From c0ad9f87a6835f35cf901fd660365bd2cc6bb769 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 11 Jul 2016 12:11:44 -0700 Subject: [PATCH 01/49] decision maker audience addition --- ...-windows-telemetry-in-your-organization.md | 193 ++++++++++++++---- 1 file changed, 149 insertions(+), 44 deletions(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 1d4f6b116f..f69a2ac28e 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -17,34 +17,118 @@ author: brianlic-msft - Windows 10 Mobile - Windows Server 2016 Technical Preview -Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services. +At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how. ->**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server. +To frame a discussion about telemetry, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways: -It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers. +- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools. +- **Transparency.** We are provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt telemetry in transit from your device and protect that data at our data centers using strong security measures. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers. -We understand that the privacy and security of our customers’ information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016. +This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. + + +Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. ## Overview -In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings > Privacy, Group Policy, or MDM. - -Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers. - -Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers. +In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM. For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. +## Understanding Windows telemetry + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. + +The release cadence of Windows as a Service may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows telemetry? +Windows telemetry is technical data about the device and is used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows telemetry data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT telemetry? + +Confusing telemetry with functional data can be easy. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between telemetry and functionality data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. + +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Telemetry gives users a voice + +Windows and Windows Server telemetry gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Drive higher app and driver quality + +Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve a big problem in just 48 hours. Many people were able to avoid losing data due to unplanned reboots without even knowing there was an issue. + +**From an enterprise perspective, this fast response may have avoided lost data and reduced costly support incidents.** + +### Improve end-user productivity + +Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature. + +**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called Windows 10 Upgrade Analytics, will be available in Summer 2016. + +#### Windows 10 Upgrade Analytics + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Analytics to get: +• A visual workflow that guides you from pilot to production +• Detailed computer, driver, and application inventory +• Powerful computer level search and drill-downs +• Guidance and insights into application and driver compatibility issues with suggested fixes +• Data driven application rationalization tools +• Application usage information, allowing targeted validation; workflow to track validation progress and decisions +• Data export to commonly used software deployment tools + +The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + + ## How is telemetry data handled by Microsoft? ### Data collection -Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. +Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. 1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. 2. Events are gathered using public operating system event logging and tracing APIs. 3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings. -4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning. +4. The Connected User Experience and Telemetry component transmits the telemetry data. Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. @@ -56,21 +140,21 @@ All telemetry data is encrypted using SSL and uses certificate pinning during tr The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. -The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com. +The following table defines the endpoints for telemetry services: -The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information. - -[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com. - -[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com. +| Service | Endpoint | +| - | - | +| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com
settings-win.data.microsoft.com | +| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | ### Data use and access -Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. +The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. ### Retention -Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history. +Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history. ## Telemetry levels @@ -81,19 +165,19 @@ The telemetry data is categorized into four levels: - **Security**. Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. -- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level. +- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level. - **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. -The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview. +The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview. ![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png) ### Security level -The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions. +The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions. > **Note:**  If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. @@ -103,7 +187,7 @@ Windows Server Update Services (WSUS) and System Center Configuration Manager fu The data gathered at this level includes: -- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsoft’s servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). +- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. @@ -126,11 +210,11 @@ No user content, such as user files or communications, is gathered at the **Secu ### Basic level -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. The data gathered at this level includes: -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including: +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include: - Device attributes, such as camera resolution and display type @@ -156,7 +240,7 @@ The data gathered at this level includes: - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started + - **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. @@ -166,13 +250,13 @@ The data gathered at this level includes: - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. -- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. +- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. ### Enhanced level The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. -This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. +This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. The data gathered at this level includes: @@ -202,6 +286,15 @@ However, before more data is gathered, Microsoft’s privacy governance team, in - All crash dump types, including heap dumps and full dumps. +## Enterprise management + +Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option. + +Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available. + +IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users’ choices. The remainder of this section describes how to do that. + + ### Manage your telemetry settings We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. @@ -210,7 +303,7 @@ We do not recommend that you turn off telemetry in your organization as valuable You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on. -The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.