diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 71fca8b044..f4c65e9ed7 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -94,7 +94,7 @@ Endpoint detection and response capabilities are put in place to detect, investi - [Alerts](microsoft-defender-atp/alerts-queue.md) - [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline) - [Response orchestration](microsoft-defender-atp/response-actions.md) -- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices) - [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md) - [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) - [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 0d95a0d4e0..7cc627a141 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -29,7 +29,7 @@ ms.topic: article >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. >-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 9cb8182798..181ff9b9dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -64,7 +64,7 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 0a85cb240c..d08c4e2bba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -28,7 +28,7 @@ Creates new [Alert](alerts.md) on top of **Event**.
**Microsoft Defender ATP Event** is required for the alert creation.
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
You can use an event found in Advanced Hunting API or Portal. -
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it. +
If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
An automatic investigation starts automatically on alerts created via the API. @@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request @@ -71,7 +71,7 @@ Property | Type | Description :---|:---|:--- eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**. reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**. -machineId | String | Id of the machine on which the event was identified. **Required**. +machineId | String | Id of the device on which the event was identified. **Required**. severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index b2fc09e758..c73456bd03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. > [!NOTE] > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. @@ -36,9 +36,9 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an #### Required columns in the query results To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. -The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto DeviceEvents @@ -72,19 +72,19 @@ When saved, a new or edited custom detection rule immediately runs and checks fo Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -### 3. Specify actions on files or machines. -Your custom detection rule can automatically take actions on files or machines that are returned by the query. +### 3. Specify actions on files or devices. +Your custom detection rule can automatically take actions on files or devices that are returned by the query. -#### Actions on machines -These actions are applied to machines in the `DeviceId` column of the query results: -- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network) -- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) -- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine -- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine +#### Actions on devices +These actions are applied to devices in the `DeviceId` column of the query results: +- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) +- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the device +- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device #### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: -- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule. +- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file** — deletes the file from its current location and places a copy in quarantine ### 4. Click **Create** to save and turn on the rule. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 3216d16b87..35e3b7eb95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -113,7 +113,7 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 30dd08b49c..13358eb288 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -25,7 +25,7 @@ manager: dansimp Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. @@ -136,7 +136,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. -Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +Exporting the configuration as an XML file allows you to copy the configuration from one device onto other devices. ## PowerShell reference @@ -145,7 +145,7 @@ Exporting the configuration as an XML file allows you to copy the configuration The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. >[!IMPORTANT] - >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden. + >Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index eec05ff19b..c4c4d72473 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -30,16 +30,16 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Microsoft Defender ATP collect? -Microsoft Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. -Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). +Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). This data enables Microsoft Defender ATP to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected -- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. +- Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. Microsoft does not use your data for advertising. diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index a8b1269d9c..5876d6af46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -35,12 +35,12 @@ The Microsoft Defender Advanced Threat Protection agent depends on Windows Defen >[!IMPORTANT] >Microsoft Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md). -If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. +If an onboarded device is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode. Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client. -The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options. +The Windows Defender Antivirus interface will be disabled, and users on the device will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options. For more information, see the [Windows Defender Antivirus and Microsoft Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index a04a30abf0..5daf2b2aa2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -33,7 +33,7 @@ There are three phases in deploying Microsoft Defender ATP: The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. -There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). +There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). ## In Scope diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 942f37ced7..8e7931626c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -73,15 +73,15 @@ The following image shows an instance of unwanted software that was detected and ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. ### Why do I need to keep Windows Defender Antivirus up to date? -Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. +Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index f78270d508..98fd86e3f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -34,7 +34,7 @@ You can enable controlled folder access by using any of these methods: * [Group Policy](#group-policy) * [PowerShell](#powershell) -[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: @@ -91,7 +91,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 9c926b6d06..b0cad379e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -41,9 +41,9 @@ You can enable each mitigation separately by using any of these methods: Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. -You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other devices. -You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device. ## Windows Security app @@ -132,7 +132,7 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 382f789aa7..f827607d8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -29,7 +29,7 @@ Enable security information and event management (SIEM) integration so you can p >[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. >- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 1741fdf531..1d8f56f5e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -1,5 +1,5 @@ --- -title: Enable Microsoft Defender ATP Insider Machine +title: Enable Microsoft Defender ATP Insider Device description: Install and use Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh @@ -17,9 +17,9 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Enable Microsoft Defender ATP Insider Machine +# Enable Microsoft Defender ATP Insider Device -Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac machine to be an "Insider" machine as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). +Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). >[!IMPORTANT] >Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions. @@ -125,7 +125,7 @@ h. Select  **Manage > Assignments**. In the  **Include**  tab, select  * >[!WARNING] >You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. -## Enable the Insider program manually on a single machine +## Enable the Insider program manually on a single device In terminal, run: @@ -145,16 +145,16 @@ For versions earlier than 100.78.0, run: To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). -To verify you are running the correct version, run ‘mdatp --health’ on the machine. +To verify you are running the correct version, run ‘mdatp --health’ on the device. * The required version is 100.72.15 or later. * If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal. * To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). * If you are not using Office for Mac, download and run the AutoUpdate tool. -### A machine still does not appear on Microsoft Defender Security Center +### A device still does not appear on Microsoft Defender Security Center -After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running ‘mdatp --connectivity-test’. +After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’. * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index