diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index dc151c3165..47f420a4d0 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 86d594455f..8477cac86f 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md deleted file mode 100644 index e37ec6a7c4..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting .md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Querying Application Control events centrally using Advanced hunting (Windows 10) -description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: justinha -ms.date: 12/06/2018 ---- - -# Querying Application Control events centrally using Advanced hunting - -A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. -While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. - -In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. - -Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. -This capability is supported beginning with Windows version 1607. - -Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: - -```kusto -MiscEvents -| where EventTime > ago(7d) and -ActionType startswith "AppControl" -| summarize Machines=dcount(ComputerName) by ActionType -| order by Machines desc -``` - -The query results can be used for several important functions related to managing WDAC including: - -- Assessing the impact of deploying policies in audit mode - Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. -- Monitoring blocks from policies in enforced mode - Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index e0c41580fa..a567b25209 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/19/2018 +ms.date: 12/06/2018 --- # Onboard Windows 10 machines using Mobile Device Management tools @@ -34,27 +34,10 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D ## Onboard machines using Microsoft Intune +Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). + For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). -### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher - -1. Login to the [Microsoft Azure portal](https://portal.azure.com). - -2. Select **Device Configuration > Profiles > Create profile**. - -3. Enter a **Name** and **Description**. - -4. For **Platform**, select **Windows 10 and later**. - -5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**. - -6. Configure the settings: - - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service. - - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis. - - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently. - - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property. - -7. Select **OK**, and **Create** to save your changes, which creates the profile. > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.