** +The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**. ### Configure the operating system telemetry level @@ -218,14 +311,13 @@ You can configure your operating system telemetry settings using the management Use the appropriate value in the table below when you configure the management policy. -| Value | Level | Data gathered | -|-------|----------|---------------------------------------------------------------------------------------------------------------------------| -| **0** | Security | Security data only. | -| **1** | Basic | Security data, and basic system and quality data. | -| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | -| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | +| Level | Data gathered | Value | +| - | - | - | +| Security | Security data only. | **0** | +| Basic | Security data, and basic system and quality data. | **1** | +| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | +| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | -  ### Use Group Policy to set the telemetry level @@ -277,19 +369,32 @@ There are a few more settings that you can turn off that may send telemetry info >**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. -   +## Additional resources -## Examples of how Microsoft uses the telemetry data +FAQs: +- [Cortana, Search, and privacy](http://windows.microsoft.com/en-us/windows-10/cortana-privacy-faq) +- [Windows 10 feedback, diagnostics, and privacy](http://windows.microsoft.com/en-us/windows-10/feedback-diagnostics-privacy-faq) +- [Windows 10 camera and privacy](http://windows.microsoft.com/en-us/windows-10/camera-privacy-faq) +- [Windows 10 location service and privacy](http://windows.microsoft.com/en-us/windows-10/location-service-privacy) +- [Microsoft Edge and privacy](http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq) +- [Windows 10 speech, inking, typing, and privacy](http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq) +- [Windows Hello and privacy](http://windows.microsoft.com/en-us/windows-10/windows-hello-privacy-faq) +- [Wi-Fi Sense](http://windows.microsoft.com/en-us/windows-10/wi-fi-sense-faq) +- [Windows Update Delivery Optimization](http://windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq) -### Drive higher application and driver quality in the ecosystem +Blogs: -Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers’ deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsoft’s ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications. +- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) -### Reduce your total cost of ownership and downtime +Privacy Statement: -Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates. +- [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement) -### Build features that address our customers’ needs +TechNet: -Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers’ experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft. \ No newline at end of file +- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) + +Web Pages: + +- [Privacy at Microsoft](http://privacy.microsoft.com) From a9c621ce22b0ddf001f9da3b29b4bf0dc83d4abf Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 11 Jul 2016 12:52:50 -0700 Subject: [PATCH 02/49] typos --- ...-windows-telemetry-in-your-organization.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index f69a2ac28e..daaa0d03ee 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -108,13 +108,14 @@ To better help customers through this difficult process, Microsoft developed Upg With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. Use Upgrade Analytics to get: -• A visual workflow that guides you from pilot to production -• Detailed computer, driver, and application inventory -• Powerful computer level search and drill-downs -• Guidance and insights into application and driver compatibility issues with suggested fixes -• Data driven application rationalization tools -• Application usage information, allowing targeted validation; workflow to track validation progress and decisions -• Data export to commonly used software deployment tools + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. @@ -371,7 +372,7 @@ There are a few more settings that you can turn off that may send telemetry info ## Additional resources -FAQs: +FAQs - [Cortana, Search, and privacy](http://windows.microsoft.com/en-us/windows-10/cortana-privacy-faq) - [Windows 10 feedback, diagnostics, and privacy](http://windows.microsoft.com/en-us/windows-10/feedback-diagnostics-privacy-faq) @@ -383,18 +384,18 @@ FAQs: - [Wi-Fi Sense](http://windows.microsoft.com/en-us/windows-10/wi-fi-sense-faq) - [Windows Update Delivery Optimization](http://windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq) -Blogs: +Blogs - [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) -Privacy Statement: +Privacy Statement - [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement) -TechNet: +TechNet - [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) -Web Pages: +Web Pages - [Privacy at Microsoft](http://privacy.microsoft.com) From 7a9f6cb26e9d80d61c2a69664b0673cdfc2c04f5 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 11 Jul 2016 16:49:47 -0700 Subject: [PATCH 03/49] tech review feedback --- .../configure-windows-telemetry-in-your-organization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index daaa0d03ee..96c38f1e90 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -23,7 +23,7 @@ To frame a discussion about telemetry, it is important to understand Microsoft - **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools. - **Transparency.** We are provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt telemetry in transit from your device and protect that data at our data centers using strong security measures. +- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers. - **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. - **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting. - **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers. @@ -46,7 +46,7 @@ Windows as a Service is a fundamental change in how Microsoft plans, builds, and The release cadence of Windows as a Service may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts. ### What is Windows telemetry? -Windows telemetry is technical data about the device and is used in the following ways: +Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: - Keep Windows up to date - Keep Windows secure, reliable, and performant From 273e49e5d732084070008dcd38fd6ba3f849934c Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Jul 2016 09:48:14 -0700 Subject: [PATCH 04/49] pulling upgrade analytics section for now --- .../manage/configure-windows-telemetry-in-your-organization.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 96c38f1e90..dae64d2d07 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -95,6 +95,7 @@ Windows telemetry also helps Microsoft better understand how customers use (or d **These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + ## How is telemetry data handled by Microsoft? ### Data collection From 4573ff486cfab120c74635868cd6e43626ddffe9 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 12 Jul 2016 09:55:00 -0700 Subject: [PATCH 05/49] Pulled content out of topics and into its own to better address customer questions --- windows/keep-secure/TOC.md | 1 + ...reate-and-verify-an-efs-dra-certificate.md | 85 +++++++++++++++++++ .../create-edp-policy-using-intune.md | 48 +---------- .../create-edp-policy-using-sccm.md | 41 +-------- 4 files changed, 89 insertions(+), 86 deletions(-) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 504f41304c..0e7321d864 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -22,6 +22,7 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) +#### [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md new file mode 100644 index 0000000000..5f98952a87 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -0,0 +1,85 @@ + +--- +title: Create and verify an Encrypting File System (EFS) DRA certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) DRA certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where `<”new_location”>` is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 17b58ff4b3..81f4eb2745 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -304,56 +304,10 @@ There are no default locations included with EDP, you must add each of your netw 2. Add as many locations as you need, and then click **OK**.

