key -- Disable driver -- Remove scheduled task +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Remove a registry key +- Disable a driver +- Remove a scheduled task -Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible. This helps your automated investigations complete in a timely manner. +Evidence determined as *Suspicious* results in pending actions that require approval. As a best practice, make sure to [approve (or reject) pending actions](#review-pending-actions) as soon as possible so that you automated investigations complete in a timely manner. 
-No actions are taken when evidence is determined to be *Clean*. +No actions are taken when a verdict of *No threats found* is reached for a piece of evidence. In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions). ## Review pending actions -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the Security dashboard. 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. 3. Review any items on the **Pending** tab. - Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. + Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions. Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations. ## Review completed actions -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. This takes you to your Security dashboard. +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 
You'll see the Security dashboard. 2. On the Security dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**. @@ -61,6 +61,12 @@ In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and 4. Select an item to view more details about that remediation action. +## Next steps + +- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) + +- [Get an overview of live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response) + ## Related articles - [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) |
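Review bot: "Remove a registry key" appears twice in the list of actions taken automatically on a Malicious verdict; the hunk at @@ -21,39 +21,39 rewrites every line of that list but keeps the duplicate, so drop the second occurrence. In the same hunk, "so that you automated investigations complete in a timely manner" should read "so that your automated investigations complete". The rename of the Clean verdict to No threats found is applied in both places it appears, which matches the status table in the action center article.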
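Review bot: the new Next steps section at @@ -61,6 +61,12 links to auto-investigation-action-center and live-response with absolute docs.microsoft.com URLs, although both targets live in the same microsoft-defender-atp folder as this file and in-repo articles elsewhere in this PR use relative links (hello-feature-pin-reset.md); use relative links here so they resolve in branch builds and are validated by the link checker.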