diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index c4199cc4dd..90e5c3177c 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1699,6 +1699,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/manage-edr.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-edr", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-edrmanage-edr.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/management-apis.md", diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index b1ce6d51a9..4da406434c 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -16,7 +16,6 @@ ms.topic: article # Create mandatory user profiles **Applies to** - - Windows 10 A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. @@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want, > [!TIP] > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: > - > ![Microsoft Bing Translator package](images/sysprep-error.png) + > ![Microsoft Bing Translator package error](images/sysprep-error.png) > > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. @@ -89,11 +88,11 @@ Starting in Windows 10 version (2004) Open the Settings app and click on Advance 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**. - ![Example of UI](images/copy-to.png) + ![Example of User Profiles UI](images/copy-to.png) 1. In **Copy To**, under **Permitted to use**, click **Change**. - ![Example of UI](images/copy-to-change.png) + ![Example of Copy To UI](images/copy-to-change.png) 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone` or the group of users that the profile will be assigned to, click **Check Names**, and then click **OK**. @@ -101,13 +100,13 @@ Starting in Windows 10 version (2004) Open the Settings app and click on Advance - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of UI](images/copy-to-path.png) + ![Example of Copy profile to](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - Optionally, you can check the **Mandatory profile** checkbox. This step is not required but will set permissions that are more restrictive and we recommend doing so. - ![Example of UI](images/copy-to-path.png) + ![Example of Copy To UI with UNC path](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 4f20ca31cd..8909e59d0c 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m ![Access work or school page in Settings](images/diagnose-mdm-failures15.png) 1. At the bottom of the **Settings** page, click **Create report**. - ![Access work or school page in Settings](images/diagnose-mdm-failures16.png) + ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png) 1. A window opens that shows the path to the log files. Click **Export**. - ![Access work or school page in Settings](images/diagnose-mdm-failures17.png) + ![Access work or school log files](images/diagnose-mdm-failures17.png) 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report. @@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches 3. Navigate to the etl file that you got from the device and then open the file. 4. Click **Yes** when prompted to save it to the new log format. - ![prompt](images/diagnose-mdm-failures10.png) + ![event viewer prompt](images/diagnose-mdm-failures10.png) ![diagnose mdm failures](images/diagnose-mdm-failures11.png) 5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. - ![event viewer](images/diagnose-mdm-failures12.png) + ![event viewer actions](images/diagnose-mdm-failures12.png) 6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. - ![event filter](images/diagnose-mdm-failures13.png) + ![event filter for Device Management](images/diagnose-mdm-failures13.png) 7. Now you are ready to start reviewing the logs. - ![event viewer](images/diagnose-mdm-failures14.png) + ![event viewer review logs](images/diagnose-mdm-failures14.png) ## Collect device state data @@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia ```   - - - - - - diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 9c1330bdc3..2d7b4b2b66 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -86,24 +86,29 @@ You can configure Windows to be in shared PC mode in a couple different ways: - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**. + 3. Enter the following properties: - - **Platform**: Select **Windows 10 and later**. - - **Profile**: Select **Templates** > **Shared multi-user device**. + - **Platform**: Select **Windows 10 and later**. + - **Profile**: Select **Templates** > **Shared multi-user device**. 4. Select **Create**. + 5. In **Basics**, enter the following properties: - - **Name**: Enter a descriptive name for the new profile. - - **Description**: Enter a description for the profile. This setting is optional, but recommended. + - **Name**: Enter a descriptive name for the new profile. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. 6. Select **Next**. + 7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings: 8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. - ![Shared PC settings in ICD](images/shared_pc_3.png) + > [!div class="mx-imgBorder"] + > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 9. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 4**. @@ -112,27 +117,27 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: - -``` -$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" -$sharedPC.EnableSharedPCMode = $True -$sharedPC.SetEduPolicies = $True -$sharedPC.SetPowerPolicies = $True -$sharedPC.MaintenanceStartTime = 0 -$sharedPC.SignInOnResume = $True -$sharedPC.SleepTimeout = 0 -$sharedPC.EnableAccountManager = $True -$sharedPC.AccountModel = 2 -$sharedPC.DeletionPolicy = 1 -$sharedPC.DiskLevelDeletion = 25 -$sharedPC.DiskLevelCaching = 50 -$sharedPC.RestrictLocalStorage = $False -$sharedPC.KioskModeAUMID = "" -$sharedPC.KioskModeUserTileDisplayText = "" -$sharedPC.InactiveThreshold = 0 -Set-CimInstance -CimInstance $sharedPC -Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC -``` + + ```powershell + $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" + $sharedPC.EnableSharedPCMode = $True + $sharedPC.SetEduPolicies = $True + $sharedPC.SetPowerPolicies = $True + $sharedPC.MaintenanceStartTime = 0 + $sharedPC.SignInOnResume = $True + $sharedPC.SleepTimeout = 0 + $sharedPC.EnableAccountManager = $True + $sharedPC.AccountModel = 2 + $sharedPC.DeletionPolicy = 1 + $sharedPC.DiskLevelDeletion = 25 + $sharedPC.DiskLevelCaching = 50 + $sharedPC.RestrictLocalStorage = $False + $sharedPC.KioskModeAUMID = "" + $sharedPC.KioskModeUserTileDisplayText = "" + $sharedPC.InactiveThreshold = 0 + Set-CimInstance -CimInstance $sharedPC + Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC + ``` ### Create a provisioning package for shared use @@ -209,19 +214,24 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac ## Guidance for accounts on shared PCs * We recommend no local admin accounts on the PC to improve the reliability and security of the PC. + * When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. + * Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out. + * If admin accounts are necessary on the PC * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or * Create admin accounts before setting up shared PC mode, or * Create exempt accounts before signing out when turning shared pc mode on. + * The account management service supports accounts that are exempt from deletion. - * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key. - * To add the account SID to the registry key using PowerShell:
- ``` + * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`. + * To add the account SID to the registry key using PowerShell: + + ```powershell $adminName = "LocalAdmin" $adminPass = 'Pa$$word123' iex "net user /add $adminName $adminPass" @@ -232,8 +242,6 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac ``` - - ## Policies set by shared PC mode Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options. diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 355ea08482..baf64f9c7e 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -46,6 +46,7 @@ These steps will show you how to configure an Active Directory account with the On **DC01**: 1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit. + 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**: ```powershell @@ -60,19 +61,20 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -The following is a list of the permissions being granted: - a. Scope: This object and all descendant objects - b. Create Computer objects - c. Delete Computer objects - d. Scope: Descendant Computer objects - e. Read All Properties - f. Write All Properties - g. Read Permissions - h. Modify Permissions - i. Change Password - j. Reset Password - k. Validated write to DNS host name - l. Validated write to service principal name + The following is a list of the permissions being granted: + + - Scope: This object and all descendant objects + - Create Computer objects + - Delete Computer objects + - Scope: Descendant Computer objects + - Read All Properties + - Write All Properties + - Read Permissions + - Modify Permissions + - Change Password + - Reset Password + - Validated write to DNS host name + - Validated write to service principal name ## Step 2: Set up the MDT production deployment share @@ -85,11 +87,17 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: 1. Ensure you are signed on as: contoso\administrator. + 2. In the **Deployment Workbench** console, right-click **Deployment Shares** and select **New Deployment Share**. + 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. + 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**. + 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**. + 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**. + 7. Using **File Explorer**, verify that you can access the **\\\\MDT01\\MDTProduction$** share. ### Configure permissions for the production deployment share @@ -99,6 +107,7 @@ To read files in the deployment share, you need to assign **NTFS** and **SMB** p On **MDT01**: 1. Ensure you are signed in as **contoso\\administrator**. + 2. Modify the **NTFS** permissions for the **D:\\MDTProduction** folder by running the following command in an elevated **Windows PowerShell prompt**: ``` powershell @@ -115,11 +124,17 @@ The next step is to add a reference image into the deployment share with the set In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on **MDT01**. 1. Using the **Deployment Workbench**, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a **folder** named **Windows 10**. + 2. Right-click the **Windows 10** folder and select **Import Operating System**. + 3. On the **OS Type** page, select **Custom image file** and click **Next**. + 4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**. + 5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**. + 6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**. + 7. After adding the **Operating System**, double-click the added **Operating System** name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**. > [!NOTE] @@ -137,19 +152,28 @@ When you configure your **MDT Build Lab deployment** share, you can also add **a On **MDT01**: 1. Download the Enterprise distribution version of [**Adobe Acrobat Reader DC**](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100120140_en_US.exe) to **D:\\setup\\adobe** on MDT01. + 2. Extract the **.exe** file that you downloaded to a **.msi** (ex: .