The **Add or Edit Enterprise Network Locations box** closes. -3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](#create-and-verify-an-encrypting-file-system-efs-dra-certificate) section of this topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

+3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

![Microsoft Intune: Specify a data recovery certificate for your policy](images/intune-data-recovery.png) -### Create and verify an Encrypting File System (EFS) DRA certificate -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. To add your EFS DRA certificate to your policy by using Microsoft Intune, see Step 3 in the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - ## Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 9fd513eda2..5668449d99 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -441,49 +441,12 @@ There are no default locations included with EDP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png) -#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - ->**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. -2. Run this command: - - `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - **Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c `
Where `` is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. - ### Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. From 4e064571bc7deb976fc431845058092773c6a3d7 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 12 Jul 2016 11:03:09 -0700 Subject: [PATCH 06/49] Updated formatting --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 5f98952a87..ae8da1f1a0 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -68,9 +68,10 @@ If you already have an EFS DRA certificate for your organization, you can skip c **To recover your EDP-protected desktop data after unenrollment** 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` - Where `<”new_location”>` is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. 2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: From 2d47c556fc6877dd98a8fbdc1b6f124ee0d1019a Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 12 Jul 2016 11:16:46 -0700 Subject: [PATCH 07/49] PR feedback --- ...configure-windows-telemetry-in-your-organization.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index dae64d2d07..9ab09a0d21 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -43,7 +43,7 @@ For Windows 10, we invite IT pros to join the [Windows Insider Program](http:// Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. -The release cadence of Windows as a Service may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts. +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts. ### What is Windows telemetry? Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: @@ -61,9 +61,9 @@ Here are some specific examples of Windows telemetry data: ### What is NOT telemetry? -Confusing telemetry with functional data can be easy. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request. +Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a user’s location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the user’s request. -There are subtle differences between telemetry and functionality data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. +There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). @@ -81,9 +81,7 @@ Windows and Windows Server telemetry gives every user a voice in the operating s Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. -A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve a big problem in just 48 hours. Many people were able to avoid losing data due to unplanned reboots without even knowing there was an issue. - -**From an enterprise perspective, this fast response may have avoided lost data and reduced costly support incidents.** +A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. ### Improve end-user productivity From 905d9446191ae2c61be625fdab2b34755796293c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 12 Jul 2016 12:19:25 -0700 Subject: [PATCH 08/49] Fixing formatting --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index ae8da1f1a0..133b453239 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -24,6 +24,7 @@ The recovery process included in this topic only works for desktop devices. EDP If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. **To manually create an EFS DRA certificate** + 1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. 2. Run this command: @@ -45,6 +46,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on an EDP client computer** + 1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. 2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: @@ -56,6 +58,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c 3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. **To recover your data using the EFS DRA certificate in a test environment** + 1. Copy your EDP-encrypted file to a location where you have admin access. 2. Install the EFSDRA.pfx file, using your password. @@ -67,6 +70,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. **To recover your EDP-protected desktop data after unenrollment** + 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` From 2c8e5b7e4945b67aefb2f43a89881479cf799705 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 12 Jul 2016 14:06:14 -0700 Subject: [PATCH 09/49] Updated change history for new DRA topic --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 1 + .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 812c222e48..ff277a1095 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 133b453239..03d72f1d40 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -1,6 +1,6 @@ --- -title: Create and verify an Encrypting File System (EFS) DRA certificate (Windows 10) +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. ms.prod: w10 ms.mktglfcycl: explore @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security --- -# Create and verify an Encrypting File System (EFS) DRA certificate +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate **Applies to:** - Windows 10 Insider Preview From 56ec734cade0f4b25a3e047b0ac4a45bed5879ed Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 13 Jul 2016 09:24:26 -0700 Subject: [PATCH 10/49] Created new topic for inclusion in the guidance area --- .../keep-secure/mandatory-settings-for-wip.md | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 windows/keep-secure/mandatory-settings-for-wip.md diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md new file mode 100644 index 0000000000..9c265848d2 --- /dev/null +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -0,0 +1,31 @@ +--- +title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) +description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP) in your enterprise. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Mandatory tasks and settings required to turn on Windows Information Protection (WIP) +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP) in your enterprise. + +>**Important**
+All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise. + + +|Task |Description | +|------------------------------------|--------------------------| +|Add at least one app rule in the **App rules** area in your WIP policy. |You must have at least one app rule specified in the **App rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.| +|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.| +|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. | +|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. | +|Specify your Enterprise IPv4 Ranges. |Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. | +|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. | \ No newline at end of file From be179441ece74f8c7868c131255860d7ba79b7a1 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 13 Jul 2016 09:25:45 -0700 Subject: [PATCH 11/49] Added new topic for mandatory tasks --- windows/keep-secure/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 504f41304c..f478cdc121 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -23,6 +23,7 @@ ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) +#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) From 42bb28e4dfe877a4c1a96154da4e917136e8da71 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 15 Jul 2016 09:36:48 -0700 Subject: [PATCH 12/49] Updated to include both IPv4 and IPv6 --- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 9c265848d2..9a23e25d67 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -27,5 +27,5 @@ All sections provided for more info appear in either the [Create a Windows Infor |Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.| |Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. | |Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. | -|Specify your Enterprise IPv4 Ranges. |Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. | +|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. | |Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. | \ No newline at end of file From 58c3cf81b95b0df8133fb5af8a02d7b7939cd17e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 15 Jul 2016 10:17:23 -0700 Subject: [PATCH 13/49] Fixing image issue --- .../create-edp-policy-using-intune.md | 540 +++++++++++------- 1 file changed, 337 insertions(+), 203 deletions(-) diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 81f4eb2745..7f51444b81 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -27,315 +27,449 @@ We've received some great feedback from you, our Windows 10 Insider Preview cust Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. ## Add an EDP policy -After you’ve installed and set up Intune for your organization, you must create an EDP-specific policy. +After you’ve set up Intune for your organization, you must create an EDP-specific policy. **To add an EDP policy** 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) 3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-namedescription.png) + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) -## Add individual apps to your Protected App list +### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. -The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application. +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file. ->**Important**
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.

