From 4743fe3434a5e4fd0362ac4bd3714f8783891094 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 2 May 2018 10:33:30 -0700 Subject: [PATCH 1/3] Updated Intune instructions. --- ...-first-sight-windows-defender-antivirus.md | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 9acab9ce56..cb413ea7c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -11,13 +11,9 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/02/2018 --- - - - - # Enable the Block at First Sight feature **Applies to** @@ -30,6 +26,7 @@ ms.date: 04/30/2018 **Manageability available with** +- Intune - Group Policy - Windows Defender Security Center app 
@@ -58,8 +55,6 @@ In Windows 10, version 1803, the Block at First Sight feature can now block non- The Block at First Sight feature only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. - - If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. In many cases this process can reduce the response time for new malware from hours to seconds. 
@@ -69,6 +64,23 @@ In many cases this process can reduce the response time for new malware from hou Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks. +### Confirm Block at First Sight is enabled with Intune + +1. In Intune, navigate to **Device configuration - Profiles | | Device restrictions | Windows Defender Antivirus**. + + > [!NOTE] + > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. + +2. Verify these settings are configured as follows: + + - **Cloud-delivered protection**: **Enable** + - **File Blocking Level**: **High** + - **Time extension for file scanning by the cloud**: **50** + - **Prompt users before sample submission**: **Send all data without prompting** + +For more information about configuring Windows Defender AV device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). + +For a list of Windows Defender AV device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). ### Confirm Block at First Sight is enabled with Group Policy 
@@ -113,7 +125,7 @@ The feature is automatically enabled as long as **Cloud-based protection** and * 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. From 85a69a0e6da58ce74b1c51059134b12b005d3382 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 2 May 2018 11:04:20 -0700 Subject: [PATCH 2/3] Fixed link and formatting. --- ...configure-block-at-first-sight-windows-defender-antivirus.md | 2 +- .../wdsc-windows-10-in-s-mode.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index cb413ea7c9..c2f08b09d3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md 
@@ -66,7 +66,7 @@ Block at First Sight requires a number of Group Policy settings to be configured ### Confirm Block at First Sight is enabled with Intune -1. In Intune, navigate to **Device configuration - Profiles | | Device restrictions | Windows Defender Antivirus**. +1. In Intune, navigate to **Device configuration - Profiles | *Profile name* | Device restrictions | Windows Defender Antivirus**. > [!NOTE] > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 658c5331ba..a4423252ca 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -34,7 +34,7 @@ The Windows Defender Security Center interface is a little different in Windows ![Screen shot of the Windows Defender Security Center app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) -For more information about Windows 10 in S mode, including how to switch out of S mode, see Windows 10 Pro in S mode. +For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode). ##Managing Windows Defender Security Center settings with Intune From 2cdf79009321e1032136ef927a806ced4c7deef0 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 2 May 2018 11:22:46 -0700 Subject: [PATCH 3/3] Fix formatting --- ...configure-block-at-first-sight-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index c2f08b09d3..d5bdf282dc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -66,7 +66,7 @@ Block at First Sight requires a number of Group Policy settings to be configured ### Confirm Block at First Sight is enabled with Intune -1. In Intune, navigate to **Device configuration - Profiles | *Profile name* | Device restrictions | Windows Defender Antivirus**. +1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. > [!NOTE] > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
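Review bot: in PATCH 1/3, hunk `@@ -69,6 +64,23 @@`, the unchanged lead-in still says Block at First Sight "requires a number of Group Policy settings to be configured correctly or it will not work", and the new "### Confirm Block at First Sight is enabled with Intune" section now sits directly under it. Reword the lead-in so it covers both management channels. In the same hunk, "**Time extension for file scanning by the cloud**: **50**" has no unit, and "Verify these settings are configured as follows" does not say whether "**File Blocking Level**: **High**" and the other values are exact requirements or minimums; state both so an administrator auditing a stricter profile knows whether it passes.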
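Review bot: in PATCH 1/3, hunk `@@ -58,8 +55,6 @@`, the context sentence "A hash value of the .exe file is checked via the cloud backend" is narrower than the sentence before it, which scopes the feature to "executable files and non-portable executable files". Since this paragraph is being touched anyway, change ".exe file" to wording that matches the stated scope, so readers do not conclude that only .exe files are hash-checked.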
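Review bot: in PATCH 2/3, the hunk for wdsc-windows-10-in-s-mode.md ends on the context line "##Managing Windows Defender Security Center settings with Intune", which has no space after the "##" and will not render as a heading in stricter Markdown parsers. The commit is already a link and formatting fix on the line above, so add the space here as well. The new link text reads "Windows 10 Pro/Enterprise in S mode" while the target slug is "windows-10-pro-in-s-mode"; confirm the target page covers Enterprise.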
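Review bot: in PATCH 3/3, hunk `@@ -66,7 +66,7 @@`, the rewritten path "**Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**" still mixes two separators: " - " after "Device configuration" and ">" everywhere else. If "Device configuration - Profiles" is a single blade name, say so or format it so it reads as one segment. PATCH 2/3 and PATCH 3/3 each rewrite this one line, which PATCH 1/3 introduced with an empty "| |" segment; squash the three so the history does not carry the broken intermediate states.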