Merge branch 'master' into user/tudobril/bm-public-preview

This commit is contained in:
Tina Burden 2021-03-22 11:56:28 -07:00 committed by GitHub
commit f2de10e18c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
42 changed files with 1528 additions and 306 deletions

View File

@ -16550,6 +16550,10 @@
"redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/device-guard/memory-integrity.md",
"redirect_url": "https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78",
"redirect_document_id": true
}
]
}
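Review bot: `redirect_document_id` is `true` for the new memory-integrity.md entry, but the target is an external site (support.microsoft.com), not a page in this docset, and the neighbouring entry uses `false`. Document-id redirects only resolve within the same docset, so this should be `"redirect_document_id": false`.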

View File

@ -2,17 +2,9 @@
## Week of January 25, 2021
## Week of March 15, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
## Week of January 11, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 1/14/2021 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified |
| 3/17/2021 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified |
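Review bot: the hunk replaces the "Week of January 25, 2021" and "Week of January 11, 2021" sections (headers, tables and their rows) instead of adding the March 15 week above them, so the January release-notes history disappears from the page. Keep the earlier weeks below the new section unless this page is meant to show only the most recent week.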

View File

@ -13,11 +13,16 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 03/10/2021
ms.date: 03/16/2021
---
# Roles and permissions in Microsoft Store for Business and Education
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
@ -31,62 +36,65 @@ This table lists the global user accounts and the permissions they have in Micro
| | Global Administrator | Billing Administrator |
| ------------------------------ | --------------------- | --------------------- |
| Sign up for Microsoft Store for Business and Education | X |
| Modify company profile settings | X | |
| Sign up for Microsoft Store for Business and Education | X | X |
| Modify company profile settings | X | X |
| Purchase apps | X | X |
| Distribute apps | X | X |
| Purchase subscription-based software | X | X |
- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
## Microsoft Store roles and permissions
**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role.
## Billing account roles and permissions
There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business.
Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
This table lists the roles and their permissions.
| Role | Buy from<br /><br /> Microsoft Store | Assign<br /><br /> roles | Edit<br /><br /> account | Sign<br /><br /> agreements | View<br /><br /> account |
| ------------------------| ------ | -------- | ------ | -------| -------- |
| Billing account owner | X | X | X | X | X |
| Billing account contributor | | | X | X | X |
| Billing account reader | | | | | X |
| Signatory | | | | X | X |
| | Admin | Purchaser | Device Guard signer |
| ------------------------------ | ------ | -------- | ------------------- |
| Assign roles | X | | |
| Manage Microsoft Store for Business and Education settings | X | | |
| Acquire apps | X | X | |
| Distribute apps | X | X | |
| Sign policies and catalogs | X | | |
| Sign Device Guard changes | X | | X |
<!---
These permissions allow people to:
- **Edit account**:
- **Manage Microsoft Store settings**:
- Account information (view only)
- Device Guard signing
- LOB publishers
- Management tools
- Offline licensing
- Permissions
- Private store
- **Acquire apps** - Acquire apps from Microsoft Store and add them to your inventory.
- **Distribute apps** - Distribute apps that are in your inventory.
- Admins can assign apps to people, add apps to the private store, or use a management tool.
- Purchasers can assign apps to people.
-->
## Purchasing roles and permissions
There are also a set of roles for purchasing and managing items bought.
This table lists the roles and their permissions.
| Role | Buy from<br /><br /> Microsoft Store | Manage all items | Manage items<br /><br /> I buy |
| ------------| ------ | -------- | ------ |
| Purchaser | X | X | |
| Basic purchaser | X | | X |
## Assign roles
**To assign roles to people**
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
1. Sign in to Microsoft Store for Business or Microsoft Store for Education.
>[!Note]
>You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**. 
>You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page.
2. Select **Manage**, and then select **Permissions**.
3. On **Roles**, or **Purchasing roles**, select **Assign roles**.
4. Enter a name, choose the role you want to assign, and select **Save**.
If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).
To assign roles, you need to be a Global Administrator or a Store Administrator.
2. Click **Settings**, and then choose **Permissions**.
OR
Click **Manage**, and then click **Permissions** on the left-hand menu.
<!--- ![Image showing Permissions page in Microsoft Store for Business.](images/wsfb-settings-permissions.png) -->
3. Click **Add people**, type a name, choose the role you want to assign, and click **Save**.
<!--- ![Image showing Assign roles to people box in Microsoft Store for Business.](images/wsfb-permissions-assignrole.png) -->
4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
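Review bot: the rewritten global-accounts table gives Billing Administrator an X for both "Sign up for Microsoft Store for Business and Education" and "Modify company profile settings", yet the new description line says a Billing Administrator "has the same permissions as Microsoft Store Purchaser role", and the Purchaser row in the purchasing table grants only "Buy from Microsoft Store" and "Manage all items". One of the two needs correcting so the table and the prose agree. Two smaller points: the large `<!--- ... -->` block (Edit account, Manage Microsoft Store settings, Acquire apps, Distribute apps) is dead text left in the source and should be deleted rather than commented out, and the note line ending in `**Permissions**.` has a trailing space.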

View File

@ -159,15 +159,16 @@
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
#### [Policy CSP DDF file](policy-ddf-file.md)
#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
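Review bot: this hunk re-points eight TOC entries at renamed files (for example policy-csps-admx-backed.md becomes policies-in-policy-csp-admx-backed.md) and adds a new IoT Enterprise page. Every renamed page needs an entry in .openpublishing.redirection.json so the old URLs keep resolving; the only redirect visible in this commit view is the memory-integrity one, so confirm the eight policy-csps-* redirects are among the other changed files.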

View File

@ -13,7 +13,7 @@ author: lomayor
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
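Review bot: the only change on the intro line is "third party" to "third-party", but the same line still reads "the world largest" and "Its used"; fix those to "the world's largest" and "It's used" in the same edit. The unchanged context line below it also reads "report a devices compliance Azure AD", which should be "report a device's compliance to Azure AD".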
@ -52,19 +52,19 @@ Two Azure AD MDM enrollment scenarios:
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used for MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [Configure Azure MFA as authentication provider with AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios is similar.
> [!NOTE]
> Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
### MDM endpoints involved in Azure AD integrated enrollment
### MDM endpoints involved in Azure ADintegrated enrollment
Azure AD MDM enrollment is a two-step process:
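Review bot: the new heading "MDM endpoints involved in Azure ADintegrated enrollment" has lost the separator between "AD" and "integrated" (most likely a non-ASCII dash dropped on the way in); use an ASCII hyphen, "Azure AD-integrated". Two smaller points in the same hunk: "MDM vendors who chose to integrate" should be "who choose", and the AD FS paragraph now links to the Azure MFA configuration article while still saying "as described in solution #2", so check that the new target actually contains a "solution #2" before keeping that wording.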
@ -112,27 +112,39 @@ The keys used by the MDM application to request access tokens from Azure AD are
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Login to the Azure Management Portal using an admin account in your home tenant.
1. Log in to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name>/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667)
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
### Add an on-premises MDM
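Review bot: step 9 escapes the opening angle bracket as `&lt;` but leaves the closing one as a bare `>` (`https://&lt;your\_tenant\_name>/ContosoMDM`); escape both sides the same way, or put the placeholder in backticks as `https://<your_tenant_name>/ContosoMDM` so neither needs escaping. It is unrelated to the "Log in" fix, but worth doing in the same pass through this list.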
@ -208,7 +220,7 @@ The following table shows the required information to create an entry in the Azu
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant.
There are no special requirements for adding on-premises MDM to the app gallery. There is a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
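Review bot: the missing space after "app gallery." is fixed, but "a generic entry for administrator to add an app" still needs an article or a plural: "for an administrator to add an app" or "for administrators to add an app".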
@ -347,6 +359,7 @@ The following claims are expected in the access token passed by Windows to the T
</tr>
</tbody>
</table>
<br/>
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
@ -355,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A
Here's an example URL.
```console
```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
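Review bot: with the fence now tagged `http`, the first line of the block should be a request line with a method (for example `GET /TermsOfUse?redirect_uri=... HTTP/1.1` followed by `Host: fabrikam.contosomdm.com`) rather than a bare absolute URL, otherwise highlighters treat the block as plain text. The bearer value `eyJ0eXAiOi` is a truncated token; mark it as abbreviated (for example `eyJ0eXAiOi...`) so readers do not take it for a complete example token.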
@ -647,7 +660,7 @@ Alert sample:
## Determine when a user is logged in through polling
An alert is send to the MDM server in DM package\#1.
An alert is sent to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
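Review bot: "send" to "sent" is correct; while on this line, "DM package\#1" is missing a space and should read "DM package #1" (the backslash escape is harmless but unnecessary in running text).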
@ -925,5 +938,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di

View File

@ -112,8 +112,8 @@ Example: Export the Debug logs
</SyncML>
```
## Collect logs from Windows 10 Mobile devices
<!--## Collect logs from Windows 10 Mobile devices-->
<!--
Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic](https://www.microsoft.com/p/field-medic/9wzdncrfjb82?activetab=pivot%3aoverviewtab) app to collect logs.
**To collect logs manually**
@ -182,11 +182,11 @@ The following table contains a list of common providers and their corresponding
| e5fc4a0f-7198-492f-9b0f-88fdcbfded48 | Microsoft-Windows Networking VPN |
| e5c16d49-2464-4382-bb20-97a4b5465db9 | Microsoft-Windows-WiFiNetworkManager |
 
 -->
## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices
## Collect logs remotely from Windows 10 Holographic
For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
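Review bot: the new sentence "For holographic already enrolled in MDM" dropped its noun when "or mobile devices" was removed; it should read "For holographic devices already enrolled in MDM". Also, the Windows 10 Mobile section is commented out rather than deleted, so its heading anchor disappears while the source keeps a table inside an HTML comment; check the TOC and any in-page links that pointed at that heading, and prefer deleting the block outright.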

View File

@ -25,6 +25,10 @@ eUICCs
--------IsActive
--------PPR1Allowed
--------PPR1AlreadySet
--------DownloadServers
------------ServerName
----------------DiscoveryState
----------------AutoEnable
--------Profiles
------------ICCID
----------------ServerName
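Review bot: the tree gains four nodes (DownloadServers, ServerName beneath it, DiscoveryState and AutoEnable) but this hunk adds only the tree lines; each new node needs the usual description entry below the tree (data type, supported operations, allowed values). None appear in this view, so confirm they were added further down in the file.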

View File

@ -236,6 +236,9 @@ ADMX Info:
- GP ADMX file name: *AppHVSI.admx*
<!--/ADMXMapped-->
> [!NOTE]
> To enforce this policy, device restart or user logon/logoff is required.
<a href="" id="allowcameramicrophoneredirection"></a>**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the devices camera and microphone when these settings are enabled on the users device.
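Review bot: the context line directly below the new note reads "the devices camera and microphone ... on the users device"; since the note is being added right above it, fix the possessives ("the device's camera", "the user's device") in the same change.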

View File

@ -39,9 +39,18 @@ The following resources provide additional information about using Windows Updat
## How do I reset Windows Update components?
[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
- Try using the [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-for-windows-10-19bc41ca-ad72-ae67-af3c-89ce169755dd), which will analyze the situation and reset any components that need it.
- Try the steps in [Troubleshoot problems updating Windows 10](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-10-188c2b0f-10a7-d72f-65b8-32d177eb136c).
- Try the steps in [Fix Windows Update](https://support.microsoft.com/sbs/windows/fix-windows-update-errors-18b693b5-7818-5825-8a7e-2a4a37d6d787) errors.
If all else fails, try resetting the Windows Update Agent by running these commands from an elevated command prompt:
``` console
net stop wuauserv
rd /s /q %systemroot%\SoftwareDistribution
net start wuauserv
```
[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
## Reset Windows Update components manually
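Review bot: the manual reset sequence stops only `wuauserv` before deleting `%systemroot%\SoftwareDistribution`; BITS keeps open handles in that folder (the removed text itself noted that the old script also cleaned up "BITS related data"), so `rd /s /q` can fail because the directory is in use. Add `net stop bits` before the `rd` and `net start bits` after it. Separately, the fence opener has a space between the three backticks and `console`, which stops the highlighter from recognizing the language; remove the space.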

View File

@ -23,7 +23,7 @@ Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription
With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
## Subscription Activation for Windows 10 Enterprise

View File

@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
The following PowerShell command can be used to check all certificates in the NTAuth store:
```powershell
Certutil -viewstore -enterprise NTAuth
```
### Publish Certificate Templates to a Certificate Authority
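Review bot: the command in the new block is a certutil invocation, not PowerShell, so the fence should be tagged `cmd` or `console` rather than `powershell`. Also, `Certutil -viewstore -enterprise NTAuth` opens the certificate-store dialog, which is no help in a remote session or a script; for a console listing of the store use `certutil -store -enterprise NTAuth`, and lowercase `certutil` to match the other command examples in the repo.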

View File

@ -43,6 +43,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
> [!NOTE]
> When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
- Automatic
The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt from most secure to least secure.
@ -63,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
![Available connection types](images/vpn-connection-intune.png)
> [!div class="mx-imgBorder"]
> ![Available connection types](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles:
![Custom XML](images/vpn-custom-xml-intune.png)
> [!div class="mx-imgBorder"]
> ![Custom XML](images/vpn-custom-xml-intune.png)
## Related topics
@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles:

View File

@ -253,6 +253,10 @@
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Device control]()
###### [Device control overview](microsoft-defender-atp/mac-device-control-overview.md)
###### [JAMF examples](microsoft-defender-atp/mac-device-control-jamf.md)
###### [Intune examples](microsoft-defender-atp/mac-device-control-intune.md)
##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)
#### [Troubleshoot]()

View File

@ -21,6 +21,8 @@ ms.technology: mde
- Windows 10
- Windows Server 2016
> [!NOTE]
> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
@ -61,4 +63,3 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.

View File

@ -1,24 +0,0 @@
---
title: Memory integrity
keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy.
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.reviewer:
manager: dansimp
ms.technology: mde
---
# Memory integrity
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments.
For more information about Windows Security, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
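Review bot: deleting device-guard/memory-integrity.md is consistent with the redirect added in .openpublishing.redirection.json, but any TOC entry or inline link in the repo that still points at this path will break the build; grep for `device-guard/memory-integrity.md` and remove or retarget those references in the same commit.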

View File

@ -39,12 +39,12 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
## System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
## How to run a scan
1. Download this tool and open it.
2. Select the type of scan you want run and start the scan.
2. Select the type of scan that you want to run and start the scan.
3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**.
To remove this tool, delete the executable file (msert.exe by default).
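Review bot: while Windows Server 2019 is being added to the supported list, "Windows 10 Tech Preview" and "Windows Server Tech Preview" are left in; both are pre-release names with no current meaning and should be dropped from a list that is being brought up to date.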

View File

@ -30,7 +30,7 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po
For example:
[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.

View File

@ -12,7 +12,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: ksarens
manager: dansimp
ms.date: 08/17/2020
ms.date: 03/19/2021
ms.technology: mde
---
@ -25,12 +25,11 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
>
> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
> You might need to open an administrator-level version of the command prompt. When you search for **Command Prompt** on the Start menu, choose **Run as administrator**.
> If you're running an updated Microsoft Defender Platform version, run `**MpCmdRun**` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
The utility has the following commands:
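Review bot: in the rewritten callout, `run `**MpCmdRun**` from the following location` wraps Markdown bold inside inline code, so the asterisks render literally; use either `MpCmdRun` in backticks or **MpCmdRun** in bold, and match the **mpcmdrun.exe** styling chosen in the paragraph above. Dropping the bare `>` line between the two sentences of the note also merges them into a single paragraph when rendered; keep a `>` separator line between "choose **Run as administrator**." and "If you're running an updated Microsoft Defender Platform version".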
@ -68,7 +67,7 @@ MpCmdRun.exe -Scan -ScanType 2
|:----|:----|
| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again. <br> **Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)|
| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
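Review bot: the platform-path row changes the exception month from December to March ("platform updates are monthly except for March") without a source for the new cadence; if the release calendar really changed, cite it, and better, stop the row from going stale each year by describing the folder rather than the calendar, for example "where `4.18.2012.4-0` is the installed platform version; list the folders under `C:\ProgramData\Microsoft\Windows Defender\Platform\` to find the current one". The row also says only `2012.4-0` "might differ" while the reader has to match the whole folder name, so quote the full `4.18.2012.4-0` string there.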
@ -76,7 +75,9 @@ MpCmdRun.exe -Scan -ScanType 2
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
## Related topics
## See also
- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
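Review bot: in the list renamed to "See also", the entries "Manage Microsoft Defender Antivirus in your business" and "Reference topics for management and configuration tools" both resolve to `configuration-management-reference-microsoft-defender-antivirus.md`; check which target the "Manage" entry should have, and if both really are intended, drop one, since two links with different titles to the same topic mislead readers.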

@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
ms.date: 03/10/2021
ms.date: 03/19/2021
ms.technology: mde
---
@ -35,7 +35,7 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
>
> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info).
> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
## Security intelligence updates
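Review bot: the new URL `https://www.microsoft.com/en-us/wdsi/defenderupdates` carries an `en-us` locale segment, while the passive-mode link kept on the line above (`https://docs.microsoft.com/windows/security/...`) is locale-free; drop `en-us` so localized readers are not forced onto the English page.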
@ -48,7 +48,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes).
For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
Engine updates are included with security intelligence updates and are released on a monthly cadence.
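Review bot: the sentence still promises "a list of recent security intelligence updates", but the link now points at the general defenderupdates page, which is the download page for the current package rather than the per-release change log the removed `antimalware-definition-release-notes` link provided. If the change log is still published, keep that link for this sentence; if it was retired, reword the sentence to say what the new page actually offers. The new URL also carries an `en-us` locale segment that should be dropped.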

@ -32,11 +32,11 @@ ms.technology: mde
## Before you begin
> [!NOTE]
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to Microsoft Threat Experts - Targeted Attack Notification managed threat hunting service.
Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up.
If you're a Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries.
If you're a Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries.
## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center.
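Review bot: "apply to Microsoft Threat Experts - Targeted Attack Notification managed threat hunting service" is missing an article and uses the singular "Notification", while the bolded service name further down in the same hunk is "Targeted Attack Notifications"; suggest "apply to the **Microsoft Threat Experts - Targeted Attack Notifications** managed threat hunting service", bolded to match the later paragraph.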
@ -78,7 +78,7 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
## Subscribe to Microsoft Threat Experts - Experts on Demand
If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
This is available as a subscription service. If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.

@ -200,7 +200,7 @@ The following capabilities are included in this integration:
- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
> The integration between Azure Defender for Servers and Microsoft Defender for Endpoint has been expanded to support [Windows Server 2019 and Windows Virtual Desktop (WVD)](https://docs.microsoft.com/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).
- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
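Review bot: the replacement note loses the information the removed one carried. The old line told readers automated onboarding applies only to Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016; the new line only says the integration has been expanded to Windows Server 2019 and Windows Virtual Desktop in preview, so a reader can no longer tell which server versions are covered outside the preview. Keep the original list and append the expansion, for example "Automated onboarding applies to Windows Server 2008 R2 SP1, 2012 R2 and 2016; support for Windows Server 2019 and Windows Virtual Desktop (WVD) is in preview (link)". Because the new sentence links a dated release note, flag it for revisiting when the preview ends.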

@ -47,10 +47,10 @@ To use either of these supported SIEM tools, you'll need to:
- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md)
- Configure the supported SIEM tool:
- [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- [Configure Micro Focus ArcSight to pull Defender for Endpoint detections](configure-arcsight.md)
- Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md).
For more information on the list of fields exposed in the Detection API, see [Defender for Endpoint Detection fields](api-portal-mapping.md).
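Review bot: the IBM QRadar bullet in this hunk still runs two sentences together: "Configure IBM QRadar to pull Defender for Endpoint detections For more information, see ..." needs a period (or a line break) before "For more information", matching the shape of the ArcSight bullet above it.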

@ -105,8 +105,8 @@ getfile c:\Users\user\Desktop\work.txt -auto
>
> The following file types **cannot** be downloaded using this command from within Live Response:
>
> * [Reparse point files](/windows/desktop/fileio/reparse-points/)
> * [Sparse files](/windows/desktop/fileio/sparse-files/)
> * [Reparse point files](https://docs.microsoft.com/windows/win32/fileio/reparse-points)
> * [Sparse files](https://docs.microsoft.com/windows/win32/fileio/sparse-files)
> * Empty files
> * Virtual files, or files that are not fully present locally
>

@ -0,0 +1,426 @@
---
title: Examples of device control policies for Intune
description: Learn how to use device control policies using examples that can be used with Intune.
keywords: microsoft, defender, atp, mac, device, control, usb, removable, media, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---
# Examples of device control policies for Intune
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise.
## Restrict access to all removable media
The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Set all removable media to be read-only
The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Disallow program execution from removable media
The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Restrict all devices from specific vendors
The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Restrict specific devices identified by vendor ID, product ID, and serial number
The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Related topics
- [Overview of device control for macOS](mac-device-control-overview.md)
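Review bot: nothing on the page tells an administrator how to obtain the vendor ID, product ID and serial number that the last two examples key on. Before "Restrict all devices from specific vendors" and "Restrict specific devices identified by vendor ID, product ID, and serial number", say that the vendor ID and product ID are the hexadecimal USB identifiers reported by the device and that the serial number is the string from its USB descriptor, and point to a way of reading them on macOS (`system_profiler SPUSBDataType` lists Vendor ID, Product ID and Serial Number for attached devices). A short caveat belongs with the serial-number example as well: all three values are reported by the device itself and are not authenticated, so a policy keyed on them is an administrative control over known hardware, not protection against a device that deliberately presents another device's identifiers. Two smaller points: every example is a standalone profile whose `PayloadIdentifier` is `com.microsoft.wdav`, the same identifier as the existing Defender configuration profile, so state whether the `deviceControl` dictionary must be merged into that profile or can be deployed as a separate one; and the `PayloadDisplayName` values still read "Microsoft Defender ATP settings" although the page opens with the Microsoft 365 Defender rebranding include.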

@ -0,0 +1,221 @@
---
title: Examples of device control policies for JAMF
description: Learn how to use device control policies using examples that can be used with JAMF.
keywords: microsoft, defender, endpoint, atp, mac, device, control, usb, removable, media, jamf
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---
# Examples of device control policies for JAMF
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise.
## Restrict access to all removable media
The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be prohibited.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</plist>
```
## Set all removable media to be read-only
The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
</array>
</dict>
</dict>
</dict>
</plist>
```
## Disallow program execution from removable media
The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
</array>
</dict>
</dict>
</dict>
</plist>
```
## Restrict all devices from specific vendors
The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
<key>4525</key>
<dict>
<key>permission</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</plist>
```
## Restrict specific devices identified by vendor ID, product ID, and serial number
The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>block</string>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>vendors</key>
<dict>
<key>fff0</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>products</key>
<dict>
<key>1000</key>
<dict>
<key>permission</key>
<array>
<string>read</string>
<string>write</string>
<string>execute</string>
</array>
<key>serialNumbers</key>
<dict>
<key>04ZSSMHI2O7WBVOA</key>
<array>
<string>none</string>
</array>
<key>04ZSSMHI2O7WBVOB</key>
<array>
<string>none</string>
</array>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</dict>
</plist>
```
## Related topics
- [Overview of device control for macOS](mac-device-control-overview.md)
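Review bot: the first example's "all file operations will be prohibited" should match the same sentence on the Intune companion page, which says "disallowed"; readers comparing the two pages will otherwise wonder whether the behaviour differs. The plist boilerplate also differs between the pages (`encoding="UTF-8"` and `<plist version="1.0">` here, `encoding="utf-8"` and `<plist version="1">` on the Intune page); both parse, but one form across both would remove a needless difference. Finally, nothing here says where the dictionary goes in JAMF: state the payload type and the `com.microsoft.wdav` preference domain under which this XML is uploaded, or link to the existing JAMF configuration topic, and tell readers how to obtain the vendor ID, product ID and serial number values the last two examples depend on (for example from `system_profiler SPUSBDataType`).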

@ -0,0 +1,370 @@
---
title: Device control for macOS
description: Learn how to configure Microsoft Defender for Endpoint for Mac to reduce threats from removable storage such as USB devices.
keywords: microsoft, defender, atp, mac, device, control, usb, removable, media
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: m365-security
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
ms.technology: mde
---
# Device control for macOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Requirements
Device control for macOS has the following prerequisites:
>[!div class="checklist"]
> - MicrosoftDefenderfor Endpointentitlement(can betrial)
> - Minimum OS version: macOS 10.15.4 or higher
> - Minimum product version: 101.24.59
> - Your device must be running with system extensions (this is the default on macOS 11 Big Sur).
>
> You can check if your device is running on system extensions by running the following command and verify that it is printing `endpoint_security_extension` to the console:
>
> ```bash
> mdatp health --field real_time_protection_subsystem
> ```
> - Your device must be in `Beta` (previously called `InsiderFast`) Microsoft AutoUpdate update channel. For more information, see[Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
>
> You can check the update channel using the following command:
>
> ```bash
> mdatp health --field release_ring
> ```
>
> If the above command does not print either `Beta` or `InsiderFast`, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
>
> ```bash
> defaults write com.microsoft.autoupdate2 ChannelName -string Beta
> ```
>
> Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see[Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md).
## Device control policy
To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.
The device control policy is included in the configuration profile used to configure all other product settings. For more information, see [Configuration profile structure](mac-preferences.md#configuration-profile-structure).
Within the configuration profile, the device control policy is defined in the following section:
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | deviceControl |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
The device control policy can be used to:
- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control)
- [Allow or block removable devices](#allow-or-block-removable-devices)
### Customize URL target for notifications raised by device control
When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.
![Device control notification](images/mac-device-control-notification.png)
When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | navigationTarget |
| **Data type** | String |
| **Comments** | If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product. |
### Allow or block removable devices
The removable media section of the device control policy is used to restrict access to removable media.
> [!NOTE]
> The following types of removable media are currently supported and can be included in the policy: USB storage devices.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | removableMediaPolicy |
| **Data type** | Dictionary (nested preference) |
| **Comments** | See the following sections for a description of the dictionary contents. |
This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.
```
|-- policy top level
|-- vendor 1
|-- product 1
|-- serial number 1
...
|-- serial number N
...
|-- product N
...
|-- vendor N
```
For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers).
The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.
#### Policy enforcement level
Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:
- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.
- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | enforcementLevel |
| **Data type** | String |
| **Possible values** | audit (default) <br/> block |
#### Default permission level
At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.
This setting can be set to:
- `none` - No operations can be performed on the device
- A combination of the following values:
- `read` - Read operations are permitted on the device
- `write` - Write operations are permitted on the device
- `execute` - Execute operations are permitted on the device
> [!NOTE]
> If `none` is present in the permission level, any other permissions (`read`, `write`, or `execute`) will be ignored.
> [!NOTE]
> The `execute` permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | none <br/> read <br/> write <br/> execute |
#### Restrict removable media by vendor, product, and serial number
As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.
At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.
The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | vendors |
| **Data type** | Dictionary (nested preference) |
For each vendor, you can specify the desired permission level for devices from that vendor.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | Same as [Default permission level](#default-permission-level) |
Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | products |
| **Data type** | Dictionary (nested preference) |
For each product, you can specify the desired permission level for that product.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | Same as [Default permission level](#default-permission-level) |
Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.
The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | serialNumbers |
| **Data type** | Dictionary (nested preference) |
For each serial number, you can specify the desired permission level.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | permission |
| **Data type** | Array of strings |
| **Possible values** | Same as [Default permission level](#default-permission-level) |
#### Example device control policy
The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>deviceControl</key>
<dict>
<key>navigationTarget</key>
<string>[custom URL for notifications]</string>
<key>removableMediaPolicy</key>
<dict>
<key>enforcementLevel</key>
<string>[enforcement level]</string> <!-- audit / block -->
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>vendors</key>
<dict>
<key>[vendor id]</key>
<dict>
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>products</key>
<dict>
<key>[product id]</key>
<dict>
<key>permission</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<key>serialNumbers</key>
<dict>
<key>[serial-number]</key>
<array>
<string>[permission]</string> <!-- none / read / write / execute -->
<!-- other permissions -->
</array>
<!-- other serial numbers -->
</dict>
</dict>
<!-- other products -->
</dict>
</dict>
<!-- other vendors -->
</dict>
</dict>
</dict>
</dict>
</plist>
```
We have included more examples of device control policies in the following documents:
- [Examples of device control policies for Intune](mac-device-control-intune.md)
- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
#### Look up device identifiers
To find the vendor ID, product ID, and serial number of a USB device:
1. Log into a Mac device.
1. Plug in the USB device for which you want to look up the identifiers.
1. In the top-level menu of macOS, select **About This Mac**.
![About this Mac](images/mac-device-control-lookup-1.png)
1. Select **System Report**.
![System Report](images/mac-device-control-lookup-2.png)
1. From the left column, select **USB**.
![View of all USB devices](images/mac-device-control-lookup-3.png)
1. Under **USB Device Tree**, navigate to the USB device that you plugged in.
![Details of a USB device](images/mac-device-control-lookup-4.png)
1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.
#### Discover USB devices in your organization
You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.
```
DeviceEvents
| where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"
| where DeviceId == "<device ID>"
```
## Device control policy deployment
The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment).
## Troubleshooting tips
After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:
```bash
mdatp device-control removable-media policy list
```
This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.
On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.
```bash
mdatp device-control removable-media devices list
```
Example of output:
```Output
.Device(s)
|-o Name: Untitled 1, Permission ["read", "execute"]
| |-o Vendor: General "fff0"
| |-o Product: USB Flash Disk "1000"
| |-o Serial number: "04ZSSMHI2O7WBVOA"
| |-o Mount point: "/Volumes/TESTUSB"
```
In the above example, there is only one removable media device plugged in and it has `read` and `execute` permissions, according to the device control policy that was delivered to the device.
## Related topics
- [Examples of device control policies for Intune](mac-device-control-intune.md)
- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
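Review bot: the serial-number level of the example plist disagrees with the schema tables above it. In the example, each `[serial-number]` key holds the permission `<array>` directly, whereas at the vendor and product levels the key holds a `<dict>` with a `permission` entry, and the table under "For each serial number, you can specify the desired permission level" documents a `permission` key of type array of strings. Either the example should gain the intermediate `<dict><key>permission</key>` or that table should go, otherwise a reader following one half will author a policy that `mdatp device-control removable-media policy list` may report as `Policy is empty`. Two smaller points: the first checklist item under Requirements has lost its spaces ("MicrosoftDefenderfor Endpointentitlement(can betrial)"), and the example output under Troubleshooting tips shows a vendor of "fff0" and product "1000" while the Look up device identifiers step says "vendor ID is `1000` and product ID is `090c`"; a sentence noting these are different devices would avoid readers thinking the IDs were transposed.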

@ -75,12 +75,12 @@ You'll need to take the following steps:
1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
![Image of file](images/plist-onboarding-file.png)
![Image of WindowsDefenderATPOnboarding file](images/plist-onboarding-file.png)
2. In the Jamf Pro dashboard, select **New**.
![Image of Jamf Pro dashboard](images/jamf-pro-configure-profile.png)
![Image of creating a new Jamf Pro dashboard](images/jamf-pro-configure-profile.png)
3. Enter the following details:
@ -93,13 +93,13 @@ You'll need to take the following steps:
4. In **Application & Custom Settings** select **Configure**.
![Image of configuration profile](images/jamfpro-mac-profile.png)
![Image of configurate app and custom settings](images/jamfpro-mac-profile.png)
5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
![Image of upload file](images/jamfpro-plist-upload.png)
![Image of jamfpro plist upload file](images/jamfpro-plist-upload.png)
![Image of upload file](images/jamfpro-plist-file.png)
![Image of upload file property List file](images/jamfpro-plist-file.png)
7. Select **Open** and select the onboarding file.
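Review bot: typo in the new alt text at step 4, "Image of configurate app and custom settings" should read "Image of configuring Application & Custom Settings". In step 5 the two screenshots now carry near-identical alt text ("jamfpro plist upload file" and "upload file property List file"); since the point of this change is descriptive alt text, name what each actually shows, for instance the Preference Domain field versus the file picker.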
@ -118,17 +118,17 @@ You'll need to take the following steps:
![Image of target computers](images/jamfpro-target-computer.png)
![Image of target computers](images/jamfpro-targets.png)
![Image of targets](images/jamfpro-targets.png)
11. Select **Save**.
![Image of target computers](images/jamfpro-deployment-target.png)
![Image of deployment target computers](images/jamfpro-deployment-target.png)
![Image of target computers selected](images/jamfpro-target-selected.png)
12. Select **Done**.
![Image of target computers](images/jamfpro-target-group.png)
![Image of target group computers](images/jamfpro-target-group.png)
![List of configuration profiles](images/jamfpro-configuration-policies.png)
@ -268,7 +268,7 @@ You'll need to take the following steps:
3. In the Jamf Pro dashboard, select **General**.
![Image of Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png)
![Image of the new Jamf Pro dashboard](images/644e0f3af40c29e80ca1443535b2fe32.png)
4. Enter the following details:
@ -280,64 +280,64 @@ You'll need to take the following steps:
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
![Image of configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
![Image of MDATP MDAV configuration settings](images/3160906404bc5a2edf84d1d015894e3b.png)
5. In **Application & Custom Settings** select **Configure**.
![Image of configuration settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png)
![Image of app and custom settings](images/e1cc1e48ec9d5d688087b4d771e668d2.png)
6. Select **Upload File (PLIST file)**.
![Image of configuration settings](images/6f85269276b2278eca4bce84f935f87b.png)
![Image of configuration settings plist file](images/6f85269276b2278eca4bce84f935f87b.png)
7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**.
![Image of configuration settings](images/db15f147dd959e872a044184711d7d46.png)
![Image of configuration settings preferences domain](images/db15f147dd959e872a044184711d7d46.png)
8. Select **Choose File**.
![Image of configuration settings](images/526e978761fc571cca06907da7b01fd6.png)
![Image of configuration settings choose file](images/526e978761fc571cca06907da7b01fd6.png)
9. Select the **MDATP_MDAV_configuration_settings.plist**, then select **Open**.
![Image of configuration settings](images/98acea3750113b8dbab334296e833003.png)
![Image of mdatpmdav configuration settings](images/98acea3750113b8dbab334296e833003.png)
10. Select **Upload**.
![Image of configuration settings](images/0adb21c13206861ba9b30a879ade93d3.png)
![Image of configuration setting upload](images/0adb21c13206861ba9b30a879ade93d3.png)
![Image of configuration settings](images/f624de59b3cc86e3e2d32ae5de093e02.png)
![Image of configuration settings upload image](images/f624de59b3cc86e3e2d32ae5de093e02.png)
>[!NOTE]
>If you happen to upload the Intune file, you'll get the following error:<br>
>![Image of configuration settings](images/8e69f867664668796a3b2904896f0436.png)
>![Image of configuration settings intune file upload](images/8e69f867664668796a3b2904896f0436.png)
11. Select **Save**.
![Image of configuration settings](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
![Image of configuration settings Save image](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
12. The file is uploaded.
![Image of configuration settings](images/33e2b2a1611fdddf6b5b79e54496e3bb.png)
![Image of configuration settings file uploaded image](images/33e2b2a1611fdddf6b5b79e54496e3bb.png)
![Image of configuration settings](images/a422e57fe8d45689227e784443e51bd1.png)
![Image of configuration settings file uploaded](images/a422e57fe8d45689227e784443e51bd1.png)
13. Select the **Scope** tab.
![Image of configuration settings](images/9fc17529e5577eefd773c658ec576a7d.png)
![Image of configuration settings scope](images/9fc17529e5577eefd773c658ec576a7d.png)
14. Select **Contoso's Machine Group**.
15. Select **Add**, then select **Save**.
![Image of configuration settings](images/cf30438b5512ac89af1d11cbf35219a6.png)
![Image of configuration settings addsav](images/cf30438b5512ac89af1d11cbf35219a6.png)
![Image of configuration settings](images/6f093e42856753a3955cab7ee14f12d9.png)
![Image of configuration settings save add](images/6f093e42856753a3955cab7ee14f12d9.png)
16. Select **Done**. You'll see the new **Configuration profile**.
![Image of configuration settings](images/dd55405106da0dfc2f50f8d4525b01c8.png)
![Image of configuration settings config profile image](images/dd55405106da0dfc2f50f8d4525b01c8.png)
## Step 4: Configure notifications settings
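Review bot: several of the new alt texts in this hunk are abbreviations a screen reader will read out literally, which defeats the purpose of the change: "Image of configuration settings addsav" (step 15), "Image of mdatpmdav configuration settings" (step 9) and "Image of MDATP MDAV configuration settings" (step 4). Spell them out, e.g. "Image of the Add and Save buttons on the Scope tab" and "Image of the MDATP_MDAV_configuration_settings.plist file selected in the file picker".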
@ -360,45 +360,45 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically(default)
- Level: Computer Level(default)
![Image of configuration settings](images/c9820a5ff84aaf21635c04a23a97ca93.png)
![Image of configuration settings mdatpmdav](images/c9820a5ff84aaf21635c04a23a97ca93.png)
5. Select **Upload File (PLIST file)**.
![Image of configuration settings](images/7f9138053dbcbf928e5182ee7b295ebe.png)
![Image of configuration settings upload plistfile](images/7f9138053dbcbf928e5182ee7b295ebe.png)
6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
![Image of configuration settings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png)
![Image of configuration settings mdatpmdav notsettings](images/4bac6ce277aedfb4a674f2d9fcb2599a.png)
![Image of configuration settings](images/20e33b98eb54447881dc6c89e58b890f.png)
![Image of configuration settings mdatpmdav notifsettings](images/20e33b98eb54447881dc6c89e58b890f.png)
7. Select **Open** > **Upload**.
![Image of configuration settings](images/7697c33b9fd376ae5a8023d01f9d3857.png)
![Image of configuration settings upl img](images/7697c33b9fd376ae5a8023d01f9d3857.png)
![Image of configuration settings](images/2bda9244ec25d1526811da4ea91b1c86.png)
![Image of configuration settings upl image](images/2bda9244ec25d1526811da4ea91b1c86.png)
8. Select the **Scope** tab, then select **Add**.
![Image of configuration settings](images/441aa2ecd36abadcdd8aed03556080b5.png)
![Image of configuration settings scope add](images/441aa2ecd36abadcdd8aed03556080b5.png)
9. Select **Contoso's Machine Group**.
10. Select **Add**, then select **Save**.
![Image of configuration settings](images/09a275e321268e5e3ac0c0865d3e2db5.png)
![Image of configuration settings contoso machine grp save](images/09a275e321268e5e3ac0c0865d3e2db5.png)
![Image of configuration settings](images/4d2d1d4ee13d3f840f425924c3df0d51.png)
![Image of configuration settings add save](images/4d2d1d4ee13d3f840f425924c3df0d51.png)
11. Select **Done**. You'll see the new **Configuration profile**.
![Image of configuration setting](images/633ad26b8bf24ec683c98b2feb884bdf.png)
![Image of configuration setting done img](images/633ad26b8bf24ec683c98b2feb884bdf.png)
## Step 5: Configure Microsoft AutoUpdate (MAU)
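Review bot: same problem with abbreviated alt text here: "upl img", "upl image", "mdatpmdav notsettings", "mdatpmdav notifsettings", "contoso machine grp save" and "done img". Use full phrases that describe the screenshot, e.g. "Image of the Upload button" and "Image of MDATP_MDAV_Notification_Settings.plist selected". Two alt texts that differ only by "img" versus "image" (steps 7 and 11) also suggest the two screenshots were not looked at individually.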
@ -410,7 +410,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>Production</string>
<string>Current</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
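Review bot: the `ChannelName` value in the sample plist changes from `Production` to `Current`, but nothing in the hunk tells the reader what `Current` means or that it replaces `Production`, and the device control document added in this same commit requires the `Beta` (formerly `InsiderFast`) channel and uses `defaults write com.microsoft.autoupdate2 ChannelName -string Beta`. Add a sentence next to this sample explaining the channel names, as the device control doc does for the InsiderFast to Beta rename, and pointing readers who deploy device control to that requirement, so the two documents do not send admins in opposite directions.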
@ -427,7 +427,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
3. In the Jamf Pro dashboard, select **General**.
![Image of configuration setting](images/eaba2a23dd34f73bf59e826217ba6f15.png)
![Image of configuration setting general image](images/eaba2a23dd34f73bf59e826217ba6f15.png)
4. Enter the following details:
@ -441,54 +441,54 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
5. In **Application & Custom Settings** select **Configure**.
![Image of configuration setting](images/1f72e9c15eaafcabf1504397e99be311.png)
![Image of configuration setting app and custom settings](images/1f72e9c15eaafcabf1504397e99be311.png)
6. Select **Upload File (PLIST file)**.
![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png)
![Image of configuration setting plist](images/1213872db5833aa8be535da57653219f.png)
7. In **Preference Domain** enter: `com.microsoft.autoupdate2`, then select **Upload PLIST File**.
![Image of configuration setting](images/1213872db5833aa8be535da57653219f.png)
![Image of configuration setting pref domain](images/1213872db5833aa8be535da57653219f.png)
8. Select **Choose File**.
![Image of configuration setting](images/335aff58950ce62d1dabc289ecdce9ed.png)
![Image of configuration setting choosefile](images/335aff58950ce62d1dabc289ecdce9ed.png)
9. Select **MDATP_MDAV_MAU_settings.plist**.
![Image of configuration setting](images/a26bd4967cd54bb113a2c8d32894c3de.png)
![Image of configuration setting mdatpmdavmau settings](images/a26bd4967cd54bb113a2c8d32894c3de.png)
10. Select **Upload**.
![Image of configuration setting](images/4239ca0528efb0734e4ca0b490bfb22d.png)
![Image of configuration setting uplimage](images/4239ca0528efb0734e4ca0b490bfb22d.png)
![Image of configuration setting](images/4ec20e72c8aed9a4c16912e01692436a.png)
![Image of configuration setting uplimg](images/4ec20e72c8aed9a4c16912e01692436a.png)
11. Select **Save**.
![Image of configuration setting](images/253274b33e74f3f5b8d475cf8692ce4e.png)
![Image of configuration setting saveimg](images/253274b33e74f3f5b8d475cf8692ce4e.png)
12. Select the **Scope** tab.
![Image of configuration setting](images/10ab98358b2d602f3f67618735fa82fb.png)
![Image of configuration setting scopetab](images/10ab98358b2d602f3f67618735fa82fb.png)
13. Select **Add**.
![Image of configuration setting](images/56e6f6259b9ce3c1706ed8d666ae4947.png)
![Image of configuration setting addimg1](images/56e6f6259b9ce3c1706ed8d666ae4947.png)
![Image of configuration setting](images/38c67ee1905c4747c3b26c8eba57726b.png)
![Image of configuration setting addimg2](images/38c67ee1905c4747c3b26c8eba57726b.png)
![Image of configuration setting](images/321ba245f14743c1d5d51c15e99deecc.png)
![Image of configuration setting addimg3](images/321ba245f14743c1d5d51c15e99deecc.png)
14. Select **Done**.
![Image of configuration setting](images/ba44cdb77e4781aa8b940fb83e3c21f7.png)
![Image of configuration setting doneimage](images/ba44cdb77e4781aa8b940fb83e3c21f7.png)
## Step 6: Grant full disk access to Microsoft Defender for Endpoint
1. In the Jamf Pro dashboard, select **Configuration Profiles**.
![Image of configuration setting](images/264493cd01e62c7085659d6fdc26dc91.png)
![Image of configuration setting config profile](images/264493cd01e62c7085659d6fdc26dc91.png)
2. Select **+ New**.
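Review bot: steps 6 and 7 reference the same screenshot file, `images/1213872db5833aa8be535da57653219f.png`, while their new alt texts claim to show different things ("plist" and "pref domain"); one of the two is almost certainly the wrong file, and relabelling the alt text hides that rather than fixing it. The remaining alt texts in this hunk ("uplimage", "uplimg", "saveimg", "scopetab", "addimg1", "addimg2", "addimg3", "doneimage", "choosefile") are run-together abbreviations and should be readable phrases such as "Image of the Upload button".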
@ -502,11 +502,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Level: Computer level
![Image of configuration setting](images/ba3d40399e1a6d09214ecbb2b341923f.png)
![Image of configuration setting general](images/ba3d40399e1a6d09214ecbb2b341923f.png)
4. In **Configure Privacy Preferences Policy Control** select **Configure**.
![Image of configuration setting](images/715ae7ec8d6a262c489f94d14e1e51bb.png)
![Image of configuration privacy policy control](images/715ae7ec8d6a262c489f94d14e1e51bb.png)
5. In **Privacy Preferences Policy Control**, enter the following details:
@ -514,12 +514,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Identifier Type: Bundle ID
- Code Requirement: `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`
![Image of configuration setting](images/22cb439de958101c0a12f3038f905b27.png)
6. Select **+ Add**.
![Image of configuration setting](images/bd93e78b74c2660a0541af4690dd9485.png)
![Image of configuration setting add system policy all files](images/bd93e78b74c2660a0541af4690dd9485.png)
- Under App or service: Set to **SystemPolicyAllFiles**
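Review bot: this hunk drops the screenshot that followed the Code Requirement line in step 5 (`images/22cb439de958101c0a12f3038f905b27.png`) without a replacement, the only place in the change that removes rather than relabels an image. If the screenshot was outdated, say so; if it was removed by accident, restore it, since step 5 is otherwise the one step in this section left without an illustration.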
@ -527,11 +526,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
7. Select **Save** (not the one at the bottom right).
![Image of configuration setting](images/6de50b4a897408ddc6ded56a09c09fe2.png)
![Image of configuration setting save images](images/6de50b4a897408ddc6ded56a09c09fe2.png)
8. Click the `+` sign next to **App Access** to add a new entry.
![Image of configuration setting](images/tcc-add-entry.png)
![Image of configuration setting app access](images/tcc-add-entry.png)
9. Enter the following details:
@ -541,7 +540,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
10. Select **+ Add**.
![Image of configuration setting](images/tcc-epsext-entry.png)
![Image of configuration setting tcc epsext entry](images/tcc-epsext-entry.png)
- Under App or service: Set to **SystemPolicyAllFiles**
@ -549,19 +548,19 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
11. Select **Save** (not the one at the bottom right).
![Image of configuration setting](images/tcc-epsext-entry2.png)
![Image of configuration setting tcc epsext image2](images/tcc-epsext-entry2.png)
12. Select the **Scope** tab.
![Image of configuration setting](images/2c49b16cd112729b3719724f581e6882.png)
![Image of configuration setting scope](images/2c49b16cd112729b3719724f581e6882.png)
13. Select **+ Add**.
![Image of configuration setting](images/57cef926d1b9260fb74a5f460cee887a.png)
![Image of configuration setting addimage](images/57cef926d1b9260fb74a5f460cee887a.png)
14. Select **Computer Groups** > under **Group Name** > select **Contoso's MachineGroup**.
![Image of configuration setting](images/368d35b3d6179af92ffdbfd93b226b69.png)
![Image of configuration setting contoso machinegrp](images/368d35b3d6179af92ffdbfd93b226b69.png)
15. Select **Add**.
@ -569,9 +568,9 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
17. Select **Done**.
![Image of configuration setting](images/809cef630281b64b8f07f20913b0039b.png)
![Image of configuration setting donimg](images/809cef630281b64b8f07f20913b0039b.png)
![Image of configuration setting](images/6c8b406ee224335a8c65d06953dc756e.png)
![Image of configuration setting donimg2](images/6c8b406ee224335a8c65d06953dc756e.png)
## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint
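Review bot: "donimg" and "donimg2" in the step 17 alt texts are not words; use "Image of the Done button" and a description of what the second screenshot shows (for example the saved Full Disk Access profile).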
@ -590,11 +589,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically
- Level: Computer Level
![Image of configuration settings](images/24e290f5fc309932cf41f3a280d22c14.png)
![Image of configuration settings mdatpmdav kernel](images/24e290f5fc309932cf41f3a280d22c14.png)
3. In **Configure Approved Kernel Extensions** select **Configure**.
![Image of configuration settings](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
![Image of configuration settings approved kernel ext](images/30be88b63abc5e8dde11b73f1b1ade6a.png)
4. In **Approved Kernel Extensions** Enter the following details:
@ -602,11 +601,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Display Name: Microsoft Corp.
- Team ID: UBF8T346G9
![Image of configuration settings](images/39cf120d3ac3652292d8d1b6d057bd60.png)
![Image of configuration settings appr kernel extension](images/39cf120d3ac3652292d8d1b6d057bd60.png)
5. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
![Image of configuration settings scope tab img](images/0df36fc308ba569db204ee32db3fb40a.png)
6. Select **+ Add**.
@ -614,15 +613,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
8. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
![Image of configuration settings add images](images/0dde8a4c41110dbc398c485433a81359.png)
9. Select **Save**.
![Image of configuration settings](images/0add8019b85a453b47fa5c402c72761b.png)
![Image of configuration settings saveimag](images/0add8019b85a453b47fa5c402c72761b.png)
10. Select **Done**.
![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png)
![Image of configuration settings doneimag](images/1c9bd3f68db20b80193dac18f33c22d0.png)
## Step 8: Approve System extensions for Microsoft Defender for Endpoint
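Review bot: "saveimag" and "doneimag" (steps 9 and 10) are truncated; write "Image of the Save button" and "Image of the Done button". The `0dde8a4c41110dbc398c485433a81359.png` screenshot is reused for the Add step in this hunk and in the System Extensions and Network Extension sections below, where it gets "add images", "addima" and "adim" respectively; one screenshot should have one alt text.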
@ -641,11 +640,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- Distribution Method: Install Automatically
- Level: Computer Level
![Image of configuration settings](images/sysext-new-profile.png)
![Image of configuration settings sysext new prof](images/sysext-new-profile.png)
3. In **System Extensions** select **Configure**.
![Image of configuration settings](images/sysext-configure.png)
![Image of configuration settings sysext config](images/sysext-configure.png)
4. In **System Extensions** enter the following details:
@ -656,11 +655,11 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
- **com.microsoft.wdav.epsext**
- **com.microsoft.wdav.netext**
![Image of configuration settings](images/sysext-configure2.png)
![Image of configuration settings sysextconfig2](images/sysext-configure2.png)
5. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
![Image of configuration settings scopeimage](images/0df36fc308ba569db204ee32db3fb40a.png)
6. Select **+ Add**.
@ -668,15 +667,15 @@ These steps are applicable of macOS 10.15 (Catalina) or newer.
8. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
![Image of configuration settings addima](images/0dde8a4c41110dbc398c485433a81359.png)
9. Select **Save**.
![Image of configuration settings](images/sysext-scope.png)
![Image of configuration settings sysext scope](images/sysext-scope.png)
10. Select **Done**.
![Image of configuration settings](images/sysext-final.png)
![Image of configuration settings sysext-final](images/sysext-final.png)
## Step 9: Configure Network Extension
@ -704,19 +703,19 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
5. Select **Choose File** and select `microsoft.network-extension.signed.mobileconfig`.
![Image of upload window](images/netext-choose-file.png)
![Image of upload window netext choose file](images/netext-choose-file.png)
6. Select **Upload**.
![Image of upload window](images/netext-upload-file2.png)
![Image of upload window netext upload file2](images/netext-upload-file2.png)
7. After uploading the file, you are redirected to a new page to finalize the creation of this profile.
![Image of new configuration profile](images/netext-profile-page.png)
![Image of new configuration profile netext profile page](images/netext-profile-page.png)
8. Select the **Scope** tab.
![Image of configuration settings](images/0df36fc308ba569db204ee32db3fb40a.png)
![Image of configuration settings sco tab](images/0df36fc308ba569db204ee32db3fb40a.png)
9. Select **+ Add**.
@ -724,15 +723,15 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
11. Select **+ Add**.
![Image of configuration settings](images/0dde8a4c41110dbc398c485433a81359.png)
![Image of configuration settings adim](images/0dde8a4c41110dbc398c485433a81359.png)
12. Select **Save**.
![Image of configuration settings](images/netext-scope.png)
![Image of configuration settings savimg netextscop](images/netext-scope.png)
13. Select **Done**.
![Image of configuration settings](images/netext-final.png)
![Image of configuration settings netextfinal](images/netext-final.png)
## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
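Review bot: "adim", "savimg netextscop" and "netextfinal" in this hunk are neither words nor descriptions; `![Image of configuration settings savimg netextscop]` in particular will be read aloud as nonsense. Use the step text already on the page ("Scope tab with the added target", "Network extension profile summary after Done") for the alt text.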
@ -741,22 +740,22 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
1. Navigate to where you saved `wdav.pkg`.
![Image of file explorer](images/8dde76b5463047423f8637c86b05c29d.png)
![Image of file explorer wdav pkg](images/8dde76b5463047423f8637c86b05c29d.png)
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
![Image of file explorer](images/fb2220fed3a530f4b3ef36f600da0c27.png)
![Image of file explorer1 wdavmdmpkg](images/fb2220fed3a530f4b3ef36f600da0c27.png)
3. Open the Jamf Pro dashboard.
![Image of configuration settings](images/990742cd9a15ca9fdd37c9f695d1b9f4.png)
![Image of configuration settings jamfpro](images/990742cd9a15ca9fdd37c9f695d1b9f4.png)
4. Select your computer and click the gear icon at the top, then select **Computer Management**.
![Image of configuration settings](images/b6d671b2f18b89d96c1c8e2ea1991242.png)
![Image of configuration settings compmgmt](images/b6d671b2f18b89d96c1c8e2ea1991242.png)
5. In **Packages**, select **+ New**.
![A picture containing bird Description automatically generated](images/57aa4d21e2ccc65466bf284701d4e961.png)
![A picture containing bird Description automatically generated package new](images/57aa4d21e2ccc65466bf284701d4e961.png)
6. In **New Package** Enter the following details:
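Review bot: `![A picture containing bird Description automatically generated package new]` is auto-generated alt text from an Office image tool that should not reach published docs; the screenshot is the **Packages** page with **+ New**, so say that. "file explorer1 wdavmdmpkg", "jamfpro" and "compmgmt" in the same hunk have the same problem as the other alt-text edits in this commit: they are unique tokens, not descriptions.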
@ -765,7 +764,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
- Category: None (default)
- Filename: Choose File
![Image of configuration settings](images/21de3658bf58b1b767a17358a3f06341.png)
![Image of configuration settings general tab](images/21de3658bf58b1b767a17358a3f06341.png)
Open the file and point it to `wdav.pkg` or `wdav_MDM_Contoso_200329.pkg`.
@ -779,75 +778,75 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
**Limitations tab**<br> Keep default values.
![Image of configuration settings](images/56dac54634d13b2d3948ab50e8d3ef21.png)
![Image of configuration settings limitation tab](images/56dac54634d13b2d3948ab50e8d3ef21.png)
8. Select **Save**. The package is uploaded to Jamf Pro.
![Image of configuration settings](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
![Image of configuration settings pack upl jamf pro](images/33f1ecdc7d4872555418bbc3efe4b7a3.png)
It can take a few minutes for the package to be available for deployment.
![Image of configuration settings](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
![Image of configuration settings pack upl](images/1626d138e6309c6e87bfaab64f5ccf7b.png)
9. Navigate to the **Policies** page.
![Image of configuration settings](images/f878f8efa5ebc92d069f4b8f79f62c7f.png)
![Image of configuration settings polocies](images/f878f8efa5ebc92d069f4b8f79f62c7f.png)
10. Select **+ New** to create a new policy.
![Image of configuration settings](images/847b70e54ed04787e415f5180414b310.png)
![Image of configuration settings new policy](images/847b70e54ed04787e415f5180414b310.png)
11. In **General** Enter the following details:
- Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
![Image of configuration settings](images/625ba6d19e8597f05e4907298a454d28.png)
![Image of configuration settingsmdatponboard ](images/625ba6d19e8597f05e4907298a454d28.png)
12. Select **Recurring Check-in**.
![Image of configuration settings](images/68bdbc5754dfc80aa1a024dde0fce7b0.png)
![Image of configuration settings recur checkin](images/68bdbc5754dfc80aa1a024dde0fce7b0.png)
13. Select **Save**.
14. Select **Packages > Configure**.
![Image of configuration settings](images/8fb4cc03721e1efb4a15867d5241ebfb.png)
![Image of configuration settings pack configure](images/8fb4cc03721e1efb4a15867d5241ebfb.png)
15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
![Image of configuration settings](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
![Image of configuration settings MDATP and MDA add](images/526b83fbdbb31265b3d0c1e5fbbdc33a.png)
16. Select **Save**.
![Image of configuration settings](images/9d6e5386e652e00715ff348af72671c6.png)
![Image of configuration settingssavimg](images/9d6e5386e652e00715ff348af72671c6.png)
17. Select the **Scope** tab.
![Image of configuration settings](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
![Image of configuration settings scptab](images/8d80fe378a31143db9be0bacf7ddc5a3.png)
18. Select the target computers.
![Image of configuration settings](images/6eda18a64a660fa149575454e54e7156.png)
![Image of configuration settings tgtcomp](images/6eda18a64a660fa149575454e54e7156.png)
**Scope**
Select **Add**.
![Image of configuration settings](images/1c08d097829863778d562c10c5f92b67.png)
![Image of configuration settings ad1img](images/1c08d097829863778d562c10c5f92b67.png)
![Image of configuration settings](images/216253cbfb6ae738b9f13496b9c799fd.png)
![Image of configuration settings ad2img](images/216253cbfb6ae738b9f13496b9c799fd.png)
**Self-Service**
![Image of configuration settings](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
![Image of configuration settings selfservice](images/c9f85bba3e96d627fe00fc5a8363b83a.png)
19. Select **Done**.
![Image of configuration settings](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
![Image of configuration settings do1img](images/99679a7835b0d27d0a222bc3fdaf7f3b.png)
![Image of configuration settings](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)
![Image of configuration settings do2img](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)
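Review bot: this hunk introduces a typo and several unreadable alt strings: `![Image of configuration settings polocies]` ("Policies"), `![Image of configuration settingsmdatponboard ]` (missing space, trailing space inside the brackets) and `![Image of configuration settingssavimg]`, plus "scptab", "tgtcomp", "ad1img"/"ad2img" and "do1img"/"do2img". Each screenshot sits under a step that already names what it shows (Policies page, new policy General tab, Scope tab, target computers, Self-Service, Done), so reuse that wording instead of abbreviations.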


@ -57,8 +57,100 @@ The following steps can be used to troubleshoot and mitigate these issues:
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md).
If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case, please contact customer support for further instructions and mitigation.
2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
3. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
1. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Mac.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the **Dogfood** and **InsiderFast** channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
mdatp config real-time-protection-statistics --value enabled
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
mdatp health --field real_time_protection_enabled
```
Verify that the **real_time_protection_enabled** entry is true. Otherwise, run the following command to enable it:
```bash
mdatp config real-time-protection --value enabled
```
```output
Configuration property updated
```
To collect current statistics, run:
```bash
mdatp config real-time-protection --value enabled
```
> [!NOTE]
> Using **--output json** (note the double dash) ensures that the output format is ready for parsing.
The output of this command will show all processes and their associated scan activity.
1. On your Mac system, download the sample Python parser high_cpu_parser.py using the command:
```bash
wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
```
The output of this command should be similar to the following:
```Output
--2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.
mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)| 151.101.xxx.xxx| :443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1020 [text/plain]
Saving to: 'high_cpu_parser.py'
100%[===========================================>] 1,020 --.-K/s in
0s
```
1. Next, type the following commands:
```bash
chmod +x high_cpu_parser.py
```
```bash
cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log
```
The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact.
For example, the output of the command will be something like the below:
```output
... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
27432 None 76703
73467 actool 1249
73914 xcodebuild 1081
73873 bash 1050
27475 None 836
1 launchd 407
73468 ibtool 344
549 telemetryd_v1 325
4764 None 228
125 CrashPlanService 164
```
To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
> [!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
1. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details.
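Review bot: the "To collect current statistics" step is wrong: `mdatp config real-time-protection --value enabled` is the same command the previous step uses to turn real-time protection on, so it re-enables the feature instead of collecting anything, it does not accept the `--output json` option the next note describes, and it never writes the `real_time_protection.json` file that the later step reads with `cat real_time_protection.json | python high_cpu_parser.py`. It should be the statistics-collection command redirected into that file, `mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json`. Other problems in the same hunk: the sample download output shows `microsoft.` and `linus/diagnostic`, which do not match the URL in the command above it; `wget` is not shipped with macOS, so `curl -O` is the portable choice on a Mac page; fetching a script from `master` and executing it is a supply-chain risk in an admin procedure, so the text should at least tell the reader to pin a commit and read the script before `chmod +x`; "te process name" should be "the process name" and "Total files scanned row" is the third column, not a row; step 3 (L1837) and the closing step 1 (L1904) say the same thing, and the second list restarts numbering at 1; and the exclusions link in the middle of the hunk points to `linux-exclusions.md` while the closing sentence correctly points to `mac-exclusions.md`. Since `python` may resolve to Python 2 or be absent on current macOS, `python3` is the safer invocation.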


@ -55,7 +55,7 @@ These steps assume you already have Defender for Endpoint running on your device
If your device isn't already in the Insider Fast update channel, execute the following command from the Terminal. The channel update takes effect the next time the product starts (when the next product update is installed, or when the device is rebooted).
```bash
defaults write com.microsoft.autoupdate2 ChannelName -string InsiderFast
defaults write com.microsoft.autoupdate2 ChannelName -string Beta
```
Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
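Review bot: the command now writes `Beta`, but the unchanged context line directly above it still says "If your device isn't already in the Insider Fast update channel"; update the sentence to the new channel name (or add the "formerly Insider Fast" mapping) so the instruction and the command agree.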


@ -57,19 +57,27 @@ This section describes the most common preferences that can be used to configure
### Set the channel name
The channel determines the type and frequency of updates that are offered through MAU. Devices in `InsiderFast` (corresponding to the Insider Fast channel) can try out new features before devices in `External` (corresponding to the Insider Slow channel) and `Production`.
The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`.
The `Production` channel contains the most stable version of the product.
The `Current` channel contains the most stable version of the product.
>[!IMPORTANT]
> Prior to Microsoft AutoUpdate version 4.29, channels had different names:
>
> - `Beta` was named `InsiderFast` (Insider Fast)
> - `Preview` was named `External` (Insider Slow)
> - `Current` was named `Production`
>[!TIP]
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `InsiderFast` or `External`.
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | ChannelName |
| **Data type** | String |
| **Possible values** | InsiderFast <br/> External <br/> Production |
| **Possible values** | Beta <br/> Preview <br/> Current |
|||
>[!WARNING]
>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
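Review bot: the IMPORTANT block records the rename at Microsoft AutoUpdate 4.29 but does not say what happens on a device still running an older MAU when a profile sets `ChannelName` to `Beta`, `Preview` or `Current`, nor whether the old strings (`InsiderFast`, `External`, `Production`) remain accepted on 4.29 and later. An administrator pushing one profile to a mixed fleet needs that answer before switching; a sentence covering both directions belongs in the same block.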
@ -82,62 +90,67 @@ The `Production` channel contains the most stable version of the product.
Change how often MAU searches for updates.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | UpdateCheckFrequency |
| **Data type** | Integer |
| **Default value** | 720 (minutes) |
| **Comment** | This value is set in minutes. |
|||
### Change how MAU interacts with updates
Change how MAU searches for updates.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | HowToCheck |
| **Data type** | String |
| **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
|||
### Change whether the "Check for Updates" button is enabled
Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | EnableCheckForUpdatesButton |
| **Data type** | Boolean |
| **Possible values** | True (default) <br/> False |
|||
### Disable Insider checkbox
Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | DisableInsiderCheckbox |
| **Data type** | Boolean |
| **Possible values** | False (default) <br/> True |
|||
### Limit the telemetry that is sent from MAU
Set to false to send minimal heartbeat data, no application usage, and no environment details.
|||
|:---|:---|
|:--|:--|
| **Domain** | com.microsoft.autoupdate2 |
| **Key** | SendAllTelemetryEnabled |
| **Data type** | Boolean |
| **Possible values** | True (default) <br/> False |
|||
## Example configuration profile
The following configuration profile is used to:
- Place the device in the Insider Fast channel
- Place the device in the Beta channel
- Automatically download and install updates
- Enable the "Check for updates" button in the user interface
- Allow users on the device to enroll into the Insider channels
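Review bot: under "### Change how MAU interacts with updates", the description line "Change how MAU searches for updates." repeats the wording of the previous section (update check frequency) and does not describe the three `HowToCheck` values; replace it with a sentence that says the key selects Manual, AutomaticCheck or AutomaticDownload, and that only the last one installs silently (the table comment already says so). The `|:---|` to `|:--|` table changes are cosmetic and fine.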
@ -150,7 +163,7 @@ The following configuration profile is used to:
<plist version="1.0">
<dict>
<key>ChannelName</key>
<string>InsiderFast</string>
<string>Beta</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>
@ -210,7 +223,7 @@ The following configuration profile is used to:
<key>PayloadEnabled</key>
<true/>
<key>ChannelName</key>
<string>InsiderFast</string>
<string>Beta</string>
<key>HowToCheck</key>
<string>AutomaticDownload</string>
<key>EnableCheckForUpdatesButton</key>


@ -36,6 +36,11 @@ ms.technology: mde
> [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) has been discontinued on February 15th, 2021.
## 101.23.64 (20.121021.12364.0)
- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus`
- Performance improvements & bug fixes
## 101.22.79 (20.121012.12279.0)
- Performance improvements & bug fixes


@ -40,20 +40,22 @@ This managed threat hunting service provides expert-driven insights and data thr
> [!NOTE]
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
If you're a Microsoft Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis that help identify the most critical threats so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries.
If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.
To enroll to Microsoft Threat Experts - Targeted Attack Notifications benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts - Targeted Attack Notifications** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications.
Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries that your organization is facing.
See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
## Targeted attack notification
Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. These notifications shows up as a new alert. The managed hunting service includes:
## Microsoft Threat Experts - Targeted attack notification
Microsoft Threat Experts - Targeted attack notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. These notifications shows up as a new alert. The managed hunting service includes:
- Threat monitoring and analysis, reducing dwell time and risk to the business
- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
- Identifying the most important risks, helping SOCs maximize time and energy
- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.
## Collaborate with experts, on demand
## Microsoft Threat Experts - Experts on Demand
Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
- Get additional clarification on alerts including root cause or scope of the incident
- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker
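Review bot: grammar and naming are inconsistent within this hunk. "These notifications shows up as a new alert" should be "These notifications show up as new alerts", and the new heading "## Microsoft Threat Experts - Targeted attack notification" (singular, lowercase) does not match the bolded product name "**Microsoft Threat Experts - Targeted Attack Notifications**" used two paragraphs earlier in the same hunk; pick one form and use it in the heading, the first sentence under it and the settings path.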


@ -31,6 +31,11 @@ ms.date: 03/08/2021
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported on Windows, beginning with Windows 10, version 1709.
Network Protection is not yet supported on other operating systems. To learn which Web Protection functionality is supported using the Edge (Chromium) browser, see [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to find out which Web Protection functionality is supported using the Edge (Chromium) browser.
Network Protection extends the protection in [Web protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview) to an OS level and would thus provide Web protection functionality in Edge to other supported browsers as well as non-browser applications.
In addition, Network Protection provides visibility and blocking of Indicators of Compromise (IOCs) when used with [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) including the enforcement of your [custom indicator list](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
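Review bot: the new sentence "Network Protection is not yet supported on other operating systems. To learn which Web Protection functionality is supported using the Edge (Chromium) browser, see [Web protection](...) to find out which Web Protection functionality is supported using the Edge (Chromium) browser." contains the same clause twice; drop the trailing "to find out which ... browser". Also "HTTP(s)" in the first paragraph should be "HTTP(S)".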
@ -88,6 +93,23 @@ This procedure creates a custom view that filters to only show the following eve
| 1125 | Event when network protection fires in audit mode |
| 1126 | Event when network protection fires in block mode |
## Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session
Due to the multi-user nature of this operating system, please observe the following:
1. Network Protection is a machine-wide feature and cannot be targeted to specific user (sessions).
2. This applies to Web content filtering policies as well.
3. If differentiation between user groups is required, consider creating separate Windows Virtual Desktop host pools and assignments.
4. Test Network Protection in audit mode to test behavior before blocking.
5. Due to the multi-user nature, you may consider resizing your deployment accordingly.
Alternative option:
For Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Desktop on Azure, Network protection for Microsoft Edge can be enabled using the following method:
1. Use Turn on network protection - Windows security | Microsoft Docs and follow the instructions to apply your policy
2. Execute the following PowerShell command: Set-MpPreference -AllowNetworkProtectionOnWinServer 1
## Related articles
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.
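Review bot: step 1 of the alternative option, "Use Turn on network protection - Windows security | Microsoft Docs and follow the instructions to apply your policy", is a pasted browser tab title with no link; make it a Markdown link to the enable-network-protection article that the page already references. Step 2's `Set-MpPreference -AllowNetworkProtectionOnWinServer 1` should be in a fenced `powershell` block, run from an elevated prompt, and is clearer with `$true` than `1`. The numbered "considerations" list mixes statements with instructions: item 2 ("This applies to Web content filtering policies as well") is a qualifier of item 1, not a separate consideration, and item 5 ("you may consider resizing your deployment accordingly") does not say what to resize or why; either state the resource impact or drop it.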


@ -31,14 +31,11 @@ ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities.
> [!TIP]
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
>[!TIP]
@ -64,14 +61,6 @@ The following features are included in the preview release:
- [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
- [Information protection](information-protection-in-windows-overview.md)<BR>
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender for Endpoint is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
>[!NOTE]
>Partially available from Windows 10, version 1809.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019) <BR> Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)


@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 20H2 (October 2020 Update)
- Windows 10 Version 2004 (May 2020 Update)
- Windows 10 Version 1909 (November 2019 Update)
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1607 (Anniversary Update)
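Review bot: the hunk silently drops "Windows 10 Version 1903 (May 2019 Update)" from the list of baselines in the toolkit. If the baseline was retired because that release is out of support, say so in a one-line note next to the list; administrators still holding 1903 devices will otherwise assume the baseline was removed by mistake.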


@ -10,11 +10,10 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/21/2019
ms.technology: mde
---
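Review bot: `ms.date: 05/21/2019` is deleted rather than updated, even though the same commit adds a new "How to configure settings for the CLSIDs" section below. Set the date to the publication date of this change instead of removing the field; the date is the only freshness signal readers have for a security-configuration article.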
@ -92,4 +91,65 @@ Example 3: Allows a specific COM object to register in PowerShell
</Value>
</Setting>
```
### How to configure settings for the CLSIDs
Given the following example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**):
Log Name: Microsoft-Windows-AppLocker/MSI and Script
Source: Microsoft-Windows-AppLocker
Date: 11/11/2020 1:18:11 PM
Event ID: 8036
Task Category: None
Level: Error
Keywords:
User: S-1-5-21-3340858017-3068726007-3466559902-3647
Computer: contoso.com
Description:
{f8d253d9-89a4-4daa-87b6-1168369f0b21} was prevented from running due to Config CI policy.
Event XML:
```XML
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-AppLocker" Guid="{cbda4dbf-8d5d-4f69-9578-be14aa540d22}" />
<EventID>8036</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000000</Keywords>
<TimeCreated SystemTime="2020-11-11T19:18:11.4029179Z" />
<EventRecordID>819347</EventRecordID>
<Correlation ActivityID="{61e3e871-adb0-0047-c9cc-e761b0add601}" />
<Execution ProcessID="21060" ThreadID="23324" />
<Channel>Microsoft-Windows-AppLocker/MSI and Script</Channel>
<Computer>contoso.com</Computer>
<Security UserID="S-1-5-21-3340858017-3068726007-3466559902-3647" />
</System>
<EventData>
<Data Name="IsApproved">false</Data>
<Data Name="CLSID">{f8d253d9-89a4-4daa-87b6-1168369f0b21}</Data>
</EventData>
</Event>
```
To add this CLSID to the existing policy, use the following steps:
1. Open PowerShell ISE with Administrative privileges.
2. Copy and edit this command, then run it from the admin PowerShell ISE. Consider the policy name to be `WDAC_policy.xml`.
```PowerShell
PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath <path to policy xml>\WDAC_policy.xml -Key 8856f961-340a-11d0-a96b-00c04fd705a2 -Provider WSH -Value True -ValueName EnterpriseDefinedClsId -ValueType Boolean
```
Once the command has been run, you will find that the following section is added to the policy XML.
```XML
<Settings>
<Setting Provider="WSH" Key="8856f961-340a-11d0-a96b-00c04fd705a2" ValueName="EnterpriseDefinedClsId">
<Value>
<Boolean>true</Boolean>
</Value>
</Setting>
```


@ -33,7 +33,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
@ -108,17 +108,17 @@ Windows PowerShell cmdlets have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements:
- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background
- Reason: Replaced with separate policies for foreground and background.
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
- Reason: Impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background
- Reason: Separated to foreground and background.
### Windows Update for Business
@ -182,7 +182,7 @@ Also see information about the exciting new Edge browser [here](https://blogs.wi
## Application settings
This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
This release enables explicit [Control over restarting apps at sign-in (Build 18965)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
## Windows Shell
@ -208,7 +208,7 @@ Windows Search is improved in several ways. For more information, see [Superchar
### Virtual Desktops
You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1.
There is a new [Update on Virtual Desktop renaming (Build 18975)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
### Bluetooth pairing
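Review bot: "There is a new [Update on Virtual Desktop renaming (Build 18975)](...), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely." announces a blog post rather than the feature, and the nested "where, instead of ..., you can now" clause is hard to read. Suggest keeping the original sentence and only updating the link target: "You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), instead of getting stuck with the system-issued names like Desktop 1."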
@ -216,13 +216,13 @@ Pairing Bluetooth devices with your computer will occur through notifications, s
### Reset this PC
The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option.
The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
### Task Manager
The following items are added to Task Manager in this release:
- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898).
- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
## Graphics & display
@ -232,7 +232,7 @@ The following items are added to Task Manager in this release:
### 2-in-1 PCs
A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
### Specialized displays
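Review bot: the new first sentence repeats itself: "See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](...) for details on a new tablet experience for two-in-one convertible PCs that is now available." The clause after the link restates the link text, and the exclamation mark copied from the source heading does not belong in body text. Suggest the shorter original form with the updated URL: "A [new tablet experience](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available." and leave the following sentence about touch optimization unchanged.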
@ -256,13 +256,13 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
## See Also
- [Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
- [Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.<br>
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
- [Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
- [Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
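Review bot: dropping the trailing `<br>` tags from the list items is fine (a markdown list does not need them), but this pass carries over typos in the link text that it could fix at the same time: "Whats new" should be "What's new" in three items (the Windows IT Pro blog entry, the May 2020 Update entry, and "See whats new in other versions of Windows 10"), and "Windows 10 features were no longer developing" should read "Windows 10 features we're no longer developing". Also, the "What's new for business in Windows 10 Insider Preview Builds" item now points at .../windows-insider/Active-Dev-Branch while every other updated link in this change points at .../windows-insider/archive/new-in-20H1; confirm that the Active-Dev-Branch page actually hosts the business-focused list described, otherwise link the archive page for consistency.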