+>**Important**
+EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your App Rules list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->**Note**
If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. +

+>**Note**
+If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. -**To add a UWP app** +#### Add a store app rule to your policy +For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. -1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** +**To add a store app** +1. From the **App Rules** area, click **Add**. -2. Click **Universal App**, type the **Publisher Name** and the **Product Name** into the associated boxes, and then click **OK**. If you don't have the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + The **Add App Rule** box appears. - **To find the Publisher and Product name values for Microsoft Store apps without installing them** + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) - 1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - - >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. - 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic. + +4. Pick **Store App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. + +If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. + +**To find the Publisher and Product Name values for Store apps without installing them** +1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. + + >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic. + +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value. -

The API runs and opens a text editor with the app details. ``` json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } ``` - 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. +4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. -

For example:
- ``` json + ``` json { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - - ![Microsoft Intune: Add a UWP app to the Protected Apps list](images/intune-addapps.png) + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` - **To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones** +**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** +1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. + >**Note**
+ Your PC and phone must be on the same wireless network. + +2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. + +3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. + +4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. + +5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. + +6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. + +7. Start the app for which you're looking for the publisher and product name values. + +8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. + + >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- >**Note**
Your PC and phone must be on the same wireless network. - - 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. - - 3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**. - - 4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate. - - 5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step. - - 6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names. - - 7. Start the app for which you're looking for the publisher and product name values - - 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - - >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. -

For example:
- ``` json + ``` json { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` -**To add a Classic Windows application** +#### Add a desktop app rule to your policy +For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. -1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.** -

A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**. +**To add a desktop app** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic. + +4. Pick **Desktop App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Pick the options you want to include for the app rule (see table), and then click **OK**. -2. Click **Desktop App**, pick the options you want (see table), and then click **OK**. - + - + - - - + + + - - - - - - + + - - + + - + + + + +
Option Manages
All fields left as "*"All fields left as “*” All files signed by any publisher. (Not recommended.)
Publisher selected All files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.
Publisher and Product Name selected All files for the specified product, signed by the named publisher.
Publisher, Product Name, and File Name selected
Publisher, Product Name, and Binary name selected Any version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, File Name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, File Name, and File Version, And above selected
Publisher, Product Name, Binary name, and File Version, and above, selected Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.
Publisher, Product Name, File Name, and File Version, And below selected
Publisher, Product Name, Binary name, and File Version, And below selected Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: -``` ps1 -Get-AppLockerFileInformation -Path "" +```ps1 + Get-AppLockerFileInformation -Path "" ``` -Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. -![Microsoft Intune: Add a Classic Windows app to the Protected Apps list](images/intune-add-desktop-app.png) +#### Add an AppLocker policy file +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content. -## Exempt apps from EDP restrictions +**To create an app rule and xml file using the AppLocker tool** +1. Open the Local Security Policy snap-in (SecPol.msc). + +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. + + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + +3. Right-click in the right-hand pane, and then click **Create New Rule**. + + The **Create Packaged app Rules** wizard appears. + +4. On the **Before You Begin** page, click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. + + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + +6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. + + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. + + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + +8. On the updated **Publisher** page, click **Create**. + + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + +9. Review the Local Security Policy snap-in to make sure your rule is correct. + + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. + + The **Export policy** box opens, letting you export and save your new policy as XML. + + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. + + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + + **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos. + + ```xml + + + + + + + + + + + + + + + + ``` +12. After you’ve created your XML file, you need to import it by using Microsoft Intune. + +**To import your Applocker policy file app rule using Microsoft Intune** +1. From the **App Rules** area, click **Add**. + + The **Add App Rule** box appears. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. + +3. Click **Allow** from the **Enterprise data protection mode** drop-down list. + + Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic. + +4. Pick **AppLocker policy file** from the **Rule template** drop-down list. + + The box changes to let you import your AppLocker XML policy file. + +5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. + + The file is imported and the apps are added to your **App Rules** list. + +#### Exempt apps from EDP restrictions If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. -**To exempt an UWP app** - -1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11. - -2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/edpexempt/StoreApp EXE`.

