Merge branch 'master' into wcf

This commit is contained in:
Beth Levin 2020-01-10 11:11:46 -08:00
commit ee4cc73442
12 changed files with 130 additions and 126 deletions

View File

@ -44,7 +44,7 @@ To opt out of Insider builds:
## Provide feedback and report issues
Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens or Windows 10 PC to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way.
>[!NOTE]
>Be sure to accept the prompt that asks whether youd like Feedback Hub to access your Documents folder (select **Yes** when prompted).

View File

@ -58,6 +58,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
- [What is dmwappushsvc?](#what-is-dmwappushsvc)
- **Change history in MDM documentation**
- [January 2020](#january-2020)
- [November 2019](#november-2019)
- [October 2019](#october-2019)
- [September 2019](#september-2019)
@ -1935,6 +1936,12 @@ How do I turn if off? | The service can be stopped from the "Services" console o
## Change history in MDM documentation
### January 2020
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
### November 2019
|New or updated topic | Description|

View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 01/08/2020
ms.reviewer:
manager: dansimp
---
@ -3068,7 +3068,7 @@ The following list shows the supported values:
Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take.
This value is a list of threat severity level IDs and corresponding actions, separated by a<strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3
This value is a list of threat severity level IDs and corresponding actions, separated by a <strong>|</strong> using the format "*threat level*=*action*|*threat level*=*action*". For example, "1=6|2=2|4=10|5=3".
The following list shows the supported values for threat severity levels:
@ -3079,12 +3079,12 @@ The following list shows the supported values for threat severity levels:
The following list shows the supported values for possible actions:
- 1 Clean
- 2 Quarantine
- 3 Remove
- 6 Allow
- 8 User defined
- 10 Block
- 1 Clean. Service tries to recover files and try to disinfect.
- 2 Quarantine. Moves files to quarantine.
- 3 Remove. Removes files from system.
- 6 Allow. Allows file/does none of the above actions.
- 8 User defined. Requires user to make a decision on which action to take.
- 10 Block. Blocks file execution.
<!--/Description-->
<!--ADMXMapped-->

View File

@ -20,39 +20,33 @@ ms.custom:
# VAMT known issues
The following list and the section that follows contain the current known issues regarding the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1.
The current known issues with the Volume Activation Management Tool (VAMT), versions 3.0. and 3.1, include:
- VAMT Windows Management Infrastructure (WMI) remote operations might take longer to execute if the target computer is in a sleep or standby state.
- When opening a Computer Information List (CIL file) that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. Users must update the product status again to obtain the edition information.
- The remaining activation count can only be retrieved for MAKs.
- When you open a Computer Information List (CIL) file that was saved by using a previous version of VAMT, the edition information is not shown for each product in the center pane. You must update the product status again to obtain the edition information.
- The remaining activation count can only be retrieved for Multiple Activation Key (MAKs).
## Can't add CSVLKs for Windows 10 activation to VAMT 3.1
## Workarounds for adding CSVLKs for Windows 10 activation to VAMT 3.1
When you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the following error message:
> The specified product key is invalid, or is unsupported by this version of VAMT. An update to support additional products may be available online.
Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
![VAMT error message](./images/vamt-known-issue-message.png)
This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key.
This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
### Workaround
### Method 1
To work around this issue, use one of the following methods.
Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
**Method 1**
### Method 2
Do not add the CSVLK to the VAMT 3.1 tool. Instead, use the **slmgr.vbs /ipk \<*CSVLK*>** command-line tool to install a CSVLK on a KMS host. In this command, \<*CSVLK*> represents the specific key that you want to install. For more information about how to use the Slmgr.vbs tool, see [Slmgr.vbs options for obtaining volume activation information](https://docs.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options).
**Method 2**
On the KMS host computer, follow these steps:
On the KMS host computer, perform the following steps:
1. Download the hotfix from [July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/3172614/).
1. In Windows Explorer, right-click **485392_intl_x64_zip**, and then extract the hotfix to **C:\KB3058168**.
1. In Windows Explorer, right-click **485392_intl_x64_zip** and extract the hotfix to C:\KB3058168.
1. To extract the contents of the update, open a Command Prompt window and run the following command:
1. To extract the contents of the update, run the following command:
```cmd
expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
@ -64,6 +58,6 @@ On the KMS host computer, follow these steps:
expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
```
1. In the "C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716\" folder, copy the **pkeyconfig-csvlk.xrm-ms** file. Paste this file to the "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig" folder.
1. In the C:\KB3058168\x86_microsoft-windows-s..nent-sku-csvlk-pack_31bf3856ad364e35_6.3.9600.17815_none_bd26b4f34d049716 folder, copy the pkeyconfig-csvlk.xrm-ms file. Paste this file into the C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3\pkconfig folder.
1. Restart VAMT.

