deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #3643 from MicrosoftDocs/master

Browse Source 
Publish 08/26/2020 3:30 PM
This commit is contained in:
Gary Moore 2020-08-26 16:37:02 -07:00 committed by GitHub
commit eae3542daf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 308 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
browsers/edge/microsoft-edge.yml
View File

@ -1,60 +1,144 @@
### YamlMime:YamlDocument ### YamlMime:Landing
title: Microsoft Edge Legacy # < 60 chars
summary: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # < 160 chars
documentType: LandingData
title: Microsoft Edge
metadata: metadata:
title: Microsoft Edge title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories
ms.prod: edge
ms.localizationpriority: medium ms.localizationpriority: medium
author: lizap author: lizap
ms.author: elizapo ms.author: elizapo
manager: dougkim manager: dougkim
ms.topic: article ms.topic: landing-page
ms.devlang: na ms.devlang: na
ms.date: 08/19/2020 #Required; mm/dd/yyyy format.
sections: # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
- items:
- type: markdown landingContent:
text: " # Cards and links should be based on top customer tasks or top subjects
Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Start card title with a verb
" # Card (optional)
- title: What's new - title: What's new
- items: linkLists:
- type: markdown - linkListType: whats-new
text: " links:
Find out the latest and greatest news on Microsoft Edge.<br> - text: Documentation for Microsoft Edge version 77 or later
<table><tr><td><img src='images/new1.png' width='192' height='192'><br>**The latest in Microsoft Edge**<br>See what's new for users and developers in the next update to Microsoft Edge - now available with the Windows 10 April 2018 update!<br><a href='https://blogs.windows.com/msedgedev/2018/04/30/edgehtml-17-april-2018-update/#C7jCBdbPSG6bCXHr.97'>Find out more</a></td><td><img src='images/new2.png' width='192' height='192'><br>**Evaluate the impact**<br>Review the latest Forrester Total Economic Impact (TEI) report to learn about the impact Microsoft Edge can have in your organization.<br><a href='microsoft-edge-forrester'>Download the reports</a></td></tr><tr><td><img src='images/new3.png' width='192' height='192'><br>**Microsoft Edge for iOS and Android**<br>Microsoft Edge brings familiar features across your PC and phone, which allows browsing to go with you, no matter what device you use.<br><a href='https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android'>Learn more</a></td><td><img src='images/new4.png' width='192' height='192'><br>**Application Guard**<br>Microsoft Edge with Windows Defender Application Guard is the most secure browser on Windows 10 Enterprise.<br><a href='https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview'>Learn more</a></td></tr> url: https://docs.microsoft.com/DeployEdge/
</table> - text: Microsoft Edge Legacydesktop appwill reach end of support on March 9, 2021
" url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666
- title: Compatibility - text: The latest in Microsoft Edge
- items: url: https://blogs.windows.com/msedgedev/2018/04/30/edgehtml-17-april-2018-update/#C7jCBdbPSG6bCXHr.97
- type: markdown - text: Microsoft Edge for iOS and Android
text: " url: https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android
Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.<br> - text: Application Guard
<table><tr><td><img src='images/compat1.png' width='192' height='192'><br>**Test your site on Microsoft Edge**<br>Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.<br><a href='https://developer.microsoft.com/microsoft-edge/tools/remote/'>Test your site on Microsoft Edge for free on BrowserStack</a><br><a href='https://sonarwhal.com/'>Use sonarwhal to improve your website.</a></td><td><img src='images/compat2.png' width='192' height='192'><br>**Improve compatibility with Enterprise Mode**<br>With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.<br><a href='https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility'>Use Enterprise mode to improve compatibility</a><br><a href='https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list'>Turn on Enterprise Mode and use a site list</a><br><a href='https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal'>Enterprise Site List Portal</a><br><a href='https://blogs.technet.microsoft.com/home_is_where_i_lay_my_head/2017/04/25/the-ultimate-browser-strategy-on-windows-10/'>Ultimate browser strategy on Windows 10</a></td><td><img src='images/compat3.png' width='192' height='192'><br>**Web Application Compatibility Lab Kit**<br>The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.<br><a href='web-app-compat-toolkit'>Find out more</a></td></tr> url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
</table> - linkListType: download
" links:
- title: Security - text: Evaluate the impact
- items: url: /microsoft-edge/deploy/microsoft-edge-forrester
- type: markdown
text: " # Card (optional)
Microsoft Edge uses Windows Hello and Windows Defender SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.<br> - title: Test your site on Microsoft Edge
<table><tr><td><img src='images/security1.png' width='192' height='192'><br>**NSS Labs web browser security reports**<br>See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks.<br><a href='https://www.microsoft.com/download/details.aspx?id=54773'>Download the reports</a></td><td><img src='images/security2.png' width='192' height='192'><br>**Microsoft Edge sandbox**<br>See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.<br><a href='https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/'>Find out more</a></td><td><img src='images/security3.png' width='192' height='192'><br>**Windows Defender SmartScreen**<br>Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely.<br><a href='https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview'>Read the docs</a></td></tr> linkLists:
</table> - linkListType: overview
" links:
- title: Deployment and end user readiness - text: Test your site on Microsoft Edge for free on BrowserStack
- items: url: https://developer.microsoft.com/microsoft-edge/tools/remote/
- type: markdown - text: Use sonarwhal to improve your website
text: " url: https://sonarwhal.com/
Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.<br>
<table><tr><td><img src='images/deploy-land.png' width='192' height='192'><br>**Deployment**<br>Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.<br><a href='https://docs.microsoft.com/microsoft-edge/deploy/'>Microsoft Edge deployment guide</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-faq'>Microsoft Edge FAQ</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/hardware-and-software-requirements'>System requirements and language support</a><br><a href='https://docs.microsoft.com/microsoft-edge/deploy/available-policies'>Group Policy and MDM settings in Microsoft Edge</a><br><a href='https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit'>Download the Web Application Compatibility Lab Kit</a><br><a href='edge-technical-demos.md'>Microsoft Edge training and demonstrations</a></td><td><img src='images/enduser-land.png' width='192' height='192'><br>**End user readiness**<br>Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.<br><a href='https://go.microsoft.com/fwlink/?linkid=825648'>Quick Start: Microsoft Edge (PDF, .98 MB)</a><br><a href='https://go.microsoft.com/fwlink/?linkid=825661'>Find it faster with Microsoft Edge (PDF, 605 KB)</a><br><a href='https://go.microsoft.com/fwlink/?linkid=825653'>Use Microsoft Edge to collaborate (PDF, 468 KB)</a><br><a href='https://microsoftedgetips.microsoft.com/en-us/2/39'>Import bookmarks</a><br><a href='https://microsoftedgetips.microsoft.com/en-us/2/18'>Password management</a><br><a href='https://myignite.microsoft.com/sessions/56630?source=sessions'>Microsoft Edge tips and tricks (video, 20:26)</a></td></tr> # Card (optional)
</table> - title: Improve compatibility with Enterprise Mode
" linkLists:
- title: Stay informed - linkListType: how-to-guide
- items: links:
- type: markdown - text: Use Enterprise mode to improve compatibility
text: " url: /microsoft-edge/deploy/emie-to-improve-compatibility
<table><tr><td><img src='images/wipinsider.png' width='192' height='192'><br>**Sign up for the Windows IT Pro Insider**<br>Get the latest tools, tips, and expert guidance on deployment, management, security, and more.<br><a href='https://aka.ms/windows-it-pro-insider'>Learn more</a></td><td><img src='images/edgeblog.png' width='192' height='192'><br>**Microsoft Edge Dev blog**<br>Keep up with the latest browser trends, security tips, and news for IT professionals.<br><a href='https://blogs.windows.com/msedgedev'>Read the blog</a></td><td><img src='images/twitter.png' width='192' height='192'><br>**Microsoft Edge Dev on Twitter**<br>Get the latest news and updates from the Microsoft Web Platform team.<br><a href='https://twitter.com/MSEdgeDev'>Visit Twitter</a></td></tr> - text: Turn on Enterprise Mode and use a site list
</table> url: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
" - text: Enterprise Site List Portal
url: https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal
# Card (optional)
- title: Web Application Compatibility Lab Kit
linkLists:
- linkListType: overview
links:
- text: Overview
url: /microsoft-edge/deploy/emie-to-improve-compatibility
# Card (optional)
- title: Security
linkLists:
- linkListType: download
links:
- text: NSS Labs web browser security reports
url: https://www.microsoft.com/download/details.aspx?id=54773
- linkListType: overview
links:
- text: Microsoft Edge sandbox
url: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
- text: Windows Defender SmartScreen
url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
# Card (optional)
- title: Deployment
linkLists:
- linkListType: overview
links:
- text: Microsoft Edge deployment guide
url: /microsoft-edge/deploy/
- text: Microsoft Edge FAQ
url: /microsoft-edge/deploy/microsoft-edge-faq
- text: System requirements and language support
url: /microsoft-edge/deploy/hardware-and-software-requirements
- text: Group Policy and MDM settings in Microsoft Edge
url: /microsoft-edge/deploy/available-policies
- text: Microsoft Edge training and demonstrations
url: /microsoft-edge/deploy/edge-technical-demos
- linkListType: download
links:
- text: Web Application Compatibility Lab Kit
url: https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit
# Card (optional)
- title: End user readiness
linkLists:
- linkListType: video
links:
- text: Microsoft Edge tips and tricks (video, 20:26)
url: https://myignite.microsoft.com/sessions/56630?source=sessions
- linkListType: download
links:
- text: Quick Start - Microsoft Edge (PDF, .98 MB)
url: https://go.microsoft.com/fwlink/?linkid=825648
- text: Find it faster with Microsoft Edge (PDF, 605 KB)
url: https://go.microsoft.com/fwlink/?linkid=825661
- text: Use Microsoft Edge to collaborate (PDF, 468 KB)
url: https://go.microsoft.com/fwlink/?linkid=825653
- text: Group Policy and MDM settings in Microsoft Edge
url: /microsoft-edge/deploy/available-policies
- text: Microsoft Edge training and demonstrations
url: /microsoft-edge/deploy/edge-technical-demos
- linkListType: how-to-guide
links:
- text: Import bookmarks
url: https://microsoftedgetips.microsoft.com/2/39
- text: Password management
url: https://microsoftedgetips.microsoft.com/2/18
# Card (optional)
- title: Stay informed
linkLists:
- linkListType: overview
links:
- text: Sign up for the Windows IT Pro Insider
url: https://aka.ms/windows-it-pro-insider
- text: Microsoft Edge Dev blog
url: https://blogs.windows.com/msedgedev
- text: Microsoft Edge Dev on Twitter
url: https://twitter.com/MSEdgeDev

10
windows/client-management/mdm/dmclient-csp.md
View File

@ -21,11 +21,15 @@ The following diagram shows the DMClient CSP in tree format.
![dmclient csp](images/provisioning-csp-dmclient-th2.png) ![dmclient csp](images/provisioning-csp-dmclient-th2.png)
<a href="" id="msft"></a>**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
<a href="" id="dmclient"></a>**DMClient** <a href="" id="dmclient"></a>**DMClient**
Root node for the CSP. Root node for the CSP.
<a href="" id="updatemanagementserviceaddress"></a>**UpdateManagementServiceAddress** <a href="" id="updatemanagementserviceaddress"></a>**UpdateManagementServiceAddress**
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
<a href="" id="hwdevid"></a>**HWDevID** <a href="" id="hwdevid"></a>**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID. Added in Windows 10, version 1703. Returns the hardware device ID.
@ -221,7 +225,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get. Supported operation is Get.
<a href="" id="provider-providerid-commercialid"></a>**Provider/*ProviderID*/CommercialID** <a href="" id="provider-providerid-commercialid"></a>**Provider/*ProviderID*/CommercialID**
Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.. Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete. Supported operations are Add, Get, Replace, and Delete.
@ -265,7 +269,7 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken** <a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool. Supported operations are Add, Delete, Get, and Replace. Value type is bool.

28
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -107,7 +107,7 @@ The following table lists management options for each setting, beginning with Wi
| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [28. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@ -217,7 +217,7 @@ See the following table for a summary of the management settings for Windows Ser
| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |
| [28. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
## How to configure each setting ## How to configure each setting
@ -415,7 +415,7 @@ To turn off Insider Preview builds for Windows 10:
### <a href="" id="bkmk-ie"></a>8. Internet Explorer ### <a href="" id="bkmk-ie"></a>8. Internet Explorer
> [!NOTE] > [!NOTE]
>When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/en-us/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings: >When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description | | Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| |------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -1560,7 +1560,7 @@ To turn off Messaging cloud sync:
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx). You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx).
>[!NOTE] >[!NOTE]
>If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work. >If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** &gt; **TCPIP Settings** &gt; **IPv6 Transition Technologies** &gt; **Set Teredo State** and set it to **Disabled State**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** &gt; **TCPIP Settings** &gt; **IPv6 Transition Technologies** &gt; **Set Teredo State** and set it to **Disabled State**.
@ -1664,7 +1664,7 @@ You can turn off **Enhanced Notifications** as follows:
### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen ### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen
To disable Windows Defender Smartscreen: To disable Windows Defender SmartScreen:
In Group Policy, configure: In Group Policy, configure:
@ -1809,19 +1809,19 @@ You can turn off apps for websites, preventing customers who visit websites that
- Create a new REG_DWORD registry setting named **EnableAppUriHandlers** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**. - Create a new REG_DWORD registry setting named **EnableAppUriHandlers** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
### <a href="" id="bkmk-updates"></a>28. Windows Update Delivery Optimization ### <a href="" id="bkmk-updates"></a>28. Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization. Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Bypass** (99), as described below. In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below.
### <a href="" id="bkmk-wudo-ui"></a>28.1 Settings &gt; Update & security ### <a href="" id="bkmk-wudo-ui"></a>28.1 Settings &gt; Update & security
You can set up Delivery Optimization from the **Settings** UI. You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI.
- Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**. - Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**.
@ -1837,9 +1837,12 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.| | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size. <br /> The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity. <br /> The default value is 0, which means unlimited possible bandwidth.|
For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
### <a href="" id="bkmk-wudo-mdm"></a>28.3 Delivery Optimization ### <a href="" id="bkmk-wudo-mdm"></a>28.3 Delivery Optimization
- **Enable** the **Download Mode** Group Policy under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization** and set the **Download Mode** to **"Bypass"** to prevent traffic. - **Enable** the **Download Mode** Group Policy under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service.
-or- -or-
@ -1848,6 +1851,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates]
(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization).
### <a href="" id="bkmk-wu"></a>29. Windows Update ### <a href="" id="bkmk-wu"></a>29. Windows Update
You can turn off Windows Update by setting the following registry entries: You can turn off Windows Update by setting the following registry entries:

2
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
View File

@ -27,7 +27,7 @@ ms.reviewer:
## Provisioning ## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
![Event358](images/Event358.png) ![Event358](images/Event358-2.png)
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**. The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.

2
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
View File

@ -1,6 +1,6 @@
--- ---
title: Configure Hybrid Windows Hello for Business key trust Settings title: Configure Hybrid Windows Hello for Business key trust Settings
description: Configuring Windows Hello for Business settings in hybrid key trust deployment. description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

2
windows/security/identity-protection/hello-for-business/hello-overview.md
View File

@ -1,7 +1,7 @@
--- ---
title: Windows Hello for Business Overview (Windows 10) title: Windows Hello for Business Overview (Windows 10)
ms.reviewer: An overview of Windows Hello for Business ms.reviewer: An overview of Windows Hello for Business
description: An overview of Windows Hello for Business description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10.
keywords: identity, PIN, biometric, Hello, passport keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

2
windows/security/identity-protection/hello-for-business/hello-planning-guide.md
View File

@ -1,6 +1,6 @@
--- ---
title: Planning a Windows Hello for Business Deployment title: Planning a Windows Hello for Business Deployment
description: A guide to planning a Windows Hello for Business deployment description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
keywords: identity, PIN, biometric, Hello, passport keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

2
windows/security/identity-protection/hello-for-business/hello-videos.md
View File

@ -1,6 +1,6 @@
--- ---
title: Windows Hello for Business Videos title: Windows Hello for Business Videos
description: Windows Hello for Business Videos description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

BIN
windows/security/identity-protection/hello-for-business/images/event358-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

2
windows/security/identity-protection/hello-for-business/passwordless-strategy.md
View File

@ -1,6 +1,6 @@
--- ---
title: Passwordless Strategy title: Passwordless Strategy
description: Reducing Password Usage Surface description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

2
windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

@ -1,6 +1,6 @@
--- ---
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10) title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
description: Explains how to secure VPN connections for Diffie Hellman Group 2 description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library

2
windows/security/identity-protection/vpn/vpn-authentication.md
View File

@ -1,6 +1,6 @@
--- ---
title: VPN authentication options (Windows 10) title: VPN authentication options (Windows 10)
description: tbd description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library

16
windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
View File

@ -1,6 +1,6 @@
--- ---
title: VPN auto-triggered profile options (Windows 10) title: VPN auto-triggered profile options (Windows 10)
description: tbd description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
@ -61,13 +61,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers. When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers.
Preserving user Always On preference ## Preserving user Always On preference
Windows has a feature to preserve a users AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. Windows has a feature to preserve a users AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference.
Value: AutoTriggerDisabledProfilesList
Type: REG_MULTI_SZ **Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config<br/>
**Value:** AutoTriggerDisabledProfilesList<br/>
**Type:** REG_MULTI_SZ
## Trusted network detection ## Trusted network detection

2
windows/security/identity-protection/vpn/vpn-guide.md
View File

@ -1,6 +1,6 @@
--- ---
title: Windows 10 VPN technical guide (Windows 10) title: Windows 10 VPN technical guide (Windows 10)
description: Use this guide to configure VPN deployment for Windows 10. description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library

2
windows/security/identity-protection/vpn/vpn-name-resolution.md
View File

@ -1,6 +1,6 @@
--- ---
title: VPN name resolution (Windows 10) title: VPN name resolution (Windows 10)
description: tbd description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library

2
windows/security/identity-protection/vpn/vpn-routing.md
View File

@ -1,6 +1,6 @@
--- ---
title: VPN routing decisions (Windows 10) title: VPN routing decisions (Windows 10)
description: tbd description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library

2
windows/security/identity-protection/vpn/vpn-security-features.md
View File

@ -1,6 +1,6 @@
--- ---
title: VPN security features (Windows 10) title: VPN security features (Windows 10)
description: tbd description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library

2
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -1,6 +1,6 @@
--- ---
title: BitLocker Management Recommendations for Enterprises (Windows 10) title: BitLocker Management Recommendations for Enterprises (Windows 10)
description: This topic explains recommendations for managing BitLocker. description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: explore ms.mktglfcycl: explore
ms.sitesec: library ms.sitesec: library

6
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -84,11 +84,15 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar. 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**. 2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO: 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
- Reboot into BIOS settings - Reboot into BIOS settings
- Turn on Intel Virtualization Technology. - Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows 10. - Reboot system into Windows 10.
>[!NOTE]
> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES.
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.

2
windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
View File

@ -1,6 +1,6 @@
--- ---
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
description: Appendix A, Security monitoring recommendations for many audit events description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

2
windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
View File

@ -1,6 +1,6 @@
--- ---
title: Audit Other Privilege Use Events (Windows 10) title: Audit Other Privilege Use Events (Windows 10)
description: This security policy setting is not used. description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp

2
windows/security/threat-protection/auditing/basic-security-audit-policies.md
View File

@ -1,6 +1,6 @@
--- ---
title: Basic security audit policies (Windows 10) title: Basic security audit policies (Windows 10)
description: Before you implement auditing, you must decide on an auditing policy. description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer: ms.reviewer:
ms.author: dansimp ms.author: dansimp

9
windows/security/threat-protection/auditing/event-4608.md
View File

@ -1,6 +1,6 @@
--- ---
title: 4608(S) Windows is starting up. (Windows 10) title: 4608(S) Windows is starting up. (Windows 10)
description: Describes security event 4608(S) Windows is starting up. description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016 - Windows Server 2016
<img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="left" /> <img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="top" />
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md) ***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
@ -30,12 +30,13 @@ This event is logged when LSASS.EXE process starts and the auditing subsystem is
It typically generates during operating system startup process. It typically generates during operating system startup process.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. > [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all"> <br clear="all">
***Event XML:*** ***Event XML:***
``` ```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System> - <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />

2
windows/security/threat-protection/auditing/event-4615.md
View File

@ -1,6 +1,6 @@
--- ---
title: 4615(S) Invalid use of LPC port. (Windows 10) title: 4615(S) Invalid use of LPC port. (Windows 10)
description: Describes security event 4615(S) Invalid use of LPC port. description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy

15
windows/security/threat-protection/auditing/event-4616.md
View File

@ -1,6 +1,6 @@
--- ---
title: 4616(S) The system time was changed. (Windows 10) title: 4616(S) The system time was changed. (Windows 10)
description: Describes security event 4616(S) The system time was changed. description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016 - Windows Server 2016
<img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="left" /> <img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="top" />
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md) ***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
@ -32,12 +32,13 @@ This event is always logged regardless of the "Audit Security State Change" sub-
You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions. You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. > [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all"> <br clear="all">
***Event XML:*** ***Event XML:***
``` ```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System> - <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
@ -87,7 +88,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). > [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation. - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
@ -161,7 +163,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
For 4616(S): The system time was changed. For 4616(S): The system time was changed.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). > [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service. - Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service.

129
windows/security/threat-protection/auditing/event-4625.md
View File

@ -1,6 +1,6 @@
--- ---
title: 4625(F) An account failed to log on. (Windows 10) title: 4625(F) An account failed to log on. (Windows 10)
description: Describes security event 4625(F) An account failed to log on. description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
ms.pagetype: security ms.pagetype: security
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016 - Windows Server 2016
<img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="left" /> <img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="top" />
***Subcategories:***&nbsp;[Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md) ***Subcategories:***&nbsp;[Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
@ -32,12 +32,13 @@ It generates on the computer where logon attempt was made, for example, if logon
This event generates on domain controllers, member servers, and workstations. This event generates on domain controllers, member servers, and workstations.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. > [!NOTE]
> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all"> <br clear="all">
***Event XML:*** ***Event XML:***
``` ```xml
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System> - <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
@ -93,7 +94,8 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). > [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure. - **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
@ -109,27 +111,30 @@ This event generates on domain controllers, member servers, and workstations.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field. - **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
| <span id="Windows_Logon_Types" class="anchor"></span>Logon Type | Logon Title | Description |
|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
> <span id="_Ref433822321" class="anchor"></span>Table: Windows Logon Types <span id="_Ref433822321" class="anchor"></span>**Table 11: Windows Logon Types**
| <span id="Windows_Logon_Types" class="anchor"></span>Logon Type | Logon Title | Description |
|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
**Account For Which Logon Failed:** **Account For Which Logon Failed:**
- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). > [!NOTE]
> A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt. - **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
@ -151,35 +156,36 @@ This event generates on domain controllers, member servers, and workstations.
- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value. - **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes. - **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
| Status\\Sub-Status Code | Description | <span id="_Ref433822658" class="anchor"></span>**Table 12: Windows logon status codes.**
|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information |
| 0XC000006E | Unknown user name or bad password. |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
> <span id="_Ref433822658" class="anchor"></span>Table: Windows logon status codes. | Status\\Sub-Status Code | Description |
> |-------------------------|------------------------------------------------------------------------------------------------------|
> **Note**&nbsp;&nbsp;To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK. | 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information |
| 0XC000006E | Unknown user name or bad password. |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
> [!NOTE]
> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
More information: <https://dev.windows.com/en-us/downloads> More information: <https://dev.windows.com/en-us/downloads>
@ -187,7 +193,7 @@ More information: <https://dev.windows.com/en-us/downloads>
**Process Information:** **Process Information:**
- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): - **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):<br/><br/>
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" /> <img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
@ -241,7 +247,8 @@ More information: <https://dev.windows.com/en-us/downloads>
For 4625(F): An account failed to log on. For 4625(F): An account failed to log on.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). > [!IMPORTANT]
> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
@ -277,17 +284,17 @@ For 4625(F): An account failed to log on.
- Monitor for all events with the fields and values in the following table: - Monitor for all events with the fields and values in the following table:
| **Field** | Value to monitor for | | **Field** | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | | **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |

3
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen ms.custom: nextgen
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
ms.date: 08/26/2020
--- ---
# Microsoft Defender Antivirus compatibility # Microsoft Defender Antivirus compatibility
@ -26,7 +27,7 @@ manager: dansimp
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. - If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. - If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact.
## Antivirus and Microsoft Defender ATP ## Antivirus and Microsoft Defender ATP

2
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -150,7 +150,7 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
- \+\<Region Name="uksouth"> - \+\<Region Name="uksouth">
- \+\<Region Name="ukwest"> - \+\<Region Name="ukwest">
You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=56519).
> [!NOTE] > [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.

69
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -30,36 +30,31 @@ If you can reproduce a problem, increase the logging level, run the system for s
1. Increase logging level: 1. Increase logging level:
```bash ```bash
mdatp --log-level verbose mdatp log level set --level verbose
``` ```
```Output ```Output
Creating connection to daemon Log level configured successfully
Connection established
Operation succeeded
``` ```
2. Reproduce the problem 2. Reproduce the problem
3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. 3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash ```bash
sudo mdatp --diagnostic --create sudo mdatp diagnostic create
``` ```
```Output ```Output
Creating connection to daemon Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip"
Connection established
``` ```
4. Restore logging level: 4. Restore logging level:
```bash ```bash
mdatp --log-level info mdatp log level set --level info
``` ```
```Output ```Output
Creating connection to daemon Log level configured successfully
Connection established
Operation succeeded
``` ```
## Logging installation issues ## Logging installation issues
@ -85,30 +80,32 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Note that wh
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
|Group |Scenario |Command | |Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------| |-------------|-------------------------------------------|----------------------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` | |Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` | |Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` | |Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` | |Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |
|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` | |Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` | |Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
|Configuration|List all allowed threat names |`mdatp threat allowed list` | |Configuration|List all allowed threat names |`mdatp threat allowed list` |
|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| |Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action block` |
|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | |Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| |Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` |
|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` | |Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` |
|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | |Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | |Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
|Health |Check the product's health |`mdatp --health` | |Health |Check the product's health |`mdatp health` |
|Protection |Scan a path |`mdatp --scan --path [path]` | |Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` |
|Protection |Do a quick scan |`mdatp --scan --quick` | |Protection |Scan a path |`mdatp scan custom --path [path]` |
|Protection |Do a full scan |`mdatp --scan --full` | |Protection |Do a quick scan |`mdatp scan quick` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | |Protection |Do a full scan |`mdatp scan full` |
|Protection |Request a security intelligence update |`mdatp --definition-update` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 | |Protection |Request a security intelligence update |`mdatp definitions update` |
|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` | |EDR |Turn on/off EDR preview for Mac |`mdatp edr early-preview [enabled/disabled]` |
|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` | |EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp edr tag set --name GROUP --value [name]` |
|EDR |Remove group tag from device |`mdatp edr tag remove --tag-name [name]` |
|EDR |Add Group Id |`mdatp edr group-ids --group-id [group]` |
### How to enable autocompletion ### How to enable autocompletion