\AcroRdrDC2100120140_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). + 3. In the **Deployment Workbench**, expand the **MDT Production** node and navigate to the **Applications** node. + 4. Right-click the **Applications** node, and create a new folder named **Adobe**. + 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**. + 6. On the **Application Type** page, select the **Application with source files** option and click **Next**. + 7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**. + 8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**. + 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**. + 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**. -![acroread image](../images/acroread.png) + ![acroread image](../images/acroread.png) -The Adobe Reader application added to the Deployment Workbench. + The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository @@ -174,10 +198,12 @@ On **MDT01**: > In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. 1. Using **File Explorer**, create the **D:\\drivers** folder. + 2. In the **D:\\drivers** folder, create the following folder structure: - 1. **WinPE x86** - 2. **WinPE x64** - 3. **Windows 10 x64** + - **WinPE x86** + - **WinPE x64** + - **Windows 10 x64** + 3. In the new **Windows 10 x64** folder, create the following folder structure: - Dell Inc - Latitude E7450 @@ -195,10 +221,12 @@ On **MDT01**: When you import drivers to the **MDT driver repository**, **MDT** creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. 1. On **MDT01**, using Deployment Workbench, select the **Out-of-Box Drivers** node. + 2. In the **Out-Of-Box Drivers** node, create the following folder structure: - 1. **WinPE x86** - 2. **WinPE x64** - 3. **Windows 10 x64** + - **WinPE x86** + - **WinPE x64** + - **Windows 10 x64** + 3. In the **Windows 10 x64** folder, create the following folder structure: - Dell Inc - Latitude E7450 @@ -211,16 +239,17 @@ When you import drivers to the **MDT driver repository**, **MDT** creates a sing The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in an elevated **Windows PowerShell prompt**: -``` powershell +```powershell Get-WmiObject -Class:Win32_ComputerSystem ``` + Or, you can use this command in a normal command prompt: -``` +```console wmic csproduct get name ``` -If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). +If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536). ![drivers](../images/fig4-oob-drivers.png) @@ -234,19 +263,22 @@ The drivers that are used for the boot images (Windows PE) are Windows 10 driver On **MDT01**: 1. In the **Deployment Workbench**, under the **MDT Production** node, expand the **Advanced Configuration** node, right-click the **Selection Profiles** node, and select **New Selection Profile**. + 2. In the **New Selection Profile Wizard**, create a **selection profile** with the following settings: - 1. Selection Profile name: **WinPE x86** - 2. Folders: Select the **WinPE x86 folder** in **Out-of-Box Drivers**. - 3. Click **Next**, **Next**, and **Finish**. + - Selection Profile name: **WinPE x86** + - Folders: Select the **WinPE x86 folder** in **Out-of-Box Drivers**. + - Click **Next**, **Next**, and **Finish**. + 3. Right-click the **Selection Profiles** node again, and select **New Selection Profile**. + 4. In the **New Selection Profile Wizard**, create a **selection profile** with the following settings: - 1. Selection Profile name: **WinPE x64** - 2. Folders: Select the **WinPE x64 folder** in **Out-of-Box Drivers**. - 3. Click **Next**, **Next**, and **Finish**. + - Selection Profile name: **WinPE x64** + - Folders: Select the **WinPE x64 folder** in **Out-of-Box Drivers**. + - Click **Next**, **Next**, and **Finish**. -![figure 5](../images/fig5-selectprofile.png) + ![figure 5](../images/fig5-selectprofile.png) -Creating the WinPE x64 selection profile. + Creating the WinPE x64 selection profile. ### Extract and import drivers for the x64 boot image @@ -255,9 +287,16 @@ Creating the WinPE x64 selection profile. On **MDT01**: 1. Download **PROWinx64.exe** from Intel.com (ex: [PROWinx64.exe](https://downloadcenter.intel.com/downloads/eula/25016/Intel-Network-Adapter-Driver-for-Windows-10?httpDown=https%3A%2F%2Fdownloadmirror.intel.com%2F25016%2Feng%2FPROWinx64.exe)). -2. Extract **PROWinx64.exe** to a temporary folder - in this example to the **C:\\Tmp\\ProWinx64** folder. Note that extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. + +2. Extract **PROWinx64.exe** to a temporary folder—in this example to the **C:\\Tmp\\ProWinx64** folder. + + > [!NOTE] + > Extracting the **.exe** file manually requires an extraction utility. You can also run the .exe and it will self-extract files to the **%userprofile%\AppData\Local\Temp\RarSFX0** directory. This directory is temporary and will be deleted when the **.exe** terminates. + 3. Using **File Explorer**, create the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + 4. Copy the content of the **C:\\Tmp\\PROWinx64\\PRO1000\\Winx64\\NDIS64** folder to the **D:\\Drivers\\WinPE x64\\Intel PRO1000** folder. + 5. In the **Deployment Workbench**, expand the **MDT Production** > **Out-of-Box Drivers** node, right-click the **WinPE x64** node, select **Import Drivers**, and use the following driver source directory to import drivers: **D:\\Drivers\\WinPE x64\\Intel PRO1000**. ### Download, extract, and import drivers @@ -266,7 +305,8 @@ On **MDT01**: For the **ThinkStation P500** model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6. -![ThinkStation image](../images/thinkstation.png) +> [!div class="mx-imgBorder"] +> ![ThinkStation image](../images/thinkstation.png) To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). @@ -275,9 +315,12 @@ In this example, we assume you have downloaded and extracted the drivers using T On **MDT01**: 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node. -2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** -The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. +2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** + + The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. ### For the Latitude E7450 @@ -288,7 +331,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the On **MDT01**: 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node. -2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450** + +2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450** ### For the HP EliteBook 8560w @@ -299,7 +345,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the On **MDT01**: 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node. -2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** + +2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** ### For the Microsoft Surface Laptop @@ -308,7 +357,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we On **MDT01**: 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node. -2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** + +2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: + + **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** ## Step 6: Create the deployment task sequence @@ -319,40 +371,46 @@ This section will show you how to create the task sequence used to deploy your p On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**. + 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - 1. Task sequence ID: W10-X64-001 - 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image - 3. Task sequence comments: Production Image - 4. Template: Standard Client Task Sequence - 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image - 6. Specify Product Key: Do not specify a product key at this time - 7. Full Name: Contoso - 8. Organization: Contoso - 9. Internet Explorer home page: https://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time + - Task sequence ID: W10-X64-001 + - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image + - Task sequence comments: Production Image + - Template: Standard Client Task Sequence + - Select OS: Windows 10 Enterprise x64 RTM Custom Image + - Specify Product Key: Do not specify a product key at this time + - Full Name: Contoso + - Organization: Contoso + - Internet Explorer home page: https://www.contoso.com + - Admin Password: Do not specify an Administrator Password at this time ### Edit the Windows 10 task sequence 1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**. -2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: - 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: - 1. Name: Set DriverGroup001 - 2. Task Sequence Variable: DriverGroup001 - 3. Value: Windows 10 x64\\%Make%\\%Model% - 2. Configure the **Inject Drivers** action with the following settings: - 1. Choose a selection profile: Nothing - 2. Install all drivers from the selection profile - >[!NOTE] - >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. +2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings: + + 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings: + - Name: Set DriverGroup001 + - Task Sequence Variable: DriverGroup001 + - Value: Windows 10 x64\\%Make%\\%Model% + + 2. Configure the **Inject Drivers** action with the following settings: + - Choose a selection profile: Nothing + - Install all drivers from the selection profile + + > [!NOTE] + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. + 4. State Restore. Enable the **Windows Update (Post-Application Installation)** action. + 3. Click **OK**. -![drivergroup](../images/fig6-taskseq.png) + ![drivergroup](../images/fig6-taskseq.png) -The task sequence for production deployment. + The task sequence for production deployment. ## Step 7: Configure the MDT production deployment share @@ -368,95 +426,104 @@ On **MDT01**: 1. Right-click the **MDT Production** deployment share and select **Properties**. 