From 5ce77666e16a6f318781a6703c1506d817189274 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 21 Apr 2019 20:07:28 +0500 Subject: [PATCH 01/42] update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5bfe2c6ba4..4181785422 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise E3 license or higher. A Windows E5 license gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From b7fc3ce24c06828000fc4037776a4e8496feb516 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 21 Apr 2019 20:59:33 +0500 Subject: [PATCH 02/42] update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4181785422..272c13081f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From 84e8a5a03ee541c5b5ae4fd9e849308b27308af5 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sat, 27 Apr 2019 16:35:21 +0200 Subject: [PATCH 03/42] Update assignedaccess-csp.md Added note about assigned access. --- windows/client-management/mdm/assignedaccess-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 13f0987eca..55d8e8b012 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -22,6 +22,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > [!Warning] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. +> [!Note] +> If the application runs in assigned access mode, when the app calls KeyCredentialManager.IsSupportedAsync and it returns false on the first run, try invoking the settings screen to have the user select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. This means you can only use Windows Hello if you first leave Assigned Access. The user must then select his/her convenience pin and then go into Assigned Access again. + > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. From aacdf73752e02cbc2bac019ebf26164b78376416 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Mon, 29 Apr 2019 05:29:27 +0200 Subject: [PATCH 04/42] Update windows/client-management/mdm/assignedaccess-csp.md Changed wording. Co-Authored-By: lindspea <45809756+lindspea@users.noreply.github.com> --- windows/client-management/mdm/assignedaccess-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 55d8e8b012..b6470b0c3d 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -23,7 +23,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. > [!Note] -> If the application runs in assigned access mode, when the app calls KeyCredentialManager.IsSupportedAsync and it returns false on the first run, try invoking the settings screen to have the user select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. This means you can only use Windows Hello if you first leave Assigned Access. The user must then select his/her convenience pin and then go into Assigned Access again. +> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again. > [!Note] > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition. From 3020dfae762b7ad5ae675a3346cc1e5f2d580dd3 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 11:48:22 -0400 Subject: [PATCH 05/42] first pass at updating known issues section --- .../microsoft-defender-atp-mac.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index f643a3b454..82acdc4d29 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -464,12 +464,15 @@ Or, from a command line: - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` ## Known issues -- Microsoft Defender ATP is not yet optimized for performance or disk space. -- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). -- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. -- Full Windows Defender ATP integration is not yet available -- Not localized yet -- There might be accessibility issues + +- Not localized yet. +- There might be accessibility issues. +- Not optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. +- Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. + ## Collecting diagnostic information If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. From c77397e197a5bf176ada23cd8883e8c1946aa22f Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 12:45:00 -0400 Subject: [PATCH 06/42] added what's new section --- .../microsoft-defender-atp-mac.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 82acdc4d29..fd141aaa08 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -25,6 +25,21 @@ ms.topic: conceptual This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +## What’s new in the public preview + +- Fully accessible +- Various bug fixes +- Improved performance +- Improved user experience +- Improved threat handling +- Localized for 37 languages +- Improved anti-tampering protections +- Feedback can now be submitted via the Mac Client UI. +- Product health can now be queried via Jamf or the command line. +- Reduced delay for Mac devices to appear in the ATP console, following deployment. +- Admins can now set their cloud geo preference for any location, not just those in the US. + + ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. From 5733e9b39311dab6057bd7c8bea356c63838ecbc Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 12:59:11 -0400 Subject: [PATCH 07/42] refining what's new section text --- .../microsoft-defender-atp-mac.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index fd141aaa08..44e8b765e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -34,10 +34,10 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only - Improved threat handling - Localized for 37 languages - Improved anti-tampering protections -- Feedback can now be submitted via the Mac Client UI. -- Product health can now be queried via Jamf or the command line. +- Feedback and samples can be submitted via the GUI. +- Product health can be queried via Jamf or the command line. - Reduced delay for Mac devices to appear in the ATP console, following deployment. -- Admins can now set their cloud geo preference for any location, not just those in the US. +- Admins can set their cloud preference for any location, not just those in the US. ## Prerequisites From 8162acd4cddfe26b4f61e0c31e295214b6bcba01 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 1 May 2019 14:21:07 -0400 Subject: [PATCH 08/42] added atp portal section --- .../microsoft-defender-atp-mac.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 44e8b765e4..eff522741e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -468,6 +468,32 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## What to expect in the ATP portal + +- Severity +- Scan type +- Antivirus alerts +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine +- File information: + - Hashes + - Size + - Path + - Name +- Threat information: + - Type + - State + - Name + + ## Uninstallation ### Removing Microsoft Defender ATP from Mac devices To remove Microsoft Defender ATP from your macOS devices: From 58618eb4e7609e299ce616f5f9294c95910ff2f6 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 07:40:59 -0400 Subject: [PATCH 09/42] added configuring via the command line section & table --- .../microsoft-defender-atp-mac.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index eff522741e..274a348c8b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -468,6 +468,28 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## Configuring with the command line + +Controlling product settings, triggering on-demand scans, and several other important tasks can be done via the following CLI commands: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | + ## What to expect in the ATP portal - Severity From 3c6938f6d81c091be95028cec8c18598fc7c2b5c Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 07:54:37 -0400 Subject: [PATCH 10/42] fixed inaccuracies in portal section --- .../microsoft-defender-atp-mac.md | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 274a348c8b..1e0f483f69 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -470,7 +470,7 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Configuring with the command line -Controlling product settings, triggering on-demand scans, and several other important tasks can be done via the following CLI commands: +Controlling product settings, triggering on-demand scans, and several other important tasks can be done with the following CLI commands: |Group |Scenario |Command | |-------------|-------------------------------------------|-----------------------------------------------------------------------| @@ -492,9 +492,12 @@ Controlling product settings, triggering on-demand scans, and several other impo ## What to expect in the ATP portal -- Severity -- Scan type -- Antivirus alerts +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) - Device information: - Machine identifier - Tenant identifier @@ -505,19 +508,11 @@ Controlling product settings, triggering on-demand scans, and several other impo - Computer model - Processor architecture - Whether the device is a virtual machine -- File information: - - Hashes - - Size - - Path - - Name -- Threat information: - - Type - - State - - Name - ## Uninstallation + ### Removing Microsoft Defender ATP from Mac devices + To remove Microsoft Defender ATP from your macOS devices: - Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. From 1372d3faed690728d953a85eba6a7a9efb1eaeaa Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 10:37:07 -0400 Subject: [PATCH 11/42] refining what's new section --- .../microsoft-defender-atp-mac.md | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 1e0f483f69..52531fa8c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -27,18 +27,15 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## What’s new in the public preview -- Fully accessible -- Various bug fixes -- Improved performance -- Improved user experience -- Improved threat handling -- Localized for 37 languages -- Improved anti-tampering protections -- Feedback and samples can be submitted via the GUI. -- Product health can be queried via Jamf or the command line. -- Reduced delay for Mac devices to appear in the ATP console, following deployment. -- Admins can set their cloud preference for any location, not just those in the US. +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP include: +- Full accessibility +- Improved performance +- Localization for 37 languages +- Improved anti-tampering protections +- Feedback and samples can now be submitted via the GUI. +- Product health can be queried with JAMF or the command line. +- Admins can set their cloud preference for any location, not just for those in the US. ## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. From 12bebd56e8258562ec62b79d7bc13e2f90c26a86 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 11:01:29 -0400 Subject: [PATCH 12/42] markdown linting --- .../microsoft-defender-atp-mac.md | 221 ++++++++++-------- 1 file changed, 127 insertions(+), 94 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 52531fa8c9..17df14a9be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,8 +22,8 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. ## What’s new in the public preview @@ -38,14 +38,17 @@ We've been working hard through the private preview period, and we've heard your - Admins can set their cloud preference for any location, not just for those in the US. ## Prerequisites + You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements + Microsoft Defender ATP for Mac system requirements: + - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) -- Disk space during preview: 1GB +- Disk space during preview: 1GB After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. @@ -57,39 +60,43 @@ The following table lists the services and their associated URLs that your netwo To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -``` +```bash mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. ## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: - - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - * [JAMF based deployment](#jamf-based-deployment) - * [Manual deployment](#manual-deployment) + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + - [JAMF based deployment](#jamf-based-deployment) + - [Manual deployment](#manual-deployment) ## Microsoft Intune based deployment ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -6. From a command prompt, verify that you have the three files. +6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721688 -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil @@ -103,13 +110,14 @@ Download the installation and onboarding packages from Windows Defender Security inflating: jamf/WindowsDefenderATPOnboarding.plist mavel-macmini:Downloads test$ ``` -7. Make IntuneAppUtil an executable: + +7. Make IntuneAppUtil an executable: ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` 8. Create the wdav.pkg.intunemac package from wdav.pkg: - ``` + ```bash mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" Microsoft Intune Application Utility for Mac OS X Version: 1.0.0.0 @@ -124,6 +132,7 @@ Download the installation and onboarding packages from Windows Defender Security ``` ### Client Machine Setup + You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). 1. You'll be asked to confirm device management. @@ -143,17 +152,18 @@ You can enroll additional machines. Optionally, you can do it later, after syste ![Add Devices screenshot](images/MDATP_5_allDevices.png) ### Create System Configuration profiles -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -7. Repeat these steps with the second profile. -8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: @@ -161,16 +171,16 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ### Publish application -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) 6. Select **OK** and **Add**. - + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) 7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. @@ -187,7 +197,8 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) ### Verify client machine state -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) @@ -195,30 +206,33 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 2. Verify the three profiles listed there: ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) ## JAMF based deployment -### Prerequsites -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. +### Prerequsites + +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -5. From a command prompt, verify that you have the two files. +5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721160 -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip @@ -230,18 +244,19 @@ Download the installation and onboarding packages from Windows Defender Security inflating: intune/WindowsDefenderATPOnboarding.xml inflating: jamf/WindowsDefenderATPOnboarding.plist mavel-macmini:Downloads test$ - ``` + ``` ### Create JAMF Policies + You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. #### Configuration Profile + The configuration profile contains one custom settings payload that includes: -- Microsoft Defender ATP for Mac onboarding information +- Microsoft Defender ATP for Mac onboarding information - Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - 1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. >[!NOTE] @@ -252,15 +267,17 @@ The configuration profile contains one custom settings payload that includes: #### Approved Kernel Extension To approve the kernel extension: -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. ![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) -#### Configuration Profile's Scope +#### Configuration Profile's Scope + Configure the appropriate scope to specify the machines that will receive this configuration profile. -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. ![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) @@ -269,14 +286,16 @@ Save the **Configuration Profile**. Use the **Logs** tab to monitor deployment status for each enrolled machine. #### Package + 1. Create a package in **Settings > Computer Management > Packages**. ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) -2. Upload wdav.pkg to the Distribution Point. +2. Upload wdav.pkg to the Distribution Point. 3. In the **filename** field, enter the name of the package. For example, wdav.pkg. #### Policy + Your policy should contain a single package for Microsoft Defender. ![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) @@ -286,34 +305,38 @@ Configure the appropriate scope to specify the computers that will receive this After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. ### Client machine setup + You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. > [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. ![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) ![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) -After some time, the machine's User Approved MDM status will change to Yes. +After some time, the machine's User Approved MDM status will change to Yes. ![MDM status screenshot](images/MDATP_23_MDMStatus.png) You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. ### Deployment + Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. #### Status on server + You can monitor the deployment status in the Logs tab: - - **Pending** means that the deployment is scheduled but has not yet happened - - **Completed** means that the deployment succeeded and is no longer scheduled + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled ![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - #### Status on client machine + After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. ![Status on client screenshot](images/MDATP_25_StatusOnClient.png) @@ -324,7 +347,7 @@ After the policy is applied, you'll see the Microsoft Defender icon in the macOS You can monitor policy installation on a machine by following the JAMF's log file: -``` +```bash mavel-mojave:~ testuser$ tail -f /var/log/jamf.log Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... @@ -336,7 +359,8 @@ Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. ``` You can also check the onboarding status: -``` + +```bash mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 @@ -349,6 +373,7 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. ### Uninstalling Microsoft Defender ATP for Mac + #### Uninstalling with a script Create a script in **Settings > Computer Management > Scripts**. @@ -357,7 +382,7 @@ Create a script in **Settings > Computer Management > Scripts**. For example, this script removes Microsoft Defender ATP from the /Applications directory: -``` +```bash echo "Is WDAV installed?" ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null @@ -371,6 +396,7 @@ echo "Done!" ``` #### Uninstalling with a policy + Your policy should contain a single script: ![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) @@ -381,7 +407,7 @@ Configure the appropriate scope in the **Scope** tab to specify the machines tha You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: -``` +```bash sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` @@ -390,18 +416,20 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Manual deployment ### Download installation and onboarding packages + Download the installation and onboarding packages from Windows Defender Security Center: -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) -5. From a command prompt, verify that you have the two files. +5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - - ``` + + ```bash mavel-macmini:Downloads test$ ls -l total 721152 -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip @@ -409,9 +437,10 @@ Download the installation and onboarding packages from Windows Defender Security mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip inflating: WindowsDefenderATPOnboarding.py - ``` + ``` ### Application installation + To complete this process, you must have admin privileges on the machine. 1. Navigate to the downloaded wdav.pkg in Finder and open it. @@ -431,36 +460,38 @@ To complete this process, you must have admin privileges on the machine. ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - The installation will proceed. > [!NOTE] > If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. ### Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. The client machine is not associated with orgId. Note that the orgid is blank. - ``` + ```bash mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : ``` -2. Install the configuration file on a client machine: - ``` +2. Install the configuration file on a client machine: + + ```bash mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) ``` -3. Verify that the machine is now associated with orgId: +3. Verify that the machine is now associated with orgId: - ``` + ```bash mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 ``` + After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) @@ -490,7 +521,7 @@ Controlling product settings, triggering on-demand scans, and several other impo ## What to expect in the ATP portal - AV alerts: - - Severity + - Severity - Scan type - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) @@ -528,37 +559,39 @@ Or, from a command line: - Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. - Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. - ## Collecting diagnostic information + If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. 1) Increase logging level: -``` - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded ``` 2) Reproduce the problem 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - ``` + ```bash mavel-mojave:~ testuser$ mdatp --diagnostic Creating connection to daemon Connection established "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - + ``` + 4) Restore logging level: -``` + + ```bash mavel-mojave:~ testuser$ mdatp log-level --info Creating connection to daemon Connection established Operation succeeded -``` + ``` - ### Installation issues + If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. From 78cf0150a08587a7321277c9fe4090762cdf6a53 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 2 May 2019 14:22:37 -0400 Subject: [PATCH 13/42] updated known issues + small refinements to other owned sections --- .../microsoft-defender-atp-mac.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index a145ddc2d6..e159d86a94 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -27,7 +27,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## What’s new in the public preview -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP include: +We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: - Full accessibility - Improved performance @@ -501,7 +501,7 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## Configuring with the command line -Controlling product settings, triggering on-demand scans, and several other important tasks can be done with the following CLI commands: +Controlling product settings, triggering on-demand scans, and several other important tasks can be done from the command line with the following commands: |Group |Scenario |Command | |-------------|-------------------------------------------|-----------------------------------------------------------------------| @@ -554,12 +554,9 @@ Or, from a command line: ## Known issues -- Not localized yet. -- There might be accessibility issues. -- Not optimized for performance or disk space yet. +- Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Geo preference for telemetry traffic is not supported yet. Cloud traffic is routed to the US only. - Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. ## Collecting diagnostic information From d3d97220593b00a1c9e77bf451e98e741ca68ef8 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 13:11:09 -0400 Subject: [PATCH 14/42] added intune back into known issues --- .../windows-defender-antivirus/microsoft-defender-atp-mac.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index e159d86a94..e05ea856f0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -557,7 +557,7 @@ Or, from a command line: - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall is still being developed. As a workaround, a manual uninstall must be performed on each client device. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. ## Collecting diagnostic information From 66895adc528149860e62e31d07e425e8fc5e624d Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 15:50:26 -0400 Subject: [PATCH 15/42] created separate mdatp for mac logging page --- ...rosoft-defender-atp-mac-diagnostic-logging | 64 +++++++++++++++++++ ...oft-defender-atp-mac-diagnostic-logging.md | 0 2 files changed, 64 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging new file mode 100644 index 0000000000..d2ccd7fac2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging @@ -0,0 +1,64 @@ +--- +title: Collecting diagnostic information from Microsoft Defender ATP for Mac +description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md new file mode 100644 index 0000000000..e69de29bb2 From e66b83c15d43c5529561cd9942e01ea69b3e4649 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 15:52:37 -0400 Subject: [PATCH 16/42] removed logging section from mdatp for mac --- .../microsoft-defender-atp-mac.md | 39 +------------------ 1 file changed, 1 insertion(+), 38 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index e05ea856f0..08918bc9be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -557,41 +557,4 @@ Or, from a command line: - Not fully optimized for performance or disk space yet. - Full Windows Defender ATP integration is not available yet. - Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. - -## Collecting diagnostic information - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -### Installation issues - -If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file From f98baf2b4b9fd113299ad33c7a0aa3cb1e44ace0 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:00:01 -0400 Subject: [PATCH 17/42] added text to mdatp for mac diagnostic logging --- ...rosoft-defender-atp-mac-diagnostic-logging | 64 ------------------- ...oft-defender-atp-mac-diagnostic-logging.md | 64 +++++++++++++++++++ 2 files changed, 64 insertions(+), 64 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging deleted file mode 100644 index d2ccd7fac2..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Collecting diagnostic information from Microsoft Defender ATP for Mac -description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Collecting diagnostic information - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -## Installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md index e69de29bb2..d2ccd7fac2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md @@ -0,0 +1,64 @@ +--- +title: Collecting diagnostic information from Microsoft Defender ATP for Mac +description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +## Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file From 6a3fd9878885f1dc686aba622fa1c065ff870d05 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:26:32 -0400 Subject: [PATCH 18/42] created uninstallation for mdatp-mac page --- ...microsoft-defender-atp-mac-uninstalling.md | 66 +++++++++++++++++++ .../microsoft-defender-atp-mac.md | 43 ------------ 2 files changed, 66 insertions(+), 43 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md new file mode 100644 index 0000000000..5004b31c5b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md @@ -0,0 +1,66 @@ +--- +title: Uninstalling Microsoft Defender ATP for Mac +description: Describes how to uninstall Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: #w10 +ms.mktglfcycl: #deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Uninstalling + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. See [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) for updates on development. + +## Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +## From the command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +## With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 08918bc9be..42b5eb2508 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -375,37 +375,6 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. -### Uninstalling Microsoft Defender ATP for Mac - -#### Uninstalling with a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -#### Uninstalling with a policy - -Your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - ### Check onboarding status You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: @@ -540,18 +509,6 @@ Controlling product settings, triggering on-demand scans, and several other impo - Processor architecture - Whether the device is a virtual machine -## Uninstallation - -### Removing Microsoft Defender ATP from Mac devices - -To remove Microsoft Defender ATP from your macOS devices: - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -Or, from a command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - ## Known issues - Not fully optimized for performance or disk space yet. From 875aeade4e6f57d886733a9edb192206720ede3d Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 16:40:02 -0400 Subject: [PATCH 19/42] rm'd 2 previous pages split from mdatp-mac & collated them into resources page alongside known issues --- ...oft-defender-atp-mac-diagnostic-logging.md | 64 ---------- .../microsoft-defender-atp-mac-resources.md | 112 ++++++++++++++++++ ...microsoft-defender-atp-mac-uninstalling.md | 66 ----------- .../microsoft-defender-atp-mac.md | 9 +- 4 files changed, 113 insertions(+), 138 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md deleted file mode 100644 index d2ccd7fac2..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-diagnostic-logging.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Collecting diagnostic information from Microsoft Defender ATP for Mac -description: Describes how to collect diagnostic information from Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Collecting diagnostic information - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established - Operation succeeded - ``` - -## Installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md new file mode 100644 index 0000000000..7f2b515f99 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -0,0 +1,112 @@ +--- +title: Microsoft Defender ATP for Mac Resources +description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +## Collecting diagnostic information + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: + +```bash + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: + + ```bash + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded + ``` + +### Installation issues + +If an error occurs during installation, the installer will only report a general failure. + +The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. + +## Uninstalling + +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. + +### Within the GUI + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +### From the command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +### With a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +```bash + echo "Is WDAV installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Uninstalling WDAV..." + rm -rf '/Applications/Microsoft Defender ATP.app' + + echo "Is WDAV still installed?" + ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + + echo "Done!" +``` + +### With a JAMF policy + +If you are running JAMF, your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +## Known issues + +- Not fully optimized for performance or disk space yet. +- Full Windows Defender ATP integration is not available yet. +- Mac devices that switch networks may appear multiple times in the APT portal. +- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md deleted file mode 100644 index 5004b31c5b..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-uninstalling.md +++ /dev/null @@ -1,66 +0,0 @@ ---- -title: Uninstalling Microsoft Defender ATP for Mac -description: Describes how to uninstall Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: #w10 -ms.mktglfcycl: #deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Uninstalling - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. See [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) for updates on development. - -## Within the GUI - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -## From the command line: - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -## With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash -echo "Is WDAV installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Uninstalling WDAV..." -rm -rf '/Applications/Microsoft Defender ATP.app' - -echo "Is WDAV still installed?" -ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - -echo "Done!" -``` - -## With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 42b5eb2508..fe62a0b6a7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -507,11 +507,4 @@ Controlling product settings, triggering on-demand scans, and several other impo - OS version - Computer model - Processor architecture - - Whether the device is a virtual machine - -## Known issues - -- Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file + - Whether the device is a virtual machine \ No newline at end of file From 139958d30b4647f590ab94f33bafabf199634531 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 17:11:23 -0400 Subject: [PATCH 20/42] added seperate mdatp-mac installation pages --- ...osoft-defender-atp-mac-install-manually.md | 130 ++++++ ...ft-defender-atp-mac-install-with-intune.md | 158 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 195 ++++++++ .../microsoft-defender-atp-mac.md | 428 +----------------- 4 files changed, 495 insertions(+), 416 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md create mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md new file mode 100644 index 0000000000..4fbed04668 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -0,0 +1,130 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Manual deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +## Application installation + +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +## Client configuration + +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` + +2. Install the configuration file on a client machine: + + ```bash + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ```bash + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` + +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Configuring from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | +|Health |Check the product's health |`mdatp --health` | +|Protection |Scan a path |`mdatp scan --path [path]` | +|Protection |Do a quick scan |`mdatp scan --quick` | +|Protection |Do a full scan |`mdatp scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | +|Protection |Request a definition update |`mdatp --signature-update` | \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md new file mode 100644 index 0000000000..5cd1e22a19 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -0,0 +1,158 @@ +--- +title: Installing Microsoft Defender ATP for Mac with Microsoft Intune +description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# Microsoft Intune-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ```bash + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +## Client Machine Setup + +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +## Create System Configuration profiles + +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +6. Repeat these steps with the second profile. +7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +## Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +## Verify client machine state + +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md new file mode 100644 index 0000000000..82aaf8ffe2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -0,0 +1,195 @@ +--- +title: Installing Microsoft Defender ATP for Mac with JAMF +description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +search.product: eADQiWindows 10XVcnh +search.appverid: #met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-maave +author: martyav +ms.localizationpriority: #medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: #conceptual +--- + +# JAMF-based deployment + +**Applies to:** + +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) + +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +## Prerequsites + +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + +## Download installation and onboarding packages + +Download the installation and onboarding packages from Windows Defender Security Center: + +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ```bash + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +## Create JAMF Policies + +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +### Configuration Profile + +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +### Approved Kernel Extension + +To approve the kernel extension: + +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope + +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +### Package + +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +### Policy + +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +## Client machine setup + +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +## Deployment + +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +### Status on server + +You can monitor the deployment status in the Logs tab: + +- **Pending** means that the deployment is scheduled but has not yet happened +- **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + +### Status on client machine + +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +```bash +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: + +```bash +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +## Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +```bash +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index fe62a0b6a7..3eb0b476e4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -37,7 +37,18 @@ We've been working hard through the private preview period, and we've heard your - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. -## Prerequisites +## Installing and configuring + +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + +- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal +- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + - [Microsoft Intune-based deployment](separate-page-url) + - [JAMF-based deployment](seperate-page-url) + - [Manual deployment](seperate-page-url) + +### Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. @@ -71,424 +82,9 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Installation and configuration overview -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune based deployment](#microsoft-intune-based-deployment) - - [JAMF based deployment](#jamf-based-deployment) - - [Manual deployment](#manual-deployment) -## Microsoft Intune based deployment - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ```bash - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -### Client Machine Setup - -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -### Create System Configuration profiles - -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -### Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -### Verify client machine state - -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## JAMF based deployment - -### Prerequsites - -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -### Create JAMF Policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -#### Configuration Profile - -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -#### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -#### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -#### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -### Client machine setup - -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -### Deployment - -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -#### Status on server - -You can monitor the deployment status in the Logs tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -#### Status on client machine - -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -```bash -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -### Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Manual deployment - -### Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -### Application installation - -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -### Client configuration - -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` - -2. Install the configuration file on a client machine: - - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` - -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Configuring with the command line - -Controlling product settings, triggering on-demand scans, and several other important tasks can be done from the command line with the following commands: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | ## What to expect in the ATP portal From 8b9f0da22d48315f1cddffdc025b92e2a8805288 Mon Sep 17 00:00:00 2001 From: martyav Date: Fri, 3 May 2019 17:17:28 -0400 Subject: [PATCH 21/42] moved what to expect from mdatp-mac to mdatp-mac resources --- .../microsoft-defender-atp-mac-resources.md | 19 +++++++++++++ .../microsoft-defender-atp-mac.md | 27 ++----------------- 2 files changed, 21 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 7f2b515f99..4de5bdb96c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -104,6 +104,25 @@ If you are running JAMF, your policy should contain a single script: Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. +## What to expect in the ATP portal + +- AV alerts: + - Severity + - Scan type + - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - File information (name, path, size, and hash) + - Threat information (name, type, and state) +- Device information: + - Machine identifier + - Tenant identifier + - App version + - Hostname + - OS type + - OS version + - Computer model + - Processor architecture + - Whether the device is a virtual machine + ## Known issues - Not fully optimized for performance or disk space yet. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 3eb0b476e4..5132b03e9b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -37,7 +37,7 @@ We've been working hard through the private preview period, and we've heard your - Product health can be queried with JAMF or the command line. - Admins can set their cloud preference for any location, not just for those in the US. -## Installing and configuring +## Installing and configuring There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. In general you'll need to take the following steps: @@ -80,27 +80,4 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. - - - - - -## What to expect in the ATP portal - -- AV alerts: - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) -- Device information: - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine \ No newline at end of file +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. \ No newline at end of file From d021bb36b9833a9a9fc59259cbf5a43ce385b958 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 5 May 2019 22:13:12 +0200 Subject: [PATCH 22/42] Delivery Optimization settings: copy-paste error The description content of this line has inadvertently been copy-pasted from the next line and therefore contains a wrong keyword: background Correction: background -> foreground Updates issue ticket #3416 (**Cut and paste error in the article**) --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 582639b74e..57bdd0311c 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -79,7 +79,7 @@ Additional options available that control the impact Delivery Optimization has o - [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. -- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. +- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. - [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. From 021a00f05bc8004caa3637638f9f082abec460e5 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 5 May 2019 23:23:24 +0200 Subject: [PATCH 23/42] Reboot CSP: sentence end closing HTML tag restored Excerpt from the docs.microsoft.com page before restoring the HTML tag: > The supported operations are Execute and Get. **Schedule** Ref. closed issue ticket #3471 (**How to set null**) --- windows/client-management/mdm/reboot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 77dea602cf..f5d0d53a0f 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -30,7 +30,7 @@ The following diagram shows the Reboot configuration service provider management > [!Note]   > If this node is set to execute during a sync session, the device will reboot at the end of the sync session. -

The supported operations are Execute and Get. +

The supported operations are Execute and Get.