Where **edpexempt** is added as a substring, making the app exempt. - -3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. - -4. Copy the text that has a **Type** of Appx, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: - - ``` - - ``` +**To exempt a store app, a desktop app, or an AppLocker policy file app rule** +1. From the **App Rules** area, click **Add**. -5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + The **Add App Rule** box appears. -**To exempt a Classic Windows application** +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. -1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11. +3. Click **Exempt** from the **Enterprise data protection mode** drop-down list. -2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/edpexempt/EXE`.

Where **edpexempt** is added as a substring, making the app exempt. + Be aware that when you exempt apps, they’re allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. -3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad. +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: -4. Copy the text that has a **Type** of EXE, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example: + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - ``` - - ``` + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. -5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. -## Manage the EDP protection level for your enterprise data +5. Click **OK**. + +### Manage the EDP protection mode for your enterprise data After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. - - - - - - - - - - - - - - - - - - - - - -
ModeDescription
BlockEDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.
OverrideEDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).
SilentEDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.
OffEDP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.

+|Mode |Description | +|-----|------------| +|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.| +|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.

After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.| -![Microsoft Intune: Add the protection level for your Protected Apps list](images/intune-encryption-level.png) +![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) -## Define your enterprise-managed identity domains -Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list. +### Define your enterprise-managed corporate identity +Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies. -You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com. +You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. -This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed. +**To add your corporate identity** +- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. -**To add your primary domain** + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) -- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.

-If you have multiple domains, you must separate them with the "|" character. For example, `contoso.com|fabrikam.com`. +### Choose where apps can access enterprise data +After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. - ![Microsoft Intune: Add the primary internet domain for your enterprise identity](images/intune-primary-domain.png) - -## Choose where apps can access enterprise data -After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

-There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). +There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). >**Important**
-- Every EDP policy should include policy that defines your enterprise network locations.

+- Every EDP policy should include policy that defines your enterprise network locations.

- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. -**To specify where your protected apps can find and send enterprise data on the network** +**To define where your protected apps can find and send enterprise data on you network** -1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including: +1. Add additional network locations your apps can access by clicking **Add**. + + The **Add or edit corporate network definition** box appears. + +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud Resources**With proxy:**

contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:**

contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by EDP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example:

`URL <,proxy>|URL <,proxy>`

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example:

`URL <,proxy>|URL <,proxy>|/*AppCompat*/`

Enterprise Network Domain Namesdomain1.contoso.com,domain2.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversdomain1.contoso.com:80;
domain2.contoso.com:137		Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serversproxy1.contoso.com;
proxy2.contoso.com		Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:
ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

- - ![Microsoft Intune: Choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png) + + Network location type + Format + Description + + + Enterprise Cloud Resources + **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
contoso.visualstudio.com,proxy.contoso.com

**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by EDP.

For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` + + + Enterprise Network Domain Names (Required) + corp.contoso.com,region.contoso.com + Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter. + + + Enterprise Proxy Servers + proxy.contoso.com:80;proxy2.contoso.com:137 + Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.

This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.

This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.

If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise Internal Proxy Servers + contoso.internalproxy1.com;contoso.internalproxy2.com + Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise IPv4 Range (Required, if not using IPv6) + **Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254 + Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter. + + + Enterprise IPv6 Range (Required, if not using IPv4) + **Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter. + + + Neutral Resources + sts.contoso.com,sts.contoso2.com + Specify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter. + + -2. Add as many locations as you need, and then click **OK**.

The **Add or Edit Enterprise Network Locations box** closes. +3. Add as many locations as you need, and then click **OK**. -3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.

After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.