View File

@ -23,6 +23,7 @@ ms.date: 10/08/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
@ -97,16 +98,16 @@ Now that you've run your first query and have a general idea of its components,
| Operator | Description and usage |
|--|--|
| **`where`** | Filter a table to the subset of rows that satisfy a predicate. |
| **`summarize`** | Produce a table that aggregates the content of the input table. |
| **`join`** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
| **`count`** | Return the number of records in the input record set. |
| **`top`** | Return the first N records sorted by the specified columns. |
| **`limit`** | Return up to the specified number of rows. |
| **`project`** | Select the columns to include, rename or drop, and insert new computed columns. |
| **`extend`** | Create calculated columns and append them to the result set. |
| **`makeset`** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
| **`find`** | Find rows that match a predicate across a set of tables. |
| `where` | Filter a table to the subset of rows that satisfy a predicate. |
| `summarize` | Produce a table that aggregates the content of the input table. |
| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
| `count` | Return the number of records in the input record set. |
| `top` | Return the first N records sorted by the specified columns. |
| `limit` | Return up to the specified number of rows. |
| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
| `extend` | Create calculated columns and append them to the result set. |
| `makeset` | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
| `find` | Find rows that match a predicate across a set of tables. |
To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
@ -116,11 +117,11 @@ Data in advanced hunting tables are generally classified into the following data
| Data type | Description and query implications |
|--|--|
| **datetime** | Data and time information typically representing event timestamps |
| **string** | Character string |
| **bool** | True or false |
| **int** | 32-bit numeric value |
| **long** | 64-bit numeric value |
| `datetime` | Data and time information typically representing event timestamps |
| `string` | Character string |
| `bool` | True or false |
| `int` | 32-bit numeric value |
| `long` | 64-bit numeric value |
## Use sample queries
@ -140,4 +141,5 @@ For detailed information about the query language, see [Kusto query language doc
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)

View File

@ -35,6 +35,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
>- Windows Server 2019
>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
>- Later versions of Windows 10

View File

@ -10,9 +10,9 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/09/2019
author: denisebmsft
ms.author: deniseb
ms.date: 01/08/2020
ms.reviewer:
manager: dansimp
---
@ -23,51 +23,50 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
> [!IMPORTANT]
> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of these methods:
* [Windows Security app](#windows-security-app)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [System Center Configuration Manager (SCCM)](#sccm)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
- [Windows Security app](#windows-security-app)
- [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm)
- [System Center Configuration Manager (SCCM)](#sccm)
- [Group Policy](#group-policy)
- [PowerShell](#powershell)
They are configured by default in Windows 10.
You can set each mitigation to on, off, or to its default value.
Some mitigations have additional options.
Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
## Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
- If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
5. Repeat this for all the apps and mitigations you want to configure.
6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:<br/>
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
* **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
* **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
* **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@ -78,51 +77,45 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
**Example 1**
### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
**Example 2**
### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**.
Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
CFG will be enabled for *miles.exe*.
The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
- If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
2. Click **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
6. Click **OK** to save each open blade and click **Create**.
7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
@ -131,21 +124,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
## SCCM
1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. Click **Home** > **Create Exploit Guard Policy**.
1. Enter a name and a description, click **Exploit protection**, and click **Next**.
1. Browse to the location of the exploit protection XML file and click **Next**.
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
2. Click **Home** > **Create Exploit Guard Policy**.
3. Enter a name and a description, click **Exploit protection**, and click **Next**.
4. Browse to the location of the exploit protection XML file and click **Next**.
5. Review the settings and click **Next** to create the policy.
6. After the policy is created, click **Close**.
## Group Policy
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
## PowerShell
@ -230,7 +221,7 @@ Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

Binary file not shown.

After

Width:  |  Height:  |  Size: 287 KiB

View File

@ -45,8 +45,6 @@ The following features are included in the preview release:
- [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os) <BR>Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
- [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) <BR> You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) <BR> You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories.
- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy) <BR> You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy).

View File

@ -21,7 +21,8 @@ ms.date: 04/11/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
@ -43,13 +44,18 @@ Each machine in the organization is scored based on three important factors: thr
You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it.
There are security recommendations for application, operating system, network, accounts, and security controls.
From the menu, select **Security recommendations** to get an overview of the running list with its weaknesses, related components, application, operating system, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities.
![Screenshot of Security recommendations page](images/tvm_securityrecommendation-graph.png)
>[!NOTE]
> The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens per change, which means an increase or decrease of even a single machine will change the graph's color.
In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value.
You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, how many exposed devices are associated with the security recommendation, vulnerabilities, and other threats.
You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score.
From that page, you can do any of the following depending on what you need to do:
@ -77,8 +83,8 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
5. Include your machine name for investigation context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
>[!TIP]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 10/18/2019
ms.date: 01/09/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@ -30,7 +30,7 @@ Keeping your antivirus protection up to date is critical. There are two componen
- *Where* the updates are downloaded from; and
- *When* updates are downloaded and applied.
This article describes the *where* - how to specify where updates should be downloaded from (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
> [!IMPORTANT]
> Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
@ -40,7 +40,7 @@ This article describes the *where* - how to specify where updates should be down
## Fallback order
Typically, you configure endpoints to individually download updates from a primary source, followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
- The age of the last update on the device; and
@ -73,16 +73,13 @@ Each source has typical scenarios that depend on how your network is configured,
|System Center Configuration Manager | You are using System Center Configuration Manager to update your endpoints.|
|Security intelligence updates for Windows Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
> [!IMPORTANT]
> If you set Windows Server Update Service as a download location, you must approve the updates, regardless of the management tool you use to specify the location. You can set up an automatic approval rule with Windows Server Update Service, which might be useful as updates arrive at least once a day. To learn more, see [synchronize endpoint protection updates in standalone Windows Server Update Service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
## Use Group Policy to manage the update location
1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
@ -103,7 +100,7 @@ The procedures in this article first describe how to set the order, and then how
4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates.
5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://docs.microsoft.com/openspecs/windows_protocols/ms-dtyp/62e862f4-2a51-452e-8eeb-dc4ff5ee33cc) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths, then this source will be skipped when the VM downloads updates.
6. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting.
@ -124,7 +121,7 @@ Use the following PowerShell cmdlets to set the update order.
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}
Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}
```
See the following for more information:
See the following articles for more information:
- [Set-MpPreference -SignatureFallbackOrder](https://docs.microsoft.com/powershell/module/defender/set-mppreference)
- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
@ -139,13 +136,21 @@ SignatureFallbackOrder
SignatureDefinitionUpdateFileSharesSource
```
See the following for more information:
See the following articles for more information:
- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
## Use Mobile Device Management (MDM) to manage the update location
See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM.
## What if we're using a third-party vendor?
This article describes how to configure and manage updates for Windows Defender Antivirus. However, third-party vendors can be used to perform these tasks.
For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Windows Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus), [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus), or [Windows command-line](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to deploy patches and updates.
> [!NOTE]
> Microsoft does not test third-party solutions for managing Windows Defender Antivirus.
## Related articles

View File

@ -79,7 +79,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
- Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in Microsoft 365 E5. See [Microsoft 365 Enterprise overview](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview) for more details.)
- Your organization's devices must be managed by [Intune](https://docs.microsoft.com/intune/device-management-capabilities).
- Your Windows machines must be running [Windows OS 1903](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) or later.
- Your Windows machines must be running [Windows OS 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later.
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above)
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). (See [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md).)
@ -99,7 +99,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
### To which Windows OS versions is configuring Tamper Protection is applicable?
Windows 1903 May release
[Windows 1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) or later
### Is configuring Tamper Protection in Intune supported on servers?
@ -109,7 +109,7 @@ No
No, third-party antivirus will continue to register with the Windows Security application.
### What happens if Microsoft Defender Antivirus is not active on a device?
### What happens if Windows Defender Antivirus is not active on a device?
Tamper Protection will not have any impact on such devices.