2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment): - ``` - [Settings] - Priority=Default - - [Default] - _SMSTSORGNAME=Contoso - OSInstall=YES - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=pass@word1 - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=pass@word1 - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - WSUSServer=mdt01.contoso.com:8530 - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=YES - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - ``` + ``` + [Settings] + Priority=Default + + [Default] + _SMSTSORGNAME=Contoso + OSInstall=YES + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=pass@word1 + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=pass@word1 + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + WSUSServer=mdt01.contoso.com:8530 + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=YES + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + ``` 3. Click **Edit Bootstrap.ini** and modify using the following information: -``` -[Settings] -Priority=Default + ``` + [Settings] + Priority=Default -[Default] -DeployRoot=\\MDT01\MDTProduction$ -UserDomain=CONTOSO -UserID=MDT_BA -UserPassword=pass@word1 -SkipBDDWelcome=YES -``` + [Default] + DeployRoot=\\MDT01\MDTProduction$ + UserDomain=CONTOSO + UserID=MDT_BA + UserPassword=pass@word1 + SkipBDDWelcome=YES + ``` 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. + 5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - 1. Image description: MDT Production x86 - 2. ISO file name: MDT Production x86.iso + + In the **Lite Touch Boot Image Settings** area: + + - Image description: MDT Production x86 + - ISO file name: MDT Production x86.iso - > [!NOTE] - > - >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + > [!NOTE] + > + > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. + 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 8. On the **General** sub tab, configure the following settings: - - In the **Lite Touch Boot Image Settings** area: - 1. Image description: MDT Production x64 - 2. ISO file name: MDT Production x64.iso + + In the **Lite Touch Boot Image Settings** area: + + - Image description: MDT Production x64 + - ISO file name: MDT Production x64.iso + 9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + 10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box. + 11. Click **OK**. ->[!NOTE] ->It will take a while for the Deployment Workbench to create the monitoring database and web service. + >[!NOTE] + >It will take a while for the Deployment Workbench to create the monitoring database and web service. + ![figure 8](../images/mdt-07-fig08.png) -![figure 8](../images/mdt-07-fig08.png) - -The Windows PE tab for the x64 boot image. + The Windows PE tab for the x64 boot image. ### The rules explained The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -> ->You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. ### The Bootstrap.ini file This is the MDT Production Bootstrap.ini: + ``` [Settings] Priority=Default @@ -472,6 +539,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file This is the CustomSettings.ini file with the new join domain information: + ``` [Settings] Priority=Default @@ -528,32 +596,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: ->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**. + +> [!NOTE] +> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). +> +> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**. On **MDT01**: 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\\\x64\\MSDaRT100.msi). + 2. Install DaRT 10 (MSDaRT10.msi) using the default settings. - ![DaRT image](../images/dart.png) + ![DaRT image](../images/dart.png) 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively. + 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**. + 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected. + 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox. - ![DaRT selection](../images/mdt-07-fig09.png) + ![DaRT selection](../images/mdt-07-fig09.png) - Selecting the DaRT 10 feature in the deployment share. + Selecting the DaRT 10 feature in the deployment share. 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box. + 10. Click **OK**. ### Update the deployment share Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. + 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. + 2. Use the default options for the Update Deployment Share Wizard. >[!NOTE] @@ -570,12 +650,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati On **MDT01**: 1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**. + 2. Right-click **Boot Images** and select **Add Boot Image**. + 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings. -![figure 9](../images/mdt-07-fig10.png) + ![figure 9](../images/mdt-07-fig10.png) -The boot image added to the WDS console. + The boot image added to the WDS console. ### Deploy the Windows 10 client @@ -584,13 +666,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl On **HV01**: 1. Create a virtual machine with the following settings: - 1. Name: PC0005 - 2. Store the virtual machine in a different location: C:\VM - 3. Generation: 2 - 4. Memory: 2048 MB - 5. Network: Must be able to connect to \\MDT01\MDTProduction$ - 6. Hard disk: 60 GB (dynamic disk) - 7. Installation Options: Install an operating system from a network-based installation server + + - Name: PC0005 + - Store the virtual machine in a different location: C:\VM + - Generation: 2 + - Memory: 2048 MB + - Network: Must be able to connect to \\MDT01\MDTProduction$ + - Hard disk: 60 GB (dynamic disk) + - Installation Options: Install an operating system from a network-based installation server + 2. Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server. ![figure 10](../images/mdt-07-fig11.png) @@ -598,15 +682,18 @@ On **HV01**: The initial PXE boot process of PC0005. 3. After Windows PE has booted, complete the Windows Deployment Wizard using the following setting: - 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image - 2. Computer Name: **PC0005** - 3. Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following: - 1. Installs the Windows 10 Enterprise operating system. - 2. Installs the added application. - 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. -![pc0005 image1](../images/pc0005-vm.png) + - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image + - Computer Name: **PC0005** + - Applications: Select the **Install - Adobe Reader** checkbox. + +4. Setup now begins and does the following: + + - Installs the Windows 10 Enterprise operating system. + - Installs the added application. + - Updates the operating system via your local Windows Server Update Services (WSUS) server. + + ![pc0005 image1](../images/pc0005-vm.png) ### Application installation @@ -621,12 +708,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo On **MDT01**: 1. In the Deployment Workbench, expand the **MDT Production** deployment share folder. + 2. Select the **Monitoring** node, and wait until you see PC0005. + 3. Double-click PC0005, and review the information. -![figure 11](../images/mdt-07-fig13.png) + ![figure 11](../images/mdt-07-fig13.png) -The Monitoring node, showing the deployment progress of PC0005. + The Monitoring node, showing the deployment progress of PC0005. ### Use information in the Event Viewer @@ -656,9 +745,9 @@ On **MDT01**: 3. Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**. 4. After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created. -![figure 13](../images/mdt-07-fig15.png) + ![figure 13](../images/mdt-07-fig15.png) -The newly created multicast namespace. + The newly created multicast namespace. ## Use offline media to deploy Windows 10 @@ -673,15 +762,18 @@ To filter what is being added to the media, you create a selection profile. When On **MDT01**: 1. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**. + 2. Use the following settings for the New Selection Profile Wizard: - 1. General Settings - - Selection profile name: Windows 10 Offline Media - 2. Folders - 1. Applications / Adobe - 2. Operating Systems / Windows 10 - 3. Out-Of-Box Drivers / WinPE x64 - 4. Out-Of-Box Drivers / Windows 10 x64 - 5. Task Sequences / Windows 10 + + - General Settings + - Selection profile name: Windows 10 Offline Media + + - Folders + - Applications / Adobe + - Operating Systems / Windows 10 + - Out-Of-Box Drivers / WinPE x64 + - Out-Of-Box Drivers / Windows 10 x64 + - Task Sequences / Windows 10 ![offline media](../images/mdt-offline-media.png) @@ -695,10 +787,11 @@ In these steps, you generate offline media from the MDT Production deployment sh >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. + 3. Use the following settings for the New Media Wizard: - General Settings - 1. Media path: **D:\\MDTOfflineMedia** - 2. Selection profile: **Windows 10 Offline Media** + - Media path: **D:\\MDTOfflineMedia** + - Selection profile: **Windows 10 Offline Media** ### Configure the offline media @@ -707,16 +800,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi On **MDT01**: 1. Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files. + 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**. + 3. In the **General** tab, configure the following: - 1. Clear the Generate x86 boot image check box. - 2. ISO file name: Windows 10 Offline Media.iso + - Clear the Generate x86 boot image check box. + - ISO file name: Windows 10 Offline Media.iso + 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**. + 5. On the **General** sub tab, configure the following settings: - 1. In the **Lite Touch Boot Image Settings** area: - - Image description: MDT Production x64 - 2. In the **Windows PE Customizations** area, set the Scratch space size to 128. + - In the **Lite Touch Boot Image Settings** area: + - Image description: MDT Production x64 + - In the **Windows PE Customizations** area, set the Scratch space size to 128. + 6. On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option. + 7. Click **OK**. ### Generate the offline media @@ -726,6 +825,7 @@ You have now configured the offline media deployment share, however the share ha On **MDT01**: 1. In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node. + 2. Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes. ### Create a bootable USB stick @@ -733,15 +833,20 @@ On **MDT01**: The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] ->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\True\), so this must be changed and the offline media content updated. +>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
 
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
 
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
 