+ The **Add corporate network definition** box closes. - ![Microsoft Intune: Specify a data recovery certificate for your policy](images/intune-data-recovery.png) +4. Decide if you want to Windows to look for additional network settings: -## Choose your optional EDP-related settings + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. + + - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. + +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. + + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + + After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + +### Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. -**To add your optional settings** +![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) -1. Choose to set any or all of the optional EDP-related settings: +**To set your optional settings** +1. Choose to set any or all of the optional settings: - - **Allow the user to decrypt data that was created or edited by the apps configured above.** Clicking **Yes**, or turning off this setting in Intune, lets your employees right-click to decrypt their protected app data, along with the option to decrypt data in the **Save As** box and the **Save As** file picker . Clicking **No** removes the **Decrypt** option and saves all data for protected apps as enterprise-encrypted. + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone. + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are: + + - **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked. + + - **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked. - ![Microsoft Intune: Optional EDP settings](images/intune-edpsettings.png) + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: -2. Click **Save Policy**. + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + + - **Show the enterprise data protection icon overlay.** Determines whether the enterprise data protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are: + + - **Yes (recommended).** Allows the enterprise data protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. + + - **No, or not configured.** Stops the enterprise data protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu. + +2. Click **Save Policy**. ## Related topics - [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) - [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) -- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) - - - -  - -  - - - - - +- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) \ No newline at end of file From fbe41720ed152269e3b4f3db517154804a320063 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 15 Jul 2016 11:22:20 -0700 Subject: [PATCH 14/49] Updated for publish --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 1 + windows/keep-secure/mandatory-settings-for-wip.md | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 8a96eaa113..d43c87c4e9 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated | diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 9a23e25d67..bc0c26537d 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -1,6 +1,7 @@ --- title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) -description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP) in your enterprise. +description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise. +keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,7 +16,7 @@ ms.pagetype: security [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP) in your enterprise. +This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection(EDP), in your enterprise. >**Important**
All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise. From ab1347da137452e8e0765e04c798d3e7c5b2fd26 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 15 Jul 2016 11:58:45 -0700 Subject: [PATCH 15/49] Fixed a typo --- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 2c6b76c490..9a91fc9bee 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -57,8 +57,6 @@ The following tables provide more information about the hardware, firmware, and The following tables describes additional hardware and firmware requirements, and the additional protections that are available when those requirements are met. We strongly recommend the following additional protections, which help you maximize the benefits that Device Guard can provide. - to take advantage of all the security options Device Guard can provide. - ### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511) |Additional Protections - requirement | Description | From 46ca2a3d5eb56dfd20f5471417f0a8827a5fa4dc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 15 Jul 2016 11:59:54 -0700 Subject: [PATCH 16/49] Changed App rules to App Rules --- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index bc0c26537d..8a68a0c1ac 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -24,7 +24,7 @@ All sections provided for more info appear in either the [Create a Windows Infor |Task |Description | |------------------------------------|--------------------------| -|Add at least one app rule in the **App rules** area in your WIP policy. |You must have at least one app rule specified in the **App rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.| +|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.| |Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.| |Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. | |Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. | From 025f685626aa1aed85a9dd08dfc69784348e90f0 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 15 Jul 2016 12:19:47 -0700 Subject: [PATCH 17/49] Updated parent topic for new child topic --- windows/keep-secure/guidance-and-best-practices-edp.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index 805ac84dfc..dbbf9a2d3a 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md @@ -23,6 +23,7 @@ This section includes info about the enlightened Microsoft apps, including how t ## In this section |Topic |Description | |------|------------| +|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection(EDP), in your enterprise. | |[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. | |[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. | From 8bfbea21ba52d8d1fb49fdb46116e9518e111024 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 15 Jul 2016 14:16:19 -0700 Subject: [PATCH 18/49] correcting typo --- devices/surface-hub/connect-and-display-with-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 35d14c4df5..e5250193a8 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -130,7 +130,7 @@ When a Surface hub is connected to guest computer with the wired connect USB por - HID-compliant mouse -**Universal serial bus conntrollers** +**Universal serial bus controllers** - Generic USB hub From 0850fc354fc42f9d563a2836fc2e8c90916b3702 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 15 Jul 2016 15:50:47 -0700 Subject: [PATCH 19/49] Added missing space between words --- windows/keep-secure/guidance-and-best-practices-edp.md | 2 +- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md index dbbf9a2d3a..fd1ffe2dcd 100644 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ b/windows/keep-secure/guidance-and-best-practices-edp.md @@ -23,7 +23,7 @@ This section includes info about the enlightened Microsoft apps, including how t ## In this section |Topic |Description | |------|------------| -|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection(EDP), in your enterprise. | +|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | |[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. | |[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. | diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 8a68a0c1ac..56b79bc283 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -16,7 +16,7 @@ ms.pagetype: security [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection(EDP), in your enterprise. +This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. >**Important**
All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise. From 7fbffa54c4f1f9b59bcb39a785cab234872720cf Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 15 Jul 2016 17:51:39 -0700 Subject: [PATCH 20/49] Folded in add'l feedback from Suhas --- ...sed-security-and-code-integrity-policies.md | 6 +++--- ...ent-planning-guidelines-for-device-guard.md | 18 ++++++++++-------- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md index 07a789467a..f0e196b799 100644 --- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md +++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md @@ -27,11 +27,11 @@ The following table lists security threats and describes the corresponding Devic | Security threat in the enterprise | How a Device Guard feature helps protect against the threat | | --------------------------------- | ----------------------------------------------------------- | -| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.

**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | +| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:  You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.
Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.

**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. | | **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:  Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.

**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. | -| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:  This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | | **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:  With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.

**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. | -| **Exposure to boot kits** or to other forms of malware that runs early in the boot process, or in kernel after startup | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering.

**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | +| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:   Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.