a77a399d92..980238995f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -47,7 +47,7 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` > [!TIP] -> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index 1d9da1a791..ae0a15fe7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -45,7 +45,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` > [!TIP] -> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 83b638059c..bb935d1b6f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -21,9 +21,9 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. +Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. -The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. +The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM] @@ -31,7 +31,7 @@ With the simplified set-up experience, you can focus on running your own test sc You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. -You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. +You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal. @@ -43,7 +43,7 @@ You'll need to fulfill the [licensing requirements](minimum-requirements.md#lice You must have **Manage security settings** permissions to: - Create the lab -- Create machines +- Create devices - Reset password - Create simulations @@ -58,12 +58,12 @@ You can access the lab from the menu. In the navigation menu, select **Evaluatio ![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png) >[!NOTE] ->- Each environment is provisioned with a limited set of test machines. ->- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation. ->- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count. ->- Given the limited resources, it’s advisable to use the machines carefully. +>- Each environment is provisioned with a limited set of test devices. +>- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation. +>- When you've used up the provisioned devices, no new devices are provided. A deleted device does not refresh the available test device count. +>- Given the limited resources, it’s advisable to use the devices carefully. -Already have a lab? Make sure to enable the new threat simulators and have active machines. +Already have a lab? Make sure to enable the new threat simulators and have active devices. ## Setup the evaluation lab @@ -71,7 +71,7 @@ Already have a lab? Make sure to enable the new threat simulators and have activ ![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png) -2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**. +2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**. ![Image of lab configuration options](images/lab-creation-page.png) @@ -83,28 +83,28 @@ Already have a lab? Make sure to enable the new threat simulators and have activ >[!IMPORTANT] >You'll first need to accept and provide consent to the terms and information sharing statements. -4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add. +4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add. ![Image of summary page](images/lab-setup-summary.png) 5. Review the summary and select **Setup lab**. -After the lab setup process is complete, you can add machines and run simulations. +After the lab setup process is complete, you can add devices and run simulations. -## Add machines -When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines. +## Add devices +When you add a device to your environment, Microsoft Defender ATP sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices. -The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. +The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. >[!TIP] - > Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. + > Need more devices in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. -If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add. +If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add. -The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. +The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. - The following security components are pre-configured in the test machines: + The following security components are pre-configured in the test devices: - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) @@ -116,35 +116,35 @@ The machine will automatically be onboarded to your tenant with the recommended - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) >[!NOTE] -> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). >[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections. -1. From the dashboard, select **Add machine**. +1. From the dashboard, select **Add device**. -2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019. +2. Choose the type of device to add. You can choose to add Windows 10 or Windows Server 2019. - ![Image of lab setup with machine options](images/add-machine-options.png) + ![Image of lab setup with device options](images/add-machine-options.png) >[!NOTE] - >If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new request. If the machine creation fails, it will not be counted against the overall allowed quota. + >If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota. -3. The connection details are displayed. Select **Copy** to save the password for the machine. +3. The connection details are displayed. Select **Copy** to save the password for the device. >[!NOTE] >The password is only displayed once. Be sure to save it for later use. - ![Image of machine added with connection details](images/add-machine-eval-lab.png) + ![Image of device added with connection details](images/add-machine-eval-lab.png) -4. Machine set up begins. This can take up to approximately 30 minutes. +4. Device set up begins. This can take up to approximately 30 minutes. -5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab. +5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab. - ![Image of machines tab](images/machines-tab.png) + ![Image of devices tab](images/machines-tab.png) >[!TIP] @@ -153,7 +153,7 @@ Automated investigation settings will be dependent on tenant settings. It will b ## Simulate attack scenarios -Use the test machines to run your own attack simulations by connecting to them. +Use the test devices to run your own attack simulations by connecting to them. You can simulate attack scenarios using: - The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials) @@ -166,11 +166,11 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" >[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections. -1. Connect to your machine and run an attack simulation by selecting **Connect**. +1. Connect to your device and run an attack simulation by selecting **Connect**. - ![Image of the connect button for test machines](images/test-machine-table.png) + ![Image of the connect button for test devices](images/test-machine-table.png) 2. Save the RDP file and launch it by selecting **Connect**. @@ -179,24 +179,24 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" >[!NOTE] >If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: > ![Image of reset password](images/reset-password-test-machine.png)
- > The machine will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes. + > The device will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes. -3. Enter the password that was displayed during the machine creation step. +3. Enter the password that was displayed during the device creation step. ![Image of window to enter credentials](images/enter-password.png) -4. Run Do-it-yourself attack simulations on the machine. +4. Run Do-it-yourself attack simulations on the device. ### Threat simulator scenarios -If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines. +If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices. Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment. >[!NOTE] >Before you can run simulations, ensure the following requirements are met: ->- Machines must be added to the evaluation lab +>- Devices must be added to the evaluation lab >- Threat simulators must be installed in the evaluation lab 1. From the portal select **Create simulation**. @@ -249,7 +249,7 @@ Each simulation comes with an in-depth description of the attack scenario and re ## Evaluation report -The lab reports summarize the results of the simulations conducted on the machines. +The lab reports summarize the results of the simulations conducted on the devices. ![Image of the evaluation report](images/eval-report.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 2fe02c746b..2ae42ae30e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -29,12 +29,12 @@ ms.date: 05/21/2018 -You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines. +You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. -For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps. +For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps. > [!NOTE] -> It can take several days for machines to begin reporting to the Microsoft Defender ATP service. +> It can take several days for devices to begin reporting to the Microsoft Defender ATP service. **Open Event Viewer and find the Microsoft Defender ATP service event log:** @@ -67,7 +67,7 @@ For example, if machines are not appearing in the **Machines list**, you might n 2 Microsoft Defender Advanced Threat Protection service shutdown. -Occurs when the machine is shut down or offboarded. +Occurs when the device is shut down or offboarded. Normal operating notification; no action required. @@ -93,17 +93,17 @@ The service could not contact the external processing servers at that URL. 6 Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. -The machine did not onboard correctly and will not be reporting to the portal. +The device did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 7 Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: variable. -Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. +Variable = detailed error description. The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 8 @@ -111,28 +111,28 @@ See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable. -During onboarding: The machine did not onboard correctly and will not be reporting to the portal.

During offboarding: Failed to change the service start type. The offboarding process continues. +During onboarding: The device did not onboard correctly and will not be reporting to the portal.

During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 10 Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable. -The machine did not onboard correctly and will not be reporting to the portal. +The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 11 Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed. -The machine onboarded correctly. +The device onboarded correctly. Normal operating notification; no action required.
-It may take several hours for the machine to appear in the portal. +It may take several hours for the device to appear in the portal. 12 @@ -142,7 +142,7 @@ It may take several hours for the machine to appear in the portal. 13 -Microsoft Defender Advanced Threat Protection machine ID calculated: variable. +Microsoft Defender Advanced Threat Protection device ID calculated: variable. Normal operating process. Normal operating notification; no action required. @@ -159,7 +159,7 @@ The service could not contact the external processing servers at that URL. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 18 @@ -183,25 +183,25 @@ If this error persists after a system restart, ensure all Windows updates have f 25 Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable. -The machine did not onboard correctly. +The device did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 26 Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable. -The machine did not onboard correctly.
+The device did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 27 Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: variable. -Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines.
+See Onboard Windows 10 devices.
Ensure real-time antimalware protection is running properly. @@ -210,20 +210,20 @@ Ensure real-time antimalware protection is running properly. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 29 Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 This event occurs when the system can't read the offboarding parameters. -Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. +Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. 30 Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: variable. -Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines
+See Onboard Windows 10 devices
Ensure real-time antimalware protection is running properly. @@ -236,14 +236,14 @@ Ensure real-time antimalware protection is running properly. 32 Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 An error occurred during offboarding. -Reboot the machine. +Reboot the device. 33 Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable. -A unique identifier is used to represent each machine that is reporting to the portal.
-If the identifier does not persist, the same machine might appear twice in the portal. -Check registry permissions on the machine to ensure the service can update the registry. +A unique identifier is used to represent each device that is reporting to the portal.
+If the identifier does not persist, the same device might appear twice in the portal. +Check registry permissions on the device to ensure the service can update the registry. 34 @@ -251,7 +251,7 @@ If the identifier does not persist, the same machine might appear twice in the p An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 35 @@ -269,31 +269,31 @@ See [!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 4fa6891d4f..5fed8ccf11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -1,7 +1,7 @@ --- title: Get machines security states collection API -description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. -keywords: apis, graph api, supported apis, get, machine, security, state +description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. +keywords: apis, graph api, supported apis, get, device, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -23,7 +23,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Retrieves a collection of machines security states. +Retrieves a collection of devices security states. ## Permissions User needs read permissions. @@ -60,7 +60,7 @@ Content-type: application/json **Response** Here is an example of the response. -Field *id* contains machine id and equal to the field *id** in machines info. +Field *id* contains device id and equal to the field *id** in devices info. ``` HTTP/1.1 200 OK diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 86ce1c9e6a..3b41ca66ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -1,7 +1,7 @@ --- -title: Get missing KBs by machine ID -description: Retrieves missing KBs by machine Id -keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api +title: Get missing KBs by device ID +description: Retrieves missing KBs by device Id +keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get missing KBs by machine ID +# Get missing KBs by device ID **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs by machine Id +Retrieves missing KBs by device Id ## HTTP request @@ -42,7 +42,7 @@ Empty ## Response -If successful, this method returns 200 OK, with the specified machine missing kb data in the body. +If successful, this method returns 200 OK, with the specified device missing kb data in the body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index 986c832afc..3ecec47c0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -38,7 +38,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 449efaf986..9c2965fd9c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,7 +1,7 @@ --- -title: List machines by recommendation -description: Retrieves a list of machines associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api +title: List devices by recommendation +description: Retrieves a list of devices associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# List machines by recommendation +# List devices by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](../../includes/prerelease.md)] -Retrieves a list of machines associated with the security recommendation. +Retrieves a list of devices associated with the security recommendation. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. @@ -48,7 +48,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200 OK with the list of machines associated with the security recommendation. +If successful, this method returns 200 OK with the list of devices associated with the security recommendation. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 61ca64ff6b..67e29e0532 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -1,7 +1,7 @@ --- title: Get security recommendations -description: Retrieves a collection of security recommendations related to a given machine ID. -keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api +description: Retrieves a collection of security recommendations related to a given device ID. +keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -22,7 +22,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -Retrieves a collection of security recommendations related to a given machine ID. +Retrieves a collection of security recommendations related to a given device ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index c57fe74368..2276c784bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by machine group. +description: Retrieves a list of exposure scores by device group. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index b2e2bce19f..0a052683b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index ec84fa1f38..e55f0b9188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -1,6 +1,6 @@ --- title: Get user related machines API -description: Retrieves a collection of machines related to a given user ID. +description: Retrieves a collection of devices related to a given user ID. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article ## API description -Retrieves a collection of machines related to a given user ID. +Retrieves a collection of devices related to a given user ID. ## Limitations @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 8b8c759287..e7f542720d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -69,7 +69,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index a6b23d0ed7..06f252e536 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -1,7 +1,7 @@ --- -title: Take response actions on a machine in Microsoft Defender ATP -description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. -keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app +title: Take response actions on a device in Microsoft Defender ATP +description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running av scan, and restricting app execution. +keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Take response actions on a machine +# Take response actions on a device **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) -Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. +Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center. -Response actions run along the top of a specific machine page and include: +Response actions run along the top of a specific device page and include: - Manage tags - Initiate Automated Investigation @@ -34,56 +34,56 @@ Response actions run along the top of a specific machine page and include: - Collect investigation package - Run antivirus scan - Restrict app execution -- Isolate machine +- Isolate device - Consult a threat expert - Action center ![Image of response actions](images/response-actions.png) - You can find machine pages from any of the following views: + You can find device pages from any of the following views: -- **Security operations dashboard** - Select a machine name from the Machines at risk card. -- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. -- **Machines list** - Select the heading of the machine name from the machines list. -- **Search box** - Select Machine from the drop-down menu and enter the machine name. +- **Security operations dashboard** - Select a device name from the Devices at risk card. +- **Alerts queue** - Select the device name beside the device icon from the alerts queue. +- **Devices list** - Select the heading of the device name from the devices list. +- **Search box** - Select Device from the drop-down menu and enter the device name. >[!IMPORTANT] -> - These response actions are only available for machines on Windows 10, version 1703 or later. -> - For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party capabilities. +> - These response actions are only available for devices on Windows 10, version 1703 or later. +> - For non-Windows platforms, response capabilities (such as Device isolation) are dependent on the third-party capabilities. ## Manage tags -Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. +Add or manage tags to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. -For more information on machine tagging, see [Create and manage machine tags](machine-tags.md). +For more information on device tagging, see [Create and manage device tags](machine-tags.md). ## Initiate Automated Investigation -You can start a new general purpose automated investigation on the machine if needed. While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation. +You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). ## Initiate Live Response Session -Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. +Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. -For more information on live response, see [Investigate entities on machines using live response](live-response.md) +For more information on live response, see [Investigate entities on devices using live response](live-response.md) -## Collect investigation package from machines +## Collect investigation package from devices -As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. +As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker. -To download the package (Zip file) and investigate the events that occurred on a machine +To download the package (Zip file) and investigate the events that occurred on a device -1. Select **Collect investigation package** from the row of response actions at the top of the machine page. +1. Select **Collect investigation package** from the row of response actions at the top of the device page. 2. Specify in the text box why you want to perform this action. Select **Confirm**. 3. The zip file will download Alternate way: -1. Select **Action center** from the response actions section of the machine page. +1. Select **Action center** from the response actions section of the device page. ![Image of action center button](images/action-center-package-collection.png) @@ -95,12 +95,12 @@ The package contains the following folders: | Folder | Description | |:---|:---------| -|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | -|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | +|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device.

NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | +|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | |Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

- ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

- Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

- DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

- IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

- FirewallExecutionLog.txt and pfirewall.log | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

- Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | -| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | -| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | +| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. | +| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. | | Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

NOTE: Open the event log file using Event viewer. | | Services| Contains a .CSV file which lists services and their states. | | Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

Contains files for SMBInboundSessions and SMBOutboundSession.

NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. | @@ -110,85 +110,85 @@ The package contains the following folders: |WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab | | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | -## Run Windows Defender Antivirus scan on machines +## Run Windows Defender Antivirus scan on devices -As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. +As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. >[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 or later. +>- This action is available for devices on Windows 10, version 1709 or later. >- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan. ![Image of notification to select quick scan or full scan and add comment](images/run-antivirus.png) -The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. +The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Windows Defender AV alerts will reflect any detections that surfaced during the scan. ## Restrict app execution In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. >[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 or later. +> - This action is available for devices on Windows 10, version 1709 or later. > - This feature is available if your organization uses Windows Defender Antivirus. > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). -To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. +To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities. >[!NOTE] ->You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution. +>You’ll be able to reverse the restriction of applications from running at any time. The button on the device page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution. -Once you have selected **Restrict app execution** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. +Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. ![Image of app restriction notification](images/restrict-app-execution.png) -**Notification on machine user**:
+**Notification on device user**:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: ![Image of app restriction](images/atp-app-restriction.png) -## Isolate machines from the network +## Isolate devices from the network -Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. >[!IMPORTANT] ->- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 or later. +>- Full isolation is available for devices on Windows 10, version 1703. +>- Selective isolation is available for devices on Windows 10, version 1709 or later. -This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine. +This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device. On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] ->You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine. +>You’ll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device. -Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. +Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. -![Image of isolate machine](images/isolate-machine.png) +![Image of isolate device](images/isolate-machine.png) >[!NOTE] ->The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. +>The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. -**Notification on machine user**:
-When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: +**Notification on device user**:
+When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network: ![Image of no network connection](images/atp-notification-isolate.png) ## Consult a threat expert -You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. +You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details. ## Check activity details in Action center -The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: +The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details: - Investigation package collection - Antivirus scan - App restriction -- Machine isolation +- Device isolation All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 7d6e7647cc..70da268198 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -1,6 +1,6 @@ --- title: Troubleshoot Microsoft Defender ATP onboarding issues -description: Troubleshoot issues that might arise during the onboarding of machines or to the Microsoft Defender ATP service. +description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,36 +26,36 @@ ms.topic: troubleshooting You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. -This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. +This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices. ## Troubleshoot issues with onboarding tools -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. +If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. ### Troubleshoot onboarding when deploying with Group Policy -Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. +Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). +If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). -If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. +If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur. ### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager -When onboarding machines using the following versions of Configuration Manager: +When onboarding devices using the following versions of Configuration Manager: - Microsoft Endpoint Configuration Manager - System Center 2012 Configuration Manager - System Center 2012 R2 Configuration Manager -Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. +Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console. -If the deployment fails, you can check the output of the script on the machines. +If the deployment fails, you can check the output of the script on the devices. -If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. +If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur. ### Troubleshoot onboarding when deploying with a script -**Check the result of the script on the machine**: +**Check the result of the script on the device**: 1. Click **Start**, type **Event Viewer**, and press **Enter**. 2. Go to **Windows Logs** > **Application**. @@ -70,7 +70,7 @@ Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
Verify that the script has been run as an administrator. -15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). @@ -80,7 +80,7 @@ Event ID | Error Type | Resolution steps ### Troubleshoot onboarding issues using Microsoft Intune You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. +If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment. Use the following tables to understand the possible causes of issues while onboarding: @@ -95,9 +95,9 @@ If none of the event logs and troubleshooting steps work, download the Local scr Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```

If it doesn't exist, open an elevated command and add the key. - | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). + | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). || | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional. @@ -108,9 +108,9 @@ The following table provides information on issues with non-compliance and how y Case | Symptoms | Possible cause and troubleshooting steps :---|:---|:--- -1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

**Troubleshooting steps:** Wait for OOBE to complete. -2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. -3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. +1 | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

**Troubleshooting steps:** Wait for OOBE to complete. +2 | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start.

**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. +3 | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
Mobile Device Management (MDM) event logs @@ -125,16 +125,16 @@ ID | Severity | Event description | Troubleshooting steps :---|:---|:---|:--- 1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). -## Troubleshoot onboarding issues on the machine -If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent: -- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) +## Troubleshoot onboarding issues on the device +If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent: +- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) - [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) -- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) +- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection) - [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) -### View agent onboarding errors in the machine event log +### View agent onboarding errors in the device event log 1. Click **Start**, type **Event Viewer**, and press **Enter**. @@ -155,31 +155,31 @@ If the deployment tools used does not indicate an error in the onboarding proces Event ID | Message | Resolution steps :---|:---|:--- -5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). 6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md). -7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. +7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again. 9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

If the event happened during offboarding, contact support. 10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

If the problem persists, contact support. -15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). 17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support. 25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. 27 | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. -29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again. 30 | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support. -32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. -55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device. 63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. 64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. 68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. 69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
-There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. +There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. ### Ensure the diagnostic data service is enabled -If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. +If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes. First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). @@ -187,7 +187,7 @@ First, you should check that the service is set to start automatically when Wind **Use the command line to check the Windows 10 diagnostic data service startup type**: -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the device: a. Click **Start**, type **cmd**, and press **Enter**. @@ -208,7 +208,7 @@ First, you should check that the service is set to start automatically when Wind **Use the command line to set the Windows 10 diagnostic data service to automatically start:** -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the device: a. Click **Start**, type **cmd**, and press **Enter**. @@ -234,7 +234,7 @@ First, you should check that the service is set to start automatically when Wind sc start diagtrack ``` -### Ensure the machine has an Internet connection +### Ensure the device has an Internet connection The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. @@ -249,7 +249,7 @@ If the verification fails and your environment is using a proxy to connect to th **Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service. -**Solution**: If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. +**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: @@ -291,15 +291,15 @@ You might also need to check the following: ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) -- Check to see that machines are reflected in the **Machines list** in the portal. +- Check to see that devices are reflected in the **Devices list** in the portal. -## Confirming onboarding of newly built machines -There may be instances when onboarding is deployed on a newly built machine but not completed. +## Confirming onboarding of newly built devices +There may be instances when onboarding is deployed on a newly built device but not completed. The steps below provide guidance for the following scenario: -- Onboarding package is deployed to newly built machines +- Onboarding package is deployed to newly built devices - Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed -- Machine is turned off or restarted before the end user performs a first logon +- Device is turned off or restarted before the end user performs a first logon - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed >[!NOTE] @@ -406,6 +406,6 @@ The steps below provide guidance for the following scenario: ## Related topics - [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) -- [Onboard machines](onboard-configure.md) -- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) +- [Onboard devices](onboard-configure.md) +- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)