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. Follow these steps to create a bootable USB stick from the offline media content: 1. On a physical machine running Windows 7 or later, insert the USB stick you want to use. + 2. Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick. + 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. + 4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. + 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). + 6. In the Diskpart utility, type **active**, and then type **exit**. ## Unified Extensible Firmware Interface (UEFI)-based deployments diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 364700c9e3..01b7db6d7d 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -6,7 +6,6 @@ ms.mktglfcycl: audience: itpro ms.localizationpriority: medium ms.audience: itpro -ms.date: 09/18/2018 ms.reviewer: manager: laurawi ms.topic: article @@ -16,7 +15,15 @@ author: jaimeo # Windows Update - additional resources -> Applies to: Windows 10 +**Applies to**: + +- Windows 10 +- Windows Server 2016 +- Windows Server 2019 + +> [!NOTE] +> Windows Server 2016 supports policies available in Windows 10, version 1607. Windows Server 2019 supports policies available in Windows 10, version 1809. + The following resources provide additional information about using Windows Update. diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 1d42b159e5..3bf28483bf 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -49,10 +49,13 @@ The process proceeds as follows: 1. Perform one of the following tasks: - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard. - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. + 1. Microsoft verifies the KMS host key, and an activation object is created. + 1. Client computers are activated by receiving the activation object from a domain controller during startup. - ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) + > [!div class="mx-imgBorder"] + > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg) **Figure 10**. The Active Directory-based activation flow @@ -72,7 +75,9 @@ When a reactivation event occurs, the client queries AD DS for the activation o **To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. + 1. Launch Server Manager. + 1. Add the Volume Activation Services role, as shown in Figure 11. ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg) @@ -101,18 +106,17 @@ When a reactivation event occurs, the client queries AD DS for the activation o ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg) + **Figure 15**. Choosing how to activate your product + > [!NOTE] > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. - - - - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) - - - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) - - - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) - - - **Figure 15**. Choosing how to activate your product + > + > + > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) + > + > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) + > + > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) 1. After activating the key, click **Commit**, and then click **Close**. @@ -121,15 +125,21 @@ When a reactivation event occurs, the client queries AD DS for the activation o To verify your Active Directory-based activation configuration, complete the following steps: 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. + 1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. + 1. If the computer is not joined to your domain, join it to the domain. + 1. Sign in to the computer. + 1. Open Windows Explorer, right-click **Computer**, and then click **Properties**. + 1. Scroll down to the **Windows activation** section, and verify that this client has been activated. > [!NOTE] > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. -> To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool). + > + > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool). ## See also diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 9fb64c43d7..300e9da96e 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -21,7 +21,7 @@ ms.topic: article Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. -With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. +With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**. The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. @@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each ![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png) - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
+ - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.
+ - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+ - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+ - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+ - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+ - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
+ - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. ## Requirements @@ -106,21 +113,29 @@ To resolve this issue: If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. If the device is running Windows 10, version 1809 or later: -1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. -2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: -![Subscription Activation with MFA example 1](images/sa-mfa1.png)
-![Subscription Activation with MFA example 2](images/sa-mfa2.png)
-![Subscription Activation with MFA example 3](images/sa-mfa3.png) +- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. + +- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: + + ![Subscription Activation with MFA example 1](images/sa-mfa1.png)
+ + ![Subscription Activation with MFA example 2](images/sa-mfa2.png)
+ + ![Subscription Activation with MFA example 3](images/sa-mfa3.png) ### Windows 10 Education requirements -1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation. -3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. +- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. +- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. + +- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. + +- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + +> [!IMPORTANT] +> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. ## Benefits @@ -132,15 +147,19 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions You can benefit by moving to Windows as an online service in the following ways: -1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. -2. User logon triggers a silent edition upgrade, with no reboot required -3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. -4. Compliance support via seat assignment. -5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. +- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. + +- User logon triggers a silent edition upgrade, with no reboot required. + +- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. + +- Compliance support via seat assignment. + +- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. ## How it works -The device is AAD joined from Settings > Accounts > Access work or school. +The device is AAD joined from **Settings > Accounts > Access work or school**. The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. @@ -158,26 +177,35 @@ Before Windows 10, version 1903:
After Windows 10, version 1903:
![1903](images/after.png) -Note: -1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). -2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +> [!NOTE] +> +> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +> +> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). ### Scenarios -**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). +#### Scenario #1 + +You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. -**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). +#### Scenario #2 + +You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: -
+```console
 cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
+``` The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. -**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. +#### Scenario #3 + +Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. @@ -205,7 +233,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: -
+```console
 @echo off
 FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  (
 SET "ProductKey=%%A"
@@ -219,18 +247,24 @@ echo No key present
 echo Installing %ProductKey%
 changepk.exe /ProductKey %ProductKey%
 )
-
+``` ### Obtaining an Azure AD license Enterprise Agreement/Software Assurance (EA/SA): + - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). + - The license administrator can assign seats to Azure AD users with the same process that is used for O365. + - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. Microsoft Products & Services Agreements (MPSA): + - Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. + - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. + - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method. ### Deploying licenses diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 35853c7fd0..b06b997753 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -44,44 +44,61 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Connect Azure Active Directory with the PIN reset service 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. + 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account. - ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + + ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png) + 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant. + 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account. - ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) + + ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png) -> [!NOTE] -> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. + > [!NOTE] + > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant. 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant. - ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) + + > [!div class="mx-imgBorder"] + > ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png) ### Configure Windows devices to use PIN reset using Group Policy You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. + 2. Edit the Group Policy object from Step 1. + 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. + 4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. #### Create a PIN Reset Device configuration profile using Microsoft Intune 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account. + 2. Click **Endpoint Security** > **Account Protection** > **Properties**. + 3. Set **Enable PIN recovery** to **Yes**. > [!NOTE] > You can also setup PIN recovery using configuration profiles. > 1. Sign in to Endpoint Manager. +> > 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type. +> > 3. Set **Enable PIN recovery** to **Yes**. #### Assign the PIN Reset Device configuration profile using Microsoft Intune -1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. +1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. + 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration. + 3. In the device configuration profile, select **Assignments**. + 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. ## On-premises Deployments @@ -106,15 +123,15 @@ On-premises deployments provide users with the ability to reset forgotten PINs e #### Reset PIN above the Lock Screen - 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in - 2. Enter your password and press enter. - 3. Follow the instructions provided by the provisioning process - 4. When finished, unlock your desktop using your newly created PIN. +1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in +2. Enter your password and press enter. +3. Follow the instructions provided by the provisioning process +4. When finished, unlock your desktop using your newly created PIN. You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations). > [!NOTE] -> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index dba7425369..f1e784ee1e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: pahuijbr manager: dansimp -ms.date: 02/12/2021 +ms.date: 03/05/2021 ms.technology: mde --- @@ -408,6 +408,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+1.1.2103.01 + + Package version: **1.1.2103.01** + Platform version: **4.18.2101.9** + Engine version: **1.17800.5** + Signature version: **1.331.2302.0** + +### Fixes +- None + +### Additional information +- None +
+
1.1.2102.03  Package version: **1.1.2102.03** diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 3c666c381b..bc10aad249 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -25,6 +25,14 @@ ms.technology: mde The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made. + +> [!TIP] +> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: +>``` +>https://docs.microsoft.com/api/search/rss?search=%22Release+notes+for+updates+made+to+the+Microsoft+Defender+for+Endpoint+set+of+APIs%22&locale=en-us&facet=&%24filter=scopes%2Fany%28t%3A+t+eq+%27Windows+10%27%29 +>``` + + ### 10.02.2021
diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 98632acbf5..77eb8fddab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -120,7 +120,7 @@ Spreadsheet of domains list | Description For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md). > [!NOTE] -> The spreadsheet contains commercial URLs as well, make sure you check the "US Gov" tabs.
When filtering look for the records labeled as "US Gov" and your specific cloud under the geography column. +> The spreadsheet contains commercial URLs as well, make sure you check the "US Gov" tabs.
When filtering, look for the records labeled as "US Gov" and your specific cloud under the geography column.
@@ -155,7 +155,7 @@ Threat analytics | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/ch Web content filtering | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Integrations: Azure Sentinel | ![Yes](../images/svg/check-yes.svg) | ![No](../images/svg/check-no.svg) In development | ![No](../images/svg/check-no.svg) In development Integrations: Microsoft Cloud App Security | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog -Integrations: Microsoft Compliance Center | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog +Integrations: Microsoft Compliance Manager | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Defender for Identity | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Defender for Office 365 | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog Integrations: Microsoft Endpoint DLP | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/esentire-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/esentire-logo.png new file mode 100644 index 0000000000..0e0c4f181e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/esentire-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onevinn-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/onevinn-logo.png new file mode 100644 index 0000000000..4740d09144 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onevinn-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/quorum-logo.png b/windows/security/threat-protection/microsoft-defender-atp/images/quorum-logo.png new file mode 100644 index 0000000000..39596ac21d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/quorum-logo.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-cmd.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-cmd.png new file mode 100644 index 0000000000..881b6aac22 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-cmd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunting.png new file mode 100644 index 0000000000..2969a418ef Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/techniques-sha1.png b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-sha1.png new file mode 100644 index 0000000000..bc18a8fed6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/techniques-sha1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/timeline-columns.png b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-columns.png new file mode 100644 index 0000000000..8c6a1403e4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-columns.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 6fb9cb19ea..ce5f2102a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -99,3 +99,10 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i ## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site. + +## Battery Consumption issues on iOS when Microsoft Defender for Endpoint is installed + +The battery usage by an app is computed by Apple based on a multitude of factors including CPU and Network usage. Microsoft Defender for Endpoint uses a local/loop-back VPN in the background to check web traffic for any malicious websites or connections. Network packets from any app go through this check and that causes the battery usage of Microsoft Defender for Endpoint to be computed inaccurately. This gives a false impression to the user. The actual battery consumption of Microsoft Defender for Endpoint is lesser than what is shown on the Battery Settings page on the device. This is based on conducted tests done on the Microsoft Defender for Endpoint app to understand battery consumption. + +Also the VPN used is a local VPN and unlike traditional VPNs, network traffic is not sent outside the device. + diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 0a9a064d62..4d25ed5831 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -89,7 +89,7 @@ You'll need to enable, at least, the minimum Remediation Level for a given Devic Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). > [!IMPORTANT] - > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. + > The option to upload a file to the library is only available to those with the appropriate RBAC permissions, specifically Manage security settings role. The button is greyed out for users with only delegated permissions.For more information, see [Permission options](user-roles.md#permission-options). Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md deleted file mode 100644 index 5ba421a832..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ /dev/null @@ -1,43 +0,0 @@ ---- -title: Manage endpoint detection and response capabilities -description: Manage endpoint detection and response capabilities -ms.reviewer: -keywords: -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: - - m365-security-compliance - - m365initiative-defender-endpoint -ms.topic: conceptual -ms.technology: mde ---- - -# Manage endpoint detection and response capabilities - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2118804) - -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting. - - -## In this section -Topic | Description -:---|:--- -[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center. -[Devices list](machines-view-overview.md) | Learn how you can view and manage the devices list, manage device groups, and investigate device related alerts. -[Take response actions](response-actions.md)| Take response actions on devices and files to quickly respond to detected attacks and contain threats. -[Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md index 46fb06d87e..6e71214d72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md @@ -32,7 +32,6 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide. - :::image type="content" source="images/mcafee-mde-migration.png" alt-text="Overview of migrating from McAfee to Defender for Endpoint"::: When you make the switch from McAfee to Defender for Endpoint, you begin with your McAfee solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove McAfee. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md index ae512cbab1..de8ffa73ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md @@ -37,19 +37,16 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho **Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: -1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint). -2. [Run a detection test](#run-a-detection-test). -3. [Uninstall McAfee](#uninstall-mcafee). -4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode). +1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint) +2. [Run a detection test](#run-a-detection-test) +3. [Uninstall McAfee](#uninstall-mcafee) +4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode) ## Onboard devices to Microsoft Defender for Endpoint 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. - 2. Choose **Settings** > **Device management** > **Onboarding**. - 3. In the **Select operating system to start onboarding process** list, select an operating system. - 4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article). ### Onboarding methods @@ -59,10 +56,10 @@ Deployment methods vary, depending on which operating system is selected. Refer |Operating system |Method | |---------|---------| |Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | -|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | -|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +| Windows 8.1 Enterprise

Windows 8.1 Pro

Windows 7 SP1 Enterprise

Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|Windows Server 2019 and later

Windows Server 2019 core edition

Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | |- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | -|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)

iOS

Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | +|macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra)

iOS

Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | ## Run a detection test @@ -71,9 +68,9 @@ To verify that your onboarded devices are properly connected to Microsoft Defend |Operating system |Guidance | |---------|---------| -|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | -|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | -|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.

2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

3. Run the following command to list any detected threats:
`mdatp threat list`.

For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | +|Windows 10

Windows Server 2019

Windows Server, version 1803

Windows Server 2016

Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.

For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | ## Uninstall McAfee diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md index 2db3d956e7..c58cadecc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md @@ -39,9 +39,9 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho This migration phase includes the following steps: 1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices) -2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint). -3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). -4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). +2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint) +3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center) +4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings) ## Get and deploy updates across your organization's devices @@ -50,13 +50,9 @@ As a best practice, keep your organization's devices and endpoints up to date. M ### Make sure your McAfee solution is up to date Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources: - - [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html) - - [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830) - - [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428) - - Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)) ### Make sure your organization's devices are up to date @@ -76,11 +72,8 @@ Need help updating your organization's devices? See the following resources: Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned. 1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp). - 2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). - 3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). - 4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). @@ -95,14 +88,12 @@ The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. 1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). - 2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). If your organization requires a method other than Intune, choose one of the following options: - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) - 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). ## Configure device proxy and internet connectivity settings @@ -111,12 +102,12 @@ To enable communication between your devices and Microsoft Defender for Endpoint |Capabilities | Operating System | Resources | |--|--|--| -|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | -|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| -|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) | [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR | [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)

[Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)

[Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) | [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)

[Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus) | +|Antivirus |macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) ## Next step diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index a1cf1d63fe..ec50768993 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -35,13 +35,13 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho ||*You are here!* | | **Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: -1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). -2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus). -3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee). -4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus). -5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint). +1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode) +2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus) +3. [Add Microsoft Defender for Endpoint to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee) +4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus) +5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint) 6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). -7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). +7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection) ## Enable Microsoft Defender Antivirus and confirm it's in passive mode @@ -49,27 +49,21 @@ On certain versions of Windows, such as Windows Server, Microsoft Defender Antiv This step of the migration process includes the following tasks: - [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) -- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); +- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server) - [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) -- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and -- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). +- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices) +- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode) ### Set DisableAntiSpyware to false on Windows Server The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false: 1. On your Windows Server device, open Registry Editor. - 2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. - 3. In that folder, look for a DWORD entry called **DisableAntiSpyware**. - - If you do not see that entry, you're all set. - - If you do see **DisableAntiSpyware**, proceed to step 4. - 4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**. - 5. Set the value to `0`. (This sets the registry key's value to *false*.) > [!TIP] @@ -84,21 +78,13 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d > - Windows Server 2016 1. As a local administrator on the endpoint or device, open Windows PowerShell. - -2. Run the following PowerShell cmdlets:
- +2. Run the following PowerShell cmdlets:
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
- - `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
- -> [!NOTE] -> When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. -> Example:
-> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
- -3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
- + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`

+ When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. Here are some examples: + `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+ `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`

+3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
`Get-Service -Name windefend` #### Are you using Windows Server 2016? @@ -116,11 +102,8 @@ Because your organization is still using McAfee, you must set Microsoft Defender 1. Open Registry Editor, and then navigate to
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. - -2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - +2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - - Under **Base**, select **Hexadecimal**. > [!NOTE] @@ -137,9 +120,9 @@ To enable Microsoft Defender Antivirus, we recommend using Intune. However, you |Method |What to do | |---------|---------| -|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).

3. Select **Properties**, and then select **Configuration settings: Edit**.

4. Expand **Microsoft Defender Antivirus**.

5. Enable **Cloud-delivered protection**.

6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.

7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.

8. Select **Review + save**, and then choose **Save**.

For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| -|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | -|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.

2. Look for a policy called **Turn off Microsoft Defender Antivirus**.

3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.

For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).

**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.

**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | ### Confirm that Microsoft Defender Antivirus is in passive mode @@ -147,8 +130,8 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen |Method |What to do | |---------|---------| -|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.

2. Type `sc query windefend`, and then press Enter.

3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.

2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.

3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. @@ -174,8 +157,8 @@ The specific exclusions to configure depend on which version of Windows your end |OS |Exclusions | |--|--| -|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
| -|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | +|Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))

Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe` | +| [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)

[Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)

[Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.

`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | ## Add McAfee to the exclusion list for Microsoft Defender Antivirus @@ -191,33 +174,27 @@ You can choose from several methods to add your exclusions to Microsoft Defender |Method | What to do| |--|--| -|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.

2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.

3. Under **Manage**, select **Properties**.

4. Select **Configuration settings: Edit**.

5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.

6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).

7. Choose **Review + save**, and then choose **Save**. | -|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.

2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | -|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.

3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.

5. Click **OK**.

6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.

7. Click **OK**. | -|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.

2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.

3. Specify your path and process exclusions. | -|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.

2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)

**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | ## Add McAfee to the exclusion list for Microsoft Defender for Endpoint To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). 1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. - 2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. - 3. On the **File hashes** tab, choose **Add indicator**. - -3. On the **Indicator** tab, specify the following settings: +4. On the **Indicator** tab, specify the following settings: - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) - Under **Expires on (UTC)**, choose **Never**. - -4. On the **Action** tab, specify the following settings: +5. On the **Action** tab, specify the following settings: - **Response Action**: **Allow** - Title and description - -5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. - -6. On the **Summary** tab, review the settings, and then click **Save**. +6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. +7. On the **Summary** tab, review the settings, and then click **Save**. ### Find a file hash using CMPivot @@ -226,15 +203,10 @@ CMPivot is an in-console utility for Configuration Manager. CMPivot provides acc To use CMPivot to get your file hash, follow these steps: 1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). - 2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). - 3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). - 4. Select the **Query** tab. - 5. In the **Device Collection** list, and choose **All Systems (default)**. - 6. In the query box, type the following query:
```kusto @@ -248,16 +220,14 @@ File(c:\\windows\\notepad.exe) | Collection type | What to do | |--|--| -|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).

2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.

3. Choose **+ Add device group**.

4. Specify a name and description for the device group.

5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).

7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.

8. Choose **Done**. | -|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | -|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.

Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.

Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.

Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.

Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | ## Configure antimalware policies and real-time protection Using Configuration Manager and your device collection(s), configure your antimalware policies. - - See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). - - While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). > [!TIP] diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 6a1580f180..54207a51bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -1,7 +1,7 @@ --- title: Configure Microsoft Cloud App Security integration ms.reviewer: -description: Learn how to turn on the settings to enable the Microsoft Defender ATP integration with Microsoft Cloud App Security. +description: Learn how to turn on the settings to enable the Microsoft Defender for Endpoint integration with Microsoft Cloud App Security. keywords: cloud, app, security, settings, integration, discovery, report search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -35,7 +35,7 @@ To benefit from Microsoft Defender for Endpoint cloud app discovery signals, tur >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. -> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender for Endpoint with Microsoft Cloud App Security. +> See [Microsoft Defender for Endpoint integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/mde-integration) for detailed integration of Microsoft Defender for Endpoint with Microsoft Cloud App Security. ## Enable Microsoft Cloud App Security in Microsoft Defender for Endpoint @@ -52,7 +52,7 @@ To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). -If you are interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1). +If you're interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1). ## Related topic - [Microsoft Cloud App Security integration](microsoft-cloud-app-security-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md index ca77be9029..d318d49479 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md @@ -38,7 +38,10 @@ Logo |Partner name | Description ![Image of CSIS Managed Detection & Response logo](images/csis-logo.png)| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place ![Image of Dell Technologies Advanced Threat Protection logo](images/dell-logo.png)| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability ![Image of DXC-Managed Endpoint Threat Detection and Response logo](images/dxc-logo.png)| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days +![Image of eSentire log](images/esentire-logo.png) | [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2154970) | 24x7 threat investigations and response via Microsoft Defender for Endpoint. ![Image of NTT Security logo](images/ntt-logo.png)| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network +![Image of OneVinn logo](images/onevinn-logo.png) | [Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2155203)| 24/7 Managed Detection and Response built on Microsoft Defender and Azure Sentinel, enriched with Onevinn's threat intelligence. +![Image of Quorum Cyber logo](images/quorum-logo.png) | [Quorum Cyber](https://go.microsoft.com/fwlink/?linkid=2155202)| A cutting-edge Threat Hunting & Security Engineering service. ![Image of Red Canary logo](images/redcanary-logo.png)| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes ![Image of SecureWorks Managed Detection and Response Powered by Red Cloak logo](images/secureworks-logo.png)| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions ![Image of sepagoSOC logo](images/sepago-logo.png)| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md similarity index 93% rename from windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md rename to windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md index 034d227013..ea3eb1315c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-windows-10-multi-session-device.md @@ -45,7 +45,7 @@ Microsoft recommends onboarding Windows Virtual Desktop as a single entry per vi Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. > [!NOTE] -> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. +> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is _not_ recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. ## Scenarios There are several ways to onboard a WVD host machine: @@ -64,24 +64,36 @@ Follow the instructions for a single entry for each device. This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. #### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center -1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) - - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. - - Select Windows 10 as the operating system. - - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. - - Click **Download package** and save the .zip file. + +1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip). + + 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. + 1. Select Windows 10 as the operating system. + 1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. + 1. Click **Download package** and save the .zip file. + 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. #### Use Group Policy management console to run the script when the virtual machine starts + 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. + 2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**. + 3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7). + 4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run. + 5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option. + 6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field. + 7. Specify the following:
+ - Action = **Start a program** - Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe` - Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"` + 8. Select **OK** and close any open GPMC windows. ### Scenario 3: Onboarding using management tools diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md index 7f7ba5bcc3..886f5f8e14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md @@ -54,11 +54,11 @@ Deployment methods vary, depending on which operating system is selected. Refer |Operating system |Method | |---------|---------| -|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | -|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | -|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | -|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | -|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)

iOS

Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | +| Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +| Windows 8.1 Enterprise

Windows 8.1 Pro

Windows 7 SP1 Enterprise

Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +| Windows Server 2019 and later

Windows Server 2019 core edition

Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|Windows Server 2016

Windows Server 2012 R2

Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +| macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra)

iOS

Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | ## Run a detection test @@ -66,9 +66,9 @@ To verify that your onboarded devices are properly connected to Microsoft Defend |Operating system |Guidance | |---------|---------| -|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | -|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | -|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.

2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

3. Run the following command to list any detected threats:
`mdatp threat list`.

For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | +| Windows 10

Windows Server 2019

Windows Server, version 1803

Windows Server 2016

Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.

2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

3. Run the following command to list any detected threats:
`mdatp threat list`.

For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | ## Uninstall your non-Microsoft solution diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md index 0abb46ac9e..035dc8fa0a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md @@ -37,9 +37,9 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho This migration phase includes the following steps: 1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices) -2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint). -3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). -4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). +2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint) +3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center) +4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings) ## Get and deploy updates across your organization's devices @@ -97,12 +97,12 @@ To enable communication between your devices and Microsoft Defender for Endpoint |Capabilities | Operating System | Resources | |--|--|--| -|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | -|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| -|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |[Windows 10](https://docs.microsoft.com/windows/release-health/release-information)

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |[Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)

[Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)

[Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |[Windows 10](https://docs.microsoft.com/windows/release-health/release-information)

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)

[Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| +|Antivirus |macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | ## Next step diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index 75cc95cdab..615ac69697 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -34,13 +34,13 @@ ms.reviewer: jesquive, chventou, jonix, chriggs, owtho ||*You are here!* | | **Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: -1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). -2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus). -3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution). -4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus). -5. [Add your existing solution to the exclusion list for Microsoft Defender for Endpoint](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-for-endpoint). -6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). -7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). +1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode) +2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus) +3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution) +4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus) +5. [Add your existing solution to the exclusion list for Microsoft Defender for Endpoint](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-for-endpoint) +6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units) +7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection) ## Enable Microsoft Defender Antivirus and confirm it's in passive mode @@ -48,10 +48,10 @@ On certain versions of Windows, such as Windows Server, Microsoft Defender Antiv This step of the migration process includes the following tasks: - [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) -- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); +- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server) - [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) -- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and -- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). +- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices) +- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode) ### Set DisableAntiSpyware to false on Windows Server @@ -90,7 +90,7 @@ The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d #### Are you using Windows Server 2016? -If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet: +If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet on the device: `mpcmdrun -wdenable` @@ -158,8 +158,8 @@ The specific exclusions to configure depend on which version of Windows your end |OS |Exclusions | |--|--| -|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
| -|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | +|Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))

Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`

`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe` | +|[Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)

[Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)

[Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`

**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`

`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | ## Add your existing solution to the exclusion list for Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index 875014bddb..eea4a8b5c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -36,10 +36,10 @@ ms.reviewer: depicker, yongrhee, chriggs **Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps: -1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint). -2. [Run a detection test](#run-a-detection-test). -3. [Uninstall Symantec](#uninstall-symantec). -4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode). +1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint) +2. [Run a detection test](#run-a-detection-test) +3. [Uninstall Symantec](#uninstall-symantec) +4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode) ## Onboard devices to Microsoft Defender for Endpoint @@ -55,10 +55,10 @@ Deployment methods vary, depending on which operating system is selected. Refer |Operating system |Method | |---------|---------| |Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | -|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | -|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | -|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | -|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)

iOS

Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | +| Windows 8.1 Enterprise

Windows 8.1 Pro

Windows 7 SP1 Enterprise

Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)

**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|Windows Server 2019 and later

Windows Server 2019 core edition

Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)

**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|Windows Server 2016

Windows Server 2012 R2

Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra)

iOS

Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | ## Run a detection test @@ -66,9 +66,9 @@ To verify that your onboarded devices are properly connected to Microsoft Defend |Operating system |Guidance | |---------|---------| -|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | -|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | -|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.

2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.

3. Run the following command to list any detected threats:
`mdatp threat list`.

For more information, see [Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | +|Windows 10

Windows Server 2019

Windows Server, version 1803

Windows Server 2016

Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).

Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).

For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.

For more information, see [Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | ## Uninstall Symantec diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index 6971395c3d..5b1490bd1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -37,9 +37,9 @@ ms.reviewer: depicker, yongrhee, chriggs **Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps: -1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint). -2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). -3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). +1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint) +2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center) +3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings) ## Get Microsoft Defender for Endpoint @@ -75,12 +75,12 @@ To enable communication between your devices and Microsoft Defender for Endpoint |Capabilities | Operating System | Resources | |:----|:----|:---| -|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | -|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | -|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| -|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft -Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | -|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |[Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |[Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)

[Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)

[Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)

[Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |[Microsoft Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |[Windows 10](https://docs.microsoft.com/windows/release-health/release-information/)

[Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)

[Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)

[Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| +|Antivirus |macOS:
10.15 (Catalina)
10.14 (Mojave)
10.13 (High Sierra) |[Microsoft -Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
RHEL 7.2+
CentOS Linux 7.2+
Ubuntu 16 LTS, or higher LTS
SLES 12+
Debian 9+
Oracle Linux 7.2 |[Microsoft Defender for Endpoint for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) | ## Next step diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index 14c748835b..a743eb9874 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -35,9 +35,9 @@ ms.reviewer: depicker, yongrhee, chriggs **Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps: -1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows). -2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). -3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus). +1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows) +2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus) +3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus) 4. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec). 5. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus). 6. [Add Symantec to the exclusion list for Microsoft Defender for Endpoint](#add-symantec-to-the-exclusion-list-for-microsoft-defender-for-endpoint). diff --git a/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md index 354403163d..baa3deac5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/techniques-device-timeline.md @@ -52,18 +52,18 @@ Select the specific *Attack technique* to open the related ATT&CK technique page You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon. -![Copy entity details](images/techniques-side-pane-clickable.png) +![Copy entity details](images/techniques-sha1.png) You can do the same for command lines. -![Copy command line](images/techniques-side-pane-command.png) +![Copy command line](images/techniques-cmd.png) ## Investigate related events To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique. -![Hunt for related events](images/techniques-hunt-for-related-events.png) +![Hunt for related events](images/techniques-hunting.png) >[!NOTE] >Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results. @@ -78,7 +78,7 @@ You can customize which columns to expose. You can also filter for flagged event ### Choose columns to expose You can choose which columns to expose in the timeline by selecting the **Choose columns** button. -![Customize columns](images/filter-customize-columns.png) +![Customize columns](images/timeline-columns.png) From there you can select which information set to include. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 072625e781..dd9655ac64 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune ->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. ## Security @@ -100,24 +100,37 @@ Endpoint detection and response is improved. Enterprise customers can now take a - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. Other enhanced security features include: + - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. + - [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. + - [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. + - [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. + - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. + - [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. @@ -172,10 +185,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap To achieve this: 1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. + 2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. + + > [!IMPORTANT] + > The encryption policy must be assigned to **devices** in the group, not users. + 3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + + > [!IMPORTANT] + > If the ESP is not enabled, the policy will not apply before encryption starts. ### Identity protection @@ -186,16 +205,25 @@ Improvements have been added are to Windows Hello for Business and Credential Gu New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include: + - You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). + - For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. + - For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). -[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). + - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). + - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. + - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. + - You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. + - New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. + - It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) @@ -204,7 +232,10 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. + +> [!NOTE] +> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). @@ -245,7 +276,8 @@ A new security policy setting We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") +> [!div class="mx-imgBorder"] +> ![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") ## Deployment @@ -277,14 +309,17 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). The following new DISM commands have been added to manage feature updates: - DISM /Online /Initiate-OSUninstall - – Initiates a OS uninstall to take the computer back to the previous installation of windows. - DISM /Online /Remove-OSUninstall - – Removes the OS uninstall capability from the computer. - DISM /Online /Get-OSUninstallWindow - – Displays the number of days after upgrade during which uninstall can be performed. - DISM /Online /Set-OSUninstallWindow - – Sets the number of days after upgrade during which uninstall can be performed. +- **DISM /Online /Initiate-OSUninstall** + - Initiates an OS uninstall to take the computer back to the previous installation of windows. + +- **DISM /Online /Remove-OSUninstall** + - Removes the OS uninstall capability from the computer. + +- **DISM /Online /Get-OSUninstallWindow** + - Displays the number of days after upgrade during which uninstall can be performed. + +- **DISM /Online /Set-OSUninstallWindow** + - Sets the number of days after upgrade during which uninstall can be performed. For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). @@ -300,20 +335,22 @@ For more information, see [Run custom actions during feature update](https://doc It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] +`/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21). New command-line switches are also available to control BitLocker: - Setup.exe /BitLocker AlwaysSuspend - – Always suspend bitlocker during upgrade. - Setup.exe /BitLocker TryKeepActive - – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. - Setup.exe /BitLocker ForceKeepActive - – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. +- **Setup.exe /BitLocker AlwaysSuspend** + - Always suspend BitLocker during upgrade. -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) +- **Setup.exe /BitLocker TryKeepActive** + - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. + +- **Setup.exe /BitLocker ForceKeepActive** + - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33). ### Feature update improvements @@ -332,20 +369,27 @@ SetupDiag works by searching Windows Setup log files. When searching log files, If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! **To enable fast sign-in:** + 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. + 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. + 3. Sign-in to a shared PC with your account. You'll notice the difference! - ![fast sign-in](../images/fastsignin.png "fast sign-in") + ![fast sign-in](../images/fastsignin.png "fast sign-in") ### Web sign-in to Windows 10 Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). **To try out web sign-in:** + 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). + 2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. + 3. On the lock screen, select web sign-in under sign-in options. + 4. Click the "Sign in" button to continue. ![Web sign-in](../images/websignin.png "web sign-in") @@ -386,7 +430,7 @@ Maintaining devices is made easier with Device Health, a new, premium analytic t ### Accessibility -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post. ### Privacy @@ -404,7 +448,7 @@ If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.micro Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. -For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803). ### OS uninstall period @@ -433,7 +477,9 @@ Previously, the customized taskbar could only be deployed using Group Policy or [Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) + - Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) + - Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). ## Windows Update @@ -481,7 +527,7 @@ Added policies include: - [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) - [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). ### Uninstalled in-box apps no longer automatically reinstall @@ -564,11 +610,11 @@ Several network stack enhancements are available in this release. Some of these In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). -How it works: +#### How it works Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. -Miracast over Infrastructure offers a number of benefits: +#### Miracast over Infrastructure offers a number of benefits - Windows automatically detects when sending the video stream over this path is applicable. - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. @@ -577,18 +623,22 @@ Miracast over Infrastructure offers a number of benefits: - It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. - It leverages an existing connection which both reduces the time to connect and provides a very stable stream. -Enabling Miracast over Infrastructure: +#### Enabling Miracast over Infrastructure If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. + - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + - The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. + - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. +> [!IMPORTANT] +> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. ## Registry editor improvements @@ -603,12 +653,15 @@ Azure Active Directory and Active Directory users using Windows Hello for Busine To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. + - Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. See the following example: ![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") + +![Initiate a Remote Desktop connection](../images/RDPwBio2.png "Windows Hello personal") + ![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") ## See Also