**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). | In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md). diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9a91fc9bee..3fe868fb12 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -17,7 +17,7 @@ This article describes the following: - [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard) - [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections) - - [Device Guard requirements for additional protections](#device-guard-requirements-for-additional-protections) + - [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security) - [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices) - [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files) - [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing) @@ -32,11 +32,13 @@ For example, hardware that includes CPU virtualization extensions and SLAT will You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. -The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. +The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. - + -> **Note**  For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. +> **Notes** +> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats). +> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. ## Device Guard requirements for baseline protections @@ -51,15 +53,15 @@ The following tables provide more information about the hardware, firmware, and -> **Important**  The preceding table lists requirements for baseline protections. The following table lists requirements for additional protections. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support additional protections. +> **Important**  The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. -## Device Guard requirements for additional protections +## Device Guard requirements for improved security -The following tables describes additional hardware and firmware requirements, and the additional protections that are available when those requirements are met. We strongly recommend the following additional protections, which help you maximize the benefits that Device Guard can provide. +The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. ### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511) -|Additional Protections - requirement | Description | +| Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
- BIOS password or stronger authentication must be supported.
- In the BIOS configuration, BIOS authentication must be set.
- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

**Security benefits**:
- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | From 59be37e069b0a06888ba50bd414a4cfe4e24824b Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 16 Jul 2016 20:14:38 -0700 Subject: [PATCH 21/49] added localization priority --- .../manage/configure-windows-telemetry-in-your-organization.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md index 9ab09a0d21..9861c18217 100644 --- a/windows/manage/configure-windows-telemetry-in-your-organization.md +++ b/windows/manage/configure-windows-telemetry-in-your-organization.md @@ -6,6 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security +LocalizationPriority: High author: brianlic-msft --- From 8b94e572c540946802a3a066bac9edea7a7acc37 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 16 Jul 2016 20:15:59 -0700 Subject: [PATCH 22/49] added localization priority --- ...-windows-operating-system-components-to-microsoft-services.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 4c01926131..f127fe3045 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -6,6 +6,7 @@ keywords: privacy, manage connections to Microsoft ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +LocalizationPriority: High author: brianlic-msft --- From 11d3a695ab9ae7cdce85ba5b35e72ab5cc7fb073 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 16 Jul 2016 20:22:17 -0700 Subject: [PATCH 23/49] fixed link --- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 3fe868fb12..9db41d44f1 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -37,7 +37,7 @@ The following tables provide more information about the hardware, firmware, and > **Notes** -> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#how-device-guard-features-help-protect-against-threats). +> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). > - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. ## Device Guard requirements for baseline protections From 5796f0c8fae7af25872357b48b8175e0e5bd518c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 16:20:01 +1000 Subject: [PATCH 24/49] create new individual topics for onboarding --- ...ows-defender-advanced-threat-protection.md | 104 ++++++++++++++ ...ows-defender-advanced-threat-protection.md | 90 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 81 +++++++++++ ...ows-defender-advanced-threat-protection.md | 62 +++++++++ ...ows-defender-advanced-threat-protection.md | 131 +----------------- ...ows-defender-advanced-threat-protection.md | 20 --- 6 files changed, 339 insertions(+), 149 deletions(-) create mode 100644 windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md create mode 100644 windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md create mode 100644 windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md create mode 100644 windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..f169e2f545 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -0,0 +1,104 @@ +--- +title: Configure Windows Defender ATP endpoints using Group Policy +description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +## Configure endpoints using Group Policy + +**Applies to:** + +- Windows 10 Insider Preview Build 14332 or later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. + +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. + +3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. + +4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. + +5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. + +6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**. + +7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. + +8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file. + +9. Click **OK** and close any open GPMC windows. + +## Additional Windows Defender ATP configuration settings + +You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. + +## Configure sample collection settings using Group Policy +1. On your GP management machine, copy the following files from the + configuration package: + + a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ + + b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ + +2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor**, go to **Computer configuration**. + +4. Click **Policies**, then **Administrative templates**. + +5. Click **Windows components** and then **Windows Advanced Threat Protection**. + +6. Choose to enable or disable sample sharing from your endpoints. + +## Offboard endpoints using Group Policy +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. + +3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit. + +4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**. + +5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. + +6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**. + +7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box. + +8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file. + +9. Click **OK** and close any open GPMC windows. + +## Monitor endpoint configuration using Group Policy +With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. + +## Monitor endpoints using the portal +1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). +2. Click **Machines view**. +3. Verify that endpoints are appearing. + +> **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. + + diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9d0c4df281 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -0,0 +1,90 @@ +--- +title: Configure Windows Defender ATP endpoints using Mobile Device Management tools +description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure endpoints using Mobile Device Management tools + +**Applies to:** + +- Windows 10 Insider Preview Build 14332 or later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. + +For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). + +> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + +## Configure endpoints using Microsoft Intune + +For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). + +> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + +1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **Microsoft Intune**, click **Download package** and save the .zip file. + +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*. + +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). + +Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: + - Onboarding + - Health Status for onboarded machines + - Configuration for onboarded machines + +> **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. + +Policy | OMA-URI | Type | Description | Value +:---|:---|:---|:---|:--- +Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file +Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1 + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file + Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1