**Schedule**

The supported operation is Get.

From 81c924a15f51467a0816b9b0e974c0af8087fceb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 15:38:54 +0500 Subject: [PATCH 24/42] update waas-restart.md --- windows/deployment/update/waas-restart.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 13c1dce96d..fb98782087 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,6 +42,9 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. +>[!NOTE] +>In case of using Remote Desktop connection, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. + You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart). @@ -159,8 +162,9 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. -> >If you set conflicting restart policies, the actual restart behavior may not be what you expected. +>In case of using RDP, only active RDP sessions are considered as logged on users. + ## Registry keys used to manage restart The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10. From 4545c71e37eb683049c2c256523a5b425876fe22 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 15:44:44 +0500 Subject: [PATCH 25/42] update waas-restart.md --- windows/deployment/update/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index fb98782087..6d11b20ee9 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -43,7 +43,7 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. >[!NOTE] ->In case of using Remote Desktop connection, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. +>In case of using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. From 0b8a2c84a141eee6516ae775782e75760e44de38 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 May 2019 10:52:59 -0400 Subject: [PATCH 26/42] cross links within mdatp-mac pages --- ...osoft-defender-atp-mac-install-manually.md | 17 ++++++++++++++++- ...ft-defender-atp-mac-install-with-intune.md | 19 +++++++++++++++++-- ...soft-defender-atp-mac-install-with-jamf.md | 19 ++++++++++++++++--- .../microsoft-defender-atp-mac-resources.md | 13 +++++++++---- .../microsoft-defender-atp-mac.md | 12 ++++++++---- 5 files changed, 66 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 4fbed04668..27b3a8f924 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -26,6 +26,13 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: @@ -127,4 +134,12 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Do a quick scan |`mdatp scan --quick` | |Protection |Do a full scan |`mdatp scan --full` | |Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | \ No newline at end of file +|Protection |Request a definition update |`mdatp --signature-update` | + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 5cd1e22a19..8af90fded1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -22,10 +22,17 @@ ms.topic: #conceptual **Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) - + >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + ## Download installation and onboarding packages Download the installation and onboarding packages from Windows Defender Security Center: @@ -155,4 +162,12 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t 4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. 5. You should also see the Microsoft Defender icon in the top-right corner: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) \ No newline at end of file + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 82aaf8ffe2..8837b3bcc5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -26,9 +26,14 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -## Prerequsites +This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. -You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. +## Prerequisites and system requirements + +Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. + +In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. ## Download installation and onboarding packages @@ -192,4 +197,12 @@ You can check that machines are correctly onboarded by creating a script. For ex sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. \ No newline at end of file +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Logging installation issues + +See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. + +## Uninstallation + +See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 4de5bdb96c..09a4dcceae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: #conceptual --- -## Collecting diagnostic information +# Resources **Applies to:** @@ -26,6 +26,11 @@ ms.topic: #conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. + +## Collecting diagnostic information + If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. 1) Increase logging level: @@ -57,7 +62,7 @@ If you can reproduce a problem, please increase the logging level, run the syste Operation succeeded ``` -### Installation issues +## Logging installation issues If an error occurs during installation, the installer will only report a general failure. @@ -65,13 +70,13 @@ The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If y ## Uninstalling -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available for JAMF, it is not yet available for Intune. +There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. ### Within the GUI - Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. -### From the command line: +### From the command line - ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 5132b03e9b..af6205c2ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -44,9 +44,9 @@ In general you'll need to take the following steps: - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](separate-page-url) - - [JAMF-based deployment](seperate-page-url) - - [Manual deployment](seperate-page-url) + - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) + - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) + - [Manual deployment](microsoft-defender-atp-mac-install-manually) ### Prerequisites @@ -80,4 +80,8 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap ``` We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. -SIP is a built-in macOS security feature that prevents low-level tampering with the OS. \ No newline at end of file +SIP is a built-in macOS security feature that prevents low-level tampering with the OS. + +## Resources + +For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file From 42695d0f6c9c8160c0f7a2d5a0305d457a0d98a1 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 23:34:21 +0500 Subject: [PATCH 27/42] update waas-restart.md --- windows/deployment/update/waas-restart.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index 6d11b20ee9..e7e1866acc 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -42,8 +42,8 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours. - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. ->[!NOTE] ->In case of using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users or active RDP sessions, will be restarted. +> [!NOTE] +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users, or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. @@ -163,7 +163,7 @@ In the Group Policy editor, you will see a number of policy settings that pertai >[!NOTE] >You can only choose one path for restart behavior. >If you set conflicting restart policies, the actual restart behavior may not be what you expected. ->In case of using RDP, only active RDP sessions are considered as logged on users. +>When using RDP, only active RDP sessions are considered as logged on users. ## Registry keys used to manage restart From 3f848033697c90f18b6efc4065e5c5fc76126284 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 6 May 2019 23:36:43 +0500 Subject: [PATCH 28/42] update waas-restart.md --- windows/deployment/update/waas-restart.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index e7e1866acc..ee8f3c4fde 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -43,7 +43,7 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable - **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**. > [!NOTE] -> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices, that do not have locally logged on users, or active RDP sessions, will be restarted. +> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted. You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting. From 7d5154f5375c15ad8daa97fad59e6e2bd2f0f4cb Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 6 May 2019 22:10:39 +0200 Subject: [PATCH 29/42] Update increase-scheduling-priority.md Fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3156 --- .../increase-scheduling-priority.md | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 7cd6b91162..565e032adb 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,26 +38,11 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Allow the default value, Administrators and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value and allow Administrators, and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment - -### Default values - -By default this setting is Administrators on domain controllers and on stand-alone servers. - -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. - -| Server type or GPO | Default value | -| - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy| Not defined| -| Stand-Alone Server Default Settings | Administrators and Window Manager/Window Manager Group| -| Domain Controller Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Member Server Effective Default Settings | Administrators and Window Manager/Window Manager Group| -| Client Computer Effective Default Settings | Administrators and Window Manager/Window Manager Group|   ## Policy management @@ -97,3 +82,4 @@ None. Restricting the **Increase scheduling priority** user right to members of ## Related topics - [User Rights Assignment](user-rights-assignment.md) +- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11)) From 3c65e9363bfae0eba476a72fd8f0b48d98b36fd3 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 00:17:21 +0200 Subject: [PATCH 30/42] Update upgrade-readiness-data-sharing.md Typo and format fixes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3523 --- .../deployment/upgrade/upgrade-readiness-data-sharing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 3eff878d63..b7b51ae981 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -29,10 +29,10 @@ In order to use the direct connection scenario, set the parameter **ClientProxy= This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. In order to set the WinHTTP proxy system-wide on your computers, you need to -•Use the command netsh winhttp set proxy \:\ -•Set ClientProxy=System in runconfig.bat +- Use the command netsh winhttp set proxy \:\ +- Set ClientProxy=System in runconfig.bat -The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3. +The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3. If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). From 113fbb13600b75d42459155e378d5d6c8ef52730 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 6 May 2019 18:45:02 -0400 Subject: [PATCH 31/42] added links to see also section of trusted-platform-module-overview.md --- .../tpm/trusted-platform-module-overview.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 3f858bbcb9..fc03050770 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -87,5 +87,12 @@ Some things that you can check on the device are: ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Details on the TPM standard](https://www.microsoft.com/en-us/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) +- [TPM Base Services Portal](https://docs.microsoft.com/en-us/windows/desktop/TBS/tpm-base-services-portal) +- [TPM Base Services API](https://docs.microsoft.com/en-us/windows/desktop/api/_tbs/) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/en-us/blog/device-provisioning-identity-attestation-with-tpm/) +- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/en-us/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) +- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) +- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) \ No newline at end of file From e656ed40b56379912671eb3fdcd7e9527da41c69 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 6 May 2019 16:03:07 -0700 Subject: [PATCH 32/42] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 272c13081f..9e11ba030f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -22,7 +22,7 @@ ms.date: 04/02/2019 Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019. -To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the M365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. +To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subsciption, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment. Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including: From ec38b89126d53bf0b4fdbad6e044ce40bd6aab5c Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:02:08 +0200 Subject: [PATCH 33/42] Update hello-hybrid-cert-trust-prereqs.md Typos --- .../hello-hybrid-cert-trust-prereqs.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 6b4a465a9c..3dd1963a94 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -27,10 +27,10 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infrastructure) +* [Public Key Infrastructure](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authentication](#multifactor-authentication) +* [Multifactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment use the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. @@ -96,7 +96,7 @@ The AD FS farm used with Windows Hello for Business must be Windows Server 2016 ## Multifactor Authentication ## Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service, or they can use multifactor authentication provides by Windows Server 2016 Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. ### Section Review > [!div class="checklist"] @@ -119,7 +119,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen
### Next Steps ### -Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. +Follow the Windows Hello for Business hybrid certificate trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. If your environment is already federated, but does not include Azure device registration, choose **Configure Azure Device Registration**. From 7b1ac59f12a73df162c08bb0e3c6e1af1df07a8a Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:42:18 +0200 Subject: [PATCH 34/42] Update hello-hybrid-cert-whfb-provision.md Typos lines 58, 62, 68, 76, 80 --- .../hello-hybrid-cert-whfb-provision.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index e295b98d48..22b4bd30cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -18,7 +18,7 @@ ms.date: 08/19/2018 # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows 10, version 1703 or later +- Windows 10, version 1703 or later - Hybrid deployment - Certificate trust @@ -55,17 +55,17 @@ The remainder of the provisioning includes Windows Hello for Business requesting > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. -> **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. +> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. > Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completing the provisioning. The update needs to be installed on the federation servers. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. -The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user they can use their PIN to sign-in through the Windows Action Center. +The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.

@@ -73,9 +73,9 @@ The certificate authority validates the certificate was signed by the registrati ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings-policy.md) -6. Sign-in and Provision(*You are here*) +6. Sign-in and Provision (*You are here*) From 34e23be6411b087eff0daafbf4471b214d7358c0 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 7 May 2019 06:57:54 +0200 Subject: [PATCH 35/42] Update hello-hybrid-aadj-sso-base.md Typos lines 144, 283, 286 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index bf17a84426..84d389751b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -141,7 +141,7 @@ These procedures configure NTFS and share permissions on the web server to allow 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. -3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**. +3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**. ![cdp sharing](images/aadj/cdp-sharing.png) 4. In the **Permissions for cdp$** dialog box, click **Add**. 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**. @@ -280,10 +280,10 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**. 2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**. ![Intune Create Profile](images/aadj/intune-create-device-config-profile.png) -3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. +3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**. 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**. ![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png) -5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. +5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**. ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png) 6. Sign out of the Microsoft Azure Portal. From be33f0358941dc5cc8c4c9edc3cbeb3ceaee8e3c Mon Sep 17 00:00:00 2001 From: Russ Rimmerman Date: Tue, 7 May 2019 08:28:11 -0500 Subject: [PATCH 36/42] Update hello-faq.md Typo --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 1dabe3c95d..d44e767bc5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -15,7 +15,7 @@ ms.topic: article localizationpriority: medium ms.date: 08/19/2018 --- -# Windows Hello for Business Frequently Ask Questions +# Windows Hello for Business Frequently Asked Questions **Applies to** - Windows 10 From a4025fa754257dd9793a122d3f19697b39a7ea35 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 10:28:24 -0700 Subject: [PATCH 37/42] Update create-wip-policy-using-intune-azure.md --- .../create-wip-policy-using-intune-azure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 2a82682a3c..4932416954 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -39,7 +39,7 @@ You can create an app protection policy in Intune either with device enrollment ## Prerequisites -Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Configure the MDM or MAM provider From 1cbc48ce3444e7ed38e926108e20f3e8c81a602c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 7 May 2019 14:06:31 -0700 Subject: [PATCH 38/42] Update increase-scheduling-priority.md --- .../security-policy-settings/increase-scheduling-priority.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 565e032adb..95a0914890 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -38,7 +38,7 @@ Constant: SeIncreaseBasePriorityPrivilege ### Best practices -- Retain the default value and allow Administrators, and Window Manager/Window Manager Group, as the only accounts responsible for controlling process scheduling priorities. +- Retain the default value as the only accounts responsible for controlling process scheduling priorities. ### Location From ed83d70393fdc9d3e570091713b9114eddcaf58b Mon Sep 17 00:00:00 2001 From: Max Velitchko Date: Tue, 7 May 2019 17:47:12 -0700 Subject: [PATCH 39/42] Fix mdatp parameters --- ...osoft-defender-atp-mac-install-manually.md | 34 +++++------------- ...ft-defender-atp-mac-install-with-intune.md | 12 +++++++ ...soft-defender-atp-mac-install-with-jamf.md | 12 +++++++ .../microsoft-defender-atp-mac-resources.md | 35 ++++++++++++++----- 4 files changed, 58 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 27b3a8f924..82e53c1ff4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -114,32 +114,14 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) -## Configuring from the command line +## Test alert -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp config --rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp config --cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp config --diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp config --sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp threat --type-handling --potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp threat --type-handling --potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp threat --type-handling --potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp log-level --[error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic` | -|Health |Check the product's health |`mdatp --health` | -|Protection |Scan a path |`mdatp scan --path [path]` | -|Protection |Do a quick scan |`mdatp scan --quick` | -|Protection |Do a full scan |`mdatp scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp scan --cancel` | -|Protection |Request a definition update |`mdatp --signature-update` | +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file +Soon after that you'll get an alert in the ATP Portal. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 8af90fded1..6cfc85694d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -164,6 +164,18 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +## Test alert + +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` + +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. + +Soon after that you'll get an alert in the ATP Portal. + ## Logging installation issues See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 8837b3bcc5..b2df2ab85f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -199,6 +199,18 @@ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. +## Test alert + +Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. + + ```bash + curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt + ``` + +You will get a "Threats found" notification, you can inspect threat's details in the Protection history. + +Soon after that you'll get an alert in the ATP Portal. + ## Logging installation issues See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 09a4dcceae..03532ddfb4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -36,9 +36,7 @@ If you can reproduce a problem, please increase the logging level, run the syste 1) Increase logging level: ```bash - mavel-mojave:~ testuser$ mdatp log-level --verbose - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --log-level verbose Operation succeeded ``` @@ -47,21 +45,40 @@ If you can reproduce a problem, please increase the logging level, run the syste 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --diagnostic --create "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" ``` 4) Restore logging level: ```bash - mavel-mojave:~ testuser$ mdatp log-level --info - Creating connection to daemon - Connection established + mavel-mojave:~ testuser$ mdatp --log-level info Operation succeeded ``` +## Managing from the command line + +Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: + +|Group |Scenario |Command | +|-------------|-------------------------------------------|-----------------------------------------------------------------------| +|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` | +|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` | +|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` | +|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` | +|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| +|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | +|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| +|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | +|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | +|Health |Check the product's health |`mdatp --health` | +|Health |Prints a single health metric |`mdatp --health [metric]` | +|Protection |Scan a path |`mdatp --scan --path [path]` | +|Protection |Do a quick scan |`mdatp --scan --quick` | +|Protection |Do a full scan |`mdatp --scan --full` | +|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | +|Protection |Request a definition update |`mdatp --definition-update` | + ## Logging installation issues If an error occurs during installation, the installer will only report a general failure. From 2f92dc55cc0bf116fca0988f97d95662a06d7a74 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 8 May 2019 10:07:40 -0400 Subject: [PATCH 40/42] spacing, typo removal --- ...osoft-defender-atp-mac-install-manually.md | 4 +-- ...ft-defender-atp-mac-install-with-intune.md | 8 ++--- ...soft-defender-atp-mac-install-with-jamf.md | 36 +++++++++---------- .../microsoft-defender-atp-mac-resources.md | 22 ++++++------ .../microsoft-defender-atp-mac.md | 4 +-- 5 files changed, 37 insertions(+), 37 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 82e53c1ff4..9b90ab16b4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 6cfc85694d..b145ab592c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -47,7 +47,7 @@ Download the installation and onboarding packages from Windows Defender Security 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721688 @@ -167,7 +167,7 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t ## Test alert Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - + ```bash curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index b2df2ab85f..a66f836f20 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -31,7 +31,7 @@ Microsoft Defender ATP for Mac is not yet widely available, and this topic only ## Prerequisites and system requirements -Before you get started, please see [the main Microsoft Defender ATP for Mac page]((microsoft-defender-atp.md)) for a description of prerequisites and system requirements for the current software version. +Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. @@ -48,7 +48,7 @@ Download the installation and onboarding packages from Windows Defender Security 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: - + ```bash mavel-macmini:Downloads test$ ls -l total 721160 @@ -165,24 +165,24 @@ After the policy is applied, you'll see the Microsoft Defender icon in the macOS You can monitor policy installation on a machine by following the JAMF's log file: ```bash -mavel-mojave:~ testuser$ tail -f /var/log/jamf.log -Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. -Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... -Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV -Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... -Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. + mavel-mojave:~ testuser$ tail -f /var/log/jamf.log + Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. + Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... + Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV + Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... + Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. ``` You can also check the onboarding status: ```bash -mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py -uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 -orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 + orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 ``` - **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. @@ -194,7 +194,7 @@ orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: ```bash -sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' + sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' ``` This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. @@ -202,7 +202,7 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D ## Test alert Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - + ```bash curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt ``` diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md index 03532ddfb4..8967cf9879 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md @@ -21,7 +21,7 @@ ms.topic: #conceptual **Applies to:** -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](https://go.microsoft.com/fwlink/p/?linkid=???To-Add???) +[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -36,25 +36,25 @@ If you can reproduce a problem, please increase the logging level, run the syste 1) Increase logging level: ```bash - mavel-mojave:~ testuser$ mdatp --log-level verbose - Operation succeeded + mavel-mojave:~ testuser$ mdatp --log-level verbose + Operation succeeded ``` 2) Reproduce the problem 3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic --create - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` + ```bash + mavel-mojave:~ testuser$ mdatp --diagnostic --create + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` 4) Restore logging level: - ```bash - mavel-mojave:~ testuser$ mdatp --log-level info - Operation succeeded - ``` + ```bash + mavel-mojave:~ testuser$ mdatp --log-level info + Operation succeeded + ``` ## Managing from the command line diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index af6205c2ca..b22d38d977 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -69,7 +69,7 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:| --------------------------------------------------------------------:| +| -------------- |:------------------------------------:|:--------------------------------------------------------------------:| | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: @@ -79,7 +79,7 @@ To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/ap OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. ## Resources From 3bb30fe435131c2553ee9b848f5e4f27ad1226f4 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 8 May 2019 09:23:19 -0700 Subject: [PATCH 41/42] Revert "WIP - update microsoft-defender-atp-mac.md" --- ...osoft-defender-atp-mac-install-manually.md | 127 ----- ...ft-defender-atp-mac-install-with-intune.md | 185 ------- ...soft-defender-atp-mac-install-with-jamf.md | 220 -------- .../microsoft-defender-atp-mac-resources.md | 153 ------ .../microsoft-defender-atp-mac.md | 489 ++++++++++++++++-- 5 files changed, 456 insertions(+), 718 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md delete mode 100644 windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md deleted file mode 100644 index 9b90ab16b4..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ /dev/null @@ -1,127 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Manual deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py - ``` - -## Application installation - -To complete this process, you must have admin privileges on the machine. - -1. Navigate to the downloaded wdav.pkg in Finder and open it. - - ![App install screenshot](images/MDATP_28_AppInstall.png) - -2. Select **Continue**, agree with the License terms, and enter the password when prompted. - - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) - - > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - - ![App install screenshot](images/MDATP_30_SystemExtension.png) - -3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) - -The installation will proceed. - -> [!NOTE] -> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. - -## Client configuration - -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. - - The client machine is not associated with orgId. Note that the orgid is blank. - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : - ``` - -2. Install the configuration file on a client machine: - - ```bash - mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py - Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) - ``` - -3. Verify that the machine is now associated with orgId: - - ```bash - mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 - ``` - -After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md deleted file mode 100644 index b145ab592c..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ /dev/null @@ -1,185 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with Microsoft Intune -description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Microsoft Intune-based deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. -5. Download IntuneAppUtil from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos). - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -6. From a command prompt, verify that you have the three files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721688 - -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -7. Make IntuneAppUtil an executable: - - ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` - -8. Create the wdav.pkg.intunemac package from wdav.pkg: - - ```bash - mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" - Microsoft Intune Application Utility for Mac OS X - Version: 1.0.0.0 - Copyright 2018 Microsoft Corporation - - Creating intunemac file for /Users/test/Downloads/wdav.pkg - Composing the intunemac file output - Output written to ./wdav.pkg.intunemac. - - IntuneAppUtil successfully processed "wdav.pkg", - to deploy refer to the product documentation. - ``` - -## Client Machine Setup - -You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). - -1. You'll be asked to confirm device management. - -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) - -Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: - -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) - -2. Select the **Continue** button and complete the enrollment. - -You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. - -3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: - -![Add Devices screenshot](images/MDATP_5_allDevices.png) - -## Create System Configuration profiles - -1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. -2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. -3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. -4. Select **OK**. - - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) - -5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. -6. Repeat these steps with the second profile. -7. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. -8. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. - -After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: - -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) - -## Publish application - -1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. -2. Select **App type=Other/Line-of-business app**. -3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. -4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. - - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) - -6. Select **OK** and **Add**. - - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) - -7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. - - ![Client apps screenshot](images/MDATP_10_ClientApps.png) - -8. Change **Assignment type=Required**. -9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) - -10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: - - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) - -## Verify client machine state - -1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. - - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) - -2. Verify the three profiles listed there: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) - -3. The **Management Profile** should be the Intune system profile. -4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. -5. You should also see the Microsoft Defender icon in the top-right corner: - - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md deleted file mode 100644 index a66f836f20..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ /dev/null @@ -1,220 +0,0 @@ ---- -title: Installing Microsoft Defender ATP for Mac with JAMF -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# JAMF-based deployment - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to install Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Prerequisites and system requirements - -Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp.md) for a description of prerequisites and system requirements for the current software version. - -In addition, for JAMF deployment, you need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes having a properly configured distribution point. JAMF has many ways to complete the same task. These instructions provide an example for most common processes. Your organization might use a different workflow. - -## Download installation and onboarding packages - -Download the installation and onboarding packages from Windows Defender Security Center: - -1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - - ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) - -5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - mavel-macmini:Downloads test$ ls -l - total 721160 - -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators - inflating: intune/kext.xml - inflating: intune/WindowsDefenderATPOnboarding.xml - inflating: jamf/WindowsDefenderATPOnboarding.plist - mavel-macmini:Downloads test$ - ``` - -## Create JAMF Policies - -You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. - -### Configuration Profile - -The configuration profile contains one custom settings payload that includes: - -- Microsoft Defender ATP for Mac onboarding information -- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run - -1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. - - >[!NOTE] - > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. - - ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) - -### Approved Kernel Extension - -To approve the kernel extension: - -1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. -2. Use **UBF8T346G9** for Team Id. - -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) - -#### Configuration Profile's Scope - -Configure the appropriate scope to specify the machines that will receive this configuration profile. - -Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. - -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) - -Save the **Configuration Profile**. - -Use the **Logs** tab to monitor deployment status for each enrolled machine. - -### Package - -1. Create a package in **Settings > Computer Management > Packages**. - - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) - -2. Upload wdav.pkg to the Distribution Point. -3. In the **filename** field, enter the name of the package. For example, wdav.pkg. - -### Policy - -Your policy should contain a single package for Microsoft Defender. - -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) - -Configure the appropriate scope to specify the computers that will receive this policy. - -After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. - -## Client machine setup - -You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. - -> [!NOTE] -> After a computer is enrolled, it will show up in the Computers inventory (All Computers). - -1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. - -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) - -After some time, the machine's User Approved MDM status will change to Yes. - -![MDM status screenshot](images/MDATP_23_MDMStatus.png) - -You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. - -## Deployment - -Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. - -### Status on server - -You can monitor the deployment status in the Logs tab: - -- **Pending** means that the deployment is scheduled but has not yet happened -- **Completed** means that the deployment succeeded and is no longer scheduled - -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) - -### Status on client machine - -After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. - -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) - -After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) - -You can monitor policy installation on a machine by following the JAMF's log file: - -```bash - mavel-mojave:~ testuser$ tail -f /var/log/jamf.log - Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. - Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... - Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV - Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... - Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. -``` - -You can also check the onboarding status: - -```bash - mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py - uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 - orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 - orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 -``` - -- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. - -- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. - -## Check onboarding status - -You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: - -```bash - sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' -``` - -This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. - -## Test alert - -Run in Terminal the following command. It will download [a harmless file](https://en.wikipedia.org/wiki/EICAR_test_file) which will trigger a test detection. - - ```bash - curl -o ~/Downloads/eicar.com.txt http://www.eicar.org/download/eicar.com.txt - ``` - -You will get a "Threats found" notification, you can inspect threat's details in the Protection history. - -Soon after that you'll get an alert in the ATP Portal. - -## Logging installation issues - -See [Logging installation issues](microsoft-defender-atp-mac-resources#Logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. - -## Uninstallation - -See [Uninstalling](microsoft-defender-atp-mac-resources#Uninstalling) for details on how to remove Windows Defender ATP for Mac from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md deleted file mode 100644 index 8967cf9879..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md +++ /dev/null @@ -1,153 +0,0 @@ ---- -title: Microsoft Defender ATP for Mac Resources -description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, and known issues with the product. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra -search.product: eADQiWindows 10XVcnh -search.appverid: #met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-maave -author: martyav -ms.localizationpriority: #medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: #conceptual ---- - -# Resources - -**Applies to:** - -[Windows Defender Advanced Threat Protection (Windows Defender ATP) for Mac](microsoft-defender-atp.md) - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -This topic describes how to use, and details about, Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## Collecting diagnostic information - -If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. - -1) Increase logging level: - -```bash - mavel-mojave:~ testuser$ mdatp --log-level verbose - Operation succeeded -``` - -2) Reproduce the problem - -3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. - - ```bash - mavel-mojave:~ testuser$ mdatp --diagnostic --create - "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" - ``` - -4) Restore logging level: - - ```bash - mavel-mojave:~ testuser$ mdatp --log-level info - Operation succeeded - ``` - -## Managing from the command line - -Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line: - -|Group |Scenario |Command | -|-------------|-------------------------------------------|-----------------------------------------------------------------------| -|Configuration|Turn on/off real-time protection |`mdatp --config rtp [true/false]` | -|Configuration|Turn on/off cloud protection |`mdatp --config cloud [true/false]` | -|Configuration|Turn on/off product diagnostics |`mdatp --config diagnostic [true/false]` | -|Configuration|Turn on/off automatic sample submission |`mdatp --config sample-submission [true/false]` | -|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`| -|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` | -|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`| -|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` | -|Health |Check the product's health |`mdatp --health` | -|Health |Prints a single health metric |`mdatp --health [metric]` | -|Protection |Scan a path |`mdatp --scan --path [path]` | -|Protection |Do a quick scan |`mdatp --scan --quick` | -|Protection |Do a full scan |`mdatp --scan --full` | -|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | -|Protection |Request a definition update |`mdatp --definition-update` | - -## Logging installation issues - -If an error occurs during installation, the installer will only report a general failure. - -The detailed log will be saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. - -## Uninstalling - -There are several ways to uninstall Microsoft Defender ATP for Mac. Please note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. - -### Within the GUI - -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. - -### From the command line - -- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` - -### With a script - -Create a script in **Settings > Computer Management > Scripts**. - -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) - -For example, this script removes Microsoft Defender ATP from the /Applications directory: - -```bash - echo "Is WDAV installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Uninstalling WDAV..." - rm -rf '/Applications/Microsoft Defender ATP.app' - - echo "Is WDAV still installed?" - ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null - - echo "Done!" -``` - -### With a JAMF policy - -If you are running JAMF, your policy should contain a single script: - -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) - -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. - -## What to expect in the ATP portal - -- AV alerts: - - Severity - - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - - File information (name, path, size, and hash) - - Threat information (name, type, and state) -- Device information: - - Machine identifier - - Tenant identifier - - App version - - Hostname - - OS type - - OS version - - Computer model - - Processor architecture - - Whether the device is a virtual machine - -## Known issues - -- Not fully optimized for performance or disk space yet. -- Full Windows Defender ATP integration is not available yet. -- Mac devices that switch networks may appear multiple times in the APT portal. -- Centrally managed uninstall via Intune is still in development. As an alternative, manually uninstall Microsoft Defender ATP for Mac from each client device. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index b22d38d977..cccde77573 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md @@ -22,40 +22,15 @@ ms.topic: conceptual >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. -Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. - -## What’s new in the public preview - -We've been working hard through the private preview period, and we've heard your concerns. We've reduced the delay for when new Mac devices appear in the ATP console after they've been deployed. We've improved threat handling, and enhanced the user experience. We've also made numerous bug fixes. Other updates to Microsoft Defender ATP for Mac include: - -- Full accessibility -- Improved performance -- Localization for 37 languages -- Improved anti-tampering protections -- Feedback and samples can now be submitted via the GUI. -- Product health can be queried with JAMF or the command line. -- Admins can set their cloud preference for any location, not just for those in the US. - -## Installing and configuring - -There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. -In general you'll need to take the following steps: - -- Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf) - - [Manual deployment](microsoft-defender-atp-mac-install-manually) - -### Prerequisites +This topic describes how to install and use Microsoft Defender ATP for Mac. It supports the preview program and the information here is subject to change. +Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. +## Prerequisites You should have beginner-level experience in macOS and BASH scripting. You must have administrative privileges on the machine. You should also have access to Windows Defender Security Center. ### System Requirements - - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) - Disk space during preview: 1GB @@ -69,19 +44,467 @@ After you've enabled the service, you may need to configure your network or fire The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: | Service | Description | URL | -| -------------- |:------------------------------------:|:--------------------------------------------------------------------:| +| -------------- |:------------------------------------:| --------------------------------------------------------------------:| | ATP | Advanced threat protection service | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` | To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal: -```bash +``` mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report' OK ``` -We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection) enabled (default setting) on client machines. +We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS. -## Resources +## Installation and configuration overview +There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. +In general you'll need to take the following steps: + - Ensure you have a Windows Defender ATP subscription and have access to the Windows Defender ATP Portal + - Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: + * [Microsoft Intune based deployment](#microsoft-intune-based-deployment) + * [JAMF based deployment](#jamf-based-deployment) + * [Manual deployment](#manual-deployment) -For further information on logging, uninstalling, the ATP portal, or known issues, see our [Resources](microsoft-defender-atp-mac-resources) page. \ No newline at end of file +## Microsoft Intune based deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. +5. Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +6. From a command prompt, verify that you have the three files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721688 + -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` +7. Make IntuneAppUtil an executable: + + ```mavel-macmini:Downloads test$ chmod +x IntuneAppUtil``` + +8. Create the wdav.pkg.intunemac package from wdav.pkg: + + ``` + mavel-macmini:Downloads test$ ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0" + Microsoft Intune Application Utility for Mac OS X + Version: 1.0.0.0 + Copyright 2018 Microsoft Corporation + + Creating intunemac file for /Users/test/Downloads/wdav.pkg + Composing the intunemac file output + Output written to ./wdav.pkg.intunemac. + + IntuneAppUtil successfully processed "wdav.pkg", + to deploy refer to the product documentation. + ``` + +### Client Machine Setup +You need no special provisioning for a Mac machine beyond a standard [Company Portal installation](https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp). + +1. You'll be asked to confirm device management. + +![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) + +Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**: + +![Management profile screenshot](images/MDATP_4_ManagementProfile.png) + +2. Select the **Continue** button and complete the enrollment. + +You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned. + +3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine: + +![Add Devices screenshot](images/MDATP_5_allDevices.png) + +### Create System Configuration profiles +1. In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**. +2. Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**. +3. Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above. +4. Select **OK**. + + ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + +5. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. +7. Repeat these steps with the second profile. +8. Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. +9. Select **Manage > Assignments**. In the Include tab, select **Assign to All Users & All devices**. + +After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade: + +![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) + +### Publish application + +1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**. +2. Select **App type=Other/Line-of-business app**. +3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. +4. Select **Configure** and add the required information. +5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value. + + ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + +6. Select **OK** and **Add**. + + ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + +7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**. + + ![Client apps screenshot](images/MDATP_10_ClientApps.png) + +8. Change **Assignment type=Required**. +9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. + + ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + +10. After some time the application will be published to all enrolled machines. You'll see it on the **Monitor > Device** install status blade: + + ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + +### Verify client machine state +1. After the configuration profiles are deployed to your machines, on your Mac device, open **System Preferences > Profiles**. + + ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) + ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + +2. Verify the three profiles listed there: + ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + +3. The **Management Profile** should be the Intune system profile. +4. wdav-config and wdav-kext are system configuration profiles that we added in Intune. +5. You should also see the Microsoft Defender icon in the top-right corner: + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## JAMF based deployment +### Prerequsites +You need to be familiar with JAMF administration tasks, have a JAMF tenant, and know how to deploy packages. This includes a properly configured distribution point. JAMF has many alternative ways to complete the same task. These instructions provide you an example for most common processes. Your organization might use a different workflow. + + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721160 + -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators + inflating: intune/kext.xml + inflating: intune/WindowsDefenderATPOnboarding.xml + inflating: jamf/WindowsDefenderATPOnboarding.plist + mavel-macmini:Downloads test$ + ``` + +### Create JAMF Policies +You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client machines. + +#### Configuration Profile +The configuration profile contains one custom settings payload that includes: + +- Microsoft Defender ATP for Mac onboarding information +- Approved Kernel Extensions payload to enable the Microsoft kernel driver to run + + +1. Upload jamf/WindowsDefenderATPOnboarding.plist as the Property List File. + + >[!NOTE] + > You must use exactly "com.microsoft.wdav.atp" as the Preference Domain. + + ![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) + +#### Approved Kernel Extension + +To approve the kernel extension: +1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. +2. Use **UBF8T346G9** for Team Id. + +![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) + +#### Configuration Profile's Scope +Configure the appropriate scope to specify the machines that will receive this configuration profile. + +Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. + +![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) + +Save the **Configuration Profile**. + +Use the **Logs** tab to monitor deployment status for each enrolled machine. + +#### Package +1. Create a package in **Settings > Computer Management > Packages**. + + ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + +2. Upload wdav.pkg to the Distribution Point. +3. In the **filename** field, enter the name of the package. For example, wdav.pkg. + +#### Policy +Your policy should contain a single package for Microsoft Defender. + +![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) + +Configure the appropriate scope to specify the computers that will receive this policy. + +After you save the Configuration Profile, you can use the Logs tab to monitor the deployment status for each enrolled machine. + +### Client machine setup +You need no special provisioning for a macOS computer beyond the standard JAMF Enrollment. + +> [!NOTE] +> After a computer is enrolled, it will show up in the Computers inventory (All Computers). + +1. Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. + +![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) +![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) + +After some time, the machine's User Approved MDM status will change to Yes. + +![MDM status screenshot](images/MDATP_23_MDMStatus.png) + +You can enroll additional machines now. Optionally, can do it after system configuration and application packages are provisioned. + +### Deployment +Enrolled client machines periodically poll the JAMF Server and install new configuration profiles and policies as soon as they are detected. + +#### Status on server +You can monitor the deployment status in the Logs tab: + - **Pending** means that the deployment is scheduled but has not yet happened + - **Completed** means that the deployment succeeded and is no longer scheduled + +![Status on server screenshot](images/MDATP_24_StatusOnServer.png) + + +#### Status on client machine +After the Configuration Profile is deployed, you'll see the profile on the machine in the **System Preferences > Profiles >** Name of Configuration Profile. + +![Status on client screenshot](images/MDATP_25_StatusOnClient.png) + +After the policy is applied, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + +![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +You can monitor policy installation on a machine by following the JAMF's log file: + +``` +mavel-mojave:~ testuser$ tail -f /var/log/jamf.log +Thu Feb 21 11:11:41 mavel-mojave jamf[7960]: No patch policies were found. +Thu Feb 21 11:16:41 mavel-mojave jamf[8051]: Checking for policies triggered by "recurring check-in" for user "testuser"... +Thu Feb 21 11:16:43 mavel-mojave jamf[8051]: Executing Policy WDAV +Thu Feb 21 11:17:02 mavel-mojave jamf[8051]: Installing Microsoft Defender... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Successfully installed Microsoft Defender. +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: Checking for patches... +Thu Feb 21 11:17:23 mavel-mojave jamf[8051]: No patch policies were found. +``` + +You can also check the onboarding status: +``` +mavel-mojave:~ testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py +uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 +orgid : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid managed : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +orgid effective : 79109c9d-83bb-4f3e-9152-8d75ee59ae22 +``` + +- **orgid/orgid managed**: This is the Microsoft Defender ATP org id specified in the configuration profile. If this value is blank, then the Configuration Profile was not properly set. + +- **orgid effective**: This is the Microsoft Defender ATP org id currently in use. If it does not match the value in the Configuration Profile, then the configuration has not been refreshed. + +### Uninstalling Microsoft Defender ATP for Mac +#### Uninstalling with a script + +Create a script in **Settings > Computer Management > Scripts**. + +![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) + +For example, this script removes Microsoft Defender ATP from the /Applications directory: + +``` +echo "Is WDAV installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Uninstalling WDAV..." +rm -rf '/Applications/Microsoft Defender ATP.app' + +echo "Is WDAV still installed?" +ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null + +echo "Done!" +``` + +#### Uninstalling with a policy +Your policy should contain a single script: + +![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) + +Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. + +### Check onboarding status + +You can check that machines are correctly onboarded by creating a script. For example, the following script checks that enrolled machines are onboarded: + +``` +sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py | grep -E 'orgid effective : [-a-zA-Z0-9]+' +``` + +This script returns 0 if Microsoft Defender ATP is registered with the Windows Defender ATP service, and another exit code if it is not installed or registered. + +## Manual deployment + +### Download installation and onboarding packages +Download the installation and onboarding packages from Windows Defender Security Center: +1. In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**. +2. In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**. +3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. +4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. + + ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png) + +5. From a command prompt, verify that you have the two files. + Extract the contents of the .zip files: + + ``` + mavel-macmini:Downloads test$ ls -l + total 721152 + -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip + -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg + mavel-macmini:Downloads test$ unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: WindowsDefenderATPOnboarding.py + ``` + +### Application installation +To complete this process, you must have admin privileges on the machine. + +1. Navigate to the downloaded wdav.pkg in Finder and open it. + + ![App install screenshot](images/MDATP_28_AppInstall.png) + +2. Select **Continue**, agree with the License terms, and enter the password when prompted. + + ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + + > [!IMPORTANT] + > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + + ![App install screenshot](images/MDATP_30_SystemExtension.png) + +3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: + + ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + + +The installation will proceed. + +> [!NOTE] +> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time. + +### Client configuration +1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. + + The client machine is not associated with orgId. Note that the orgid is blank. + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : + ``` +2. Install the configuration file on a client machine: + + ``` + mavel-mojave:wdavconfig testuser$ python WindowsDefenderATPOnboarding.py + Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) + ``` + +3. Verify that the machine is now associated with orgId: + + ``` + mavel-mojave:wdavconfig testuser$ sudo /Library/Extensions/wdavkext.kext/Contents/Resources/Tools/wdavconfig.py + uuid : 69EDB575-22E1-53E1-83B8-2E1AB1E410A6 + orgid : E6875323-A6C0-4C60-87AD-114BBE7439B8 + ``` +After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. + + ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + +## Uninstallation +### Removing Microsoft Defender ATP from Mac devices +To remove Microsoft Defender ATP from your macOS devices: + +- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**. + +Or, from a command line: + +- ```sudo rm -rf '/Applications/Microsoft Defender ATP'``` + +## Known issues +- Microsoft Defender ATP is not yet optimized for performance or disk space. +- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device). +- Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only. +- Full Windows Defender ATP integration is not yet available +- Not localized yet +- There might be accessibility issues + +## Collecting diagnostic information +If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default. + +1) Increase logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --verbose + Creating connection to daemon + Connection established + Operation succeeded +``` + +2) Reproduce the problem + +3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file. + + ``` + mavel-mojave:~ testuser$ mdatp --diagnostic + Creating connection to daemon + Connection established + "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip" + ``` + +4) Restore logging level: +``` + mavel-mojave:~ testuser$ mdatp log-level --info + Creating connection to daemon + Connection established + Operation succeeded +``` + + +### Installation issues +If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. From 0734e038948e6d12cbba8e3943558cec05cd5829 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Wed, 8 May 2019 09:32:09 -0700 Subject: [PATCH 42/42] Update hello-hybrid-cert-trust-prereqs.md AS FS > AD FS typo --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 3dd1963a94..8179a617a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -57,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning ## Public Key Infrastructure ## The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller. -Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AS FS) as a certificate registration authority. +Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority. The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012.