mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 14:57:23 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into vs-9329193
This commit is contained in:
LizRoss
commit
ee25c20fa8
@ -36,7 +36,7 @@ Highlighted area|Area name|Description
|
||||
:---|:---|:---
|
||||
(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts**
|
||||
(2)|Alerts|Each alert shows:<ul><li>The severity of an alert as a colored bar</li><li>A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)</li><li>The last occurrence of the alert on any machine</li><li>The number of days the alert has been in the queue</li><li>The severity of the alert</li><li>The general category or type of alert, or the alert's kill-chain stage</li><li>The affected machine (if there are multiple machines, the number of affected machines will be shown)</li><li>A **Manage Alert** menu icon  that allows you to update the alert's status and add comments</li></ul>Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected.
|
||||
(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Newest** (when the threat was last seen on your network)</li><li>**Time in queue** (how long the threat has been in your queue)</li><li>**Severity**</li></ul>You can also filter the displayed alerts by:<ul><li>Severity</li><li>Time period</li></ul>See [Windows Defender ATP alerts](use-windows-defender-advanced-threat-protection.md#windows-defender-atp-alerts) for more details.
|
||||
(3)|Alerts sorting and filters | You can sort alerts by: <ul><li>**Newest** (when the threat was last seen on your network)</li><li>**Time in queue** (how long the threat has been in your queue)</li><li>**Severity**</li></ul>You can also filter the displayed alerts by:<ul><li>Severity</li><li>Time period</li></ul>See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details.
|
||||
|
||||
##Sort and filter the Alerts queue
|
||||
You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria.
|
||||
|
||||
@ -51,7 +51,7 @@ This tile shows you a list of machines with the highest number of active alerts.
|
||||
|
||||
|
||||
|
||||
Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
|
||||
Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
|
||||
|
||||
|
||||
@ -30,4 +30,4 @@ Windows Defender will continue to receive updates, and the *mspeng.exe* process
|
||||
|
||||
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
|
||||
|
||||
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
|
||||
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
|
||||
|
||||
@ -151,7 +151,7 @@ The service could not contact the external processing servers at that URL.</td>
|
||||
<td>17</td>
|
||||
<td>Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.</td>
|
||||
<td>An error occurred with the Windows telemetry service.</td>
|
||||
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
|
||||
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
|
||||
</tr>
|
||||
@ -202,7 +202,7 @@ Ensure real-time antimalware protection is running properly.</td>
|
||||
<td>28</td>
|
||||
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.</td>
|
||||
<td>An error occurred with the Windows telemetry service.</td>
|
||||
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
|
||||
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
|
||||
</tr>
|
||||
@ -218,7 +218,7 @@ Ensure real-time antimalware protection is running properly.</td>
|
||||
<td>31</td>
|
||||
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.</td>
|
||||
<td>An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.</td>
|
||||
<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).</td>
|
||||
<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>32</td>
|
||||
@ -237,7 +237,7 @@ If the identifier does not persist, the same machine might appear twice in the p
|
||||
<td>34</td>
|
||||
<td>Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.</td>
|
||||
<td>An error occurred with the Windows telemetry service.</td>
|
||||
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).<br>
|
||||
<td>[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled).<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
|
||||
</tr>
|
||||
|
||||
@ -69,7 +69,7 @@ The threat category filter lets you filter the view by the following categories:
|
||||
- Threat
|
||||
- Low severity
|
||||
|
||||
For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
|
||||
For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#machines-with-active-malware-detections).
|
||||
|
||||
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon  to download the entire list as a CSV file.
|
||||
|
||||
@ -104,7 +104,7 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
|
||||
|
||||
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
|
||||
|
||||
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
|
||||
You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-spotlight) feature to see the correlation between alerts and events on a specific machine.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -108,7 +108,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
|
||||
## Windows Defender signature updates are configured
|
||||
The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
|
||||
|
||||
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
|
||||
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
|
||||
|
||||
## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
|
||||
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
|
||||
|
||||
@ -149,7 +149,7 @@ If the deployment tools used does not indicate an error in the onboarding proces
|
||||
Event ID | Message | Resolution steps
|
||||
:---|:---|:---
|
||||
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
|
||||
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
|
||||
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
|
||||
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
|
||||
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
|
||||
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user