Default value: 1 + + +> **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. + +## Offboard and monitor endpoints using Mobile Device Management tools + +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.offboarding*. + +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). + +Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: + - Offboarding + - Health Status for offboarded machines + - Configuration for offboarded machines + +Policy | OMA-URI | Type | Description | Value +:---|:---|:---|:---|:--- +Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file + Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + + diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7536a1eee6 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -0,0 +1,81 @@ +--- +title: Configure Windows Defender ATP endpoints using System Center Configuration Manager +description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure endpoints with System Center Configuration Manager + +**Applies to:** + +- Windows 10 Insider Preview Build 14332 or later +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +## Configure endpoints using System Center Configuration Manager (current branch) version 1606 +System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. + +> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + +## Configure endpoints using System Center 2012 Configuration Manager or later versions +You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. + +1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. + +3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. + +4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. + + a. Choose a predefined device collection to deploy the package to. + +## Offboard endpoints using System Center Configuration Manager +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click Endpoint Management on the Navigation pane. + b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. + +3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. + +4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. + + a. Choose a predefined device collection to deploy the package to. + +## Monitor endpoint configuration using System Center Configuration Manager +Monitoring with SCCM consists of two parts: + +1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. + +2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service). + +**To confirm the configuration package has been correctly deployed:** + +1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane. + +2. Click **Overview** and then **Deployments**. + +3. Click on the deployment with the package name. + +4. Review the status indicators under **Completion Statistics** and **Content Status**. + +If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. + +![SCCM showing successful deployment with no errors](images/sccm-deployment.png) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..2209348988 --- /dev/null +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -0,0 +1,62 @@ +--- +title: Configure Windows Defender ATP endpoints using a local script +description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service. +keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +--- + +# Configure endpoints using a local script +You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. + + +1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Select **Local Script**, click **Download package** and save the .zip file. + + +2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. + +3. Open an elevated command-line prompt on the endpoint and run the script: + + a. Click **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* + +5. Press the **Enter** key or click **OK**. + +See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. + +## Offboard endpoints using a local script +For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. + +1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): + + a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. + +3. Open an elevated command-line prompt on the endpoint and run the script: + + a. Click **Start** and type **cmd**. + + b. Right-click **Command prompt** and select **Run as administrator**. + + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + +4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* + +5. Press the **Enter** key or click **OK**. \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index d2cc59754d..8ad58fa146 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -24,137 +24,10 @@ Endpoints in your organization must be configured so that the Windows Defender A Windows Defender ATP supports the following deployment tools and methods: - Group Policy -- System Center Configuration Manager (current branch) version 1606 -- System Center 2012 Configuration manager or later versions -- Mobile Device Management -- Microsoft Intune +- System Center Configuration Manager +- Mobile Device Management (including Microsoft Intune) - Local script -## Configure endpoints with Group Policy - -> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. - -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **Group Policy**, click **Download package** and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. - -3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. - -4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. - -5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. - -6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**. - -7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. - -8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file. - -9. Click **OK** and close any open GPMC windows. - -For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md). - -## Configure endpoints with System Center Configuration Manager (current branch) version 1606 -System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. - -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - -## Configure endpoints with System Center 2012 Configuration Manager or later versions -You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. - -1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. - -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic. - - a. Choose a predefined device collection to deploy the package to. - -## Configure endpoints with Mobile Device Management tools -You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints. - -For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). - -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - -## Configure endpoints with Microsoft Intune - -For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). - -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **Microsoft Intune**, click **Download package** and save the .zip file. - -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*. - -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - -These policies are categorized into two groups: -- Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - - Onboarding - - Health Status for onboarded machines - - Configuration for onboarded machines -- Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: - - Offboarding - - Health Status for offboarded machines - - Configuration for offboarded machines - -> **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. - -Policy | OMA-URI | Type | Description | Value -:---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file -Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1 - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file - Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1
Default value: 1 - Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file - Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 - -> **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. - -## Configure endpoints individually with a local script - -You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. - - -1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - - a. Click **Endpoint Management** on the **Navigation pane**. - - b. Select **Local Script**, click **Download package** and save the .zip file. - - -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. - -3. Open an elevated command-line prompt on the endpoint and run the script: - - a. Click **Start** and type **cmd**. - - b. Right-click **Command prompt** and select **Run as administrator**. - - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) - -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* - -5. Press the **Enter** key or click **OK**. - -See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry. ## Related topics - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md index 8babe1f172..1fbfe3d5ef 100644 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md @@ -36,27 +36,7 @@ Monitoring can be done directly on the portal, or by using System Center Configu > **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. -## Monitor with System Center Configuration Manager -Monitoring with SCCM consists of two parts: - -1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. - -2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service). - -**To confirm the configuration package has been correctly deployed:** - -1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane. - -2. Click **Overview** and then **Deployments**. - -3. Click on the deployment with the package name. - -4. Review the status indicators under **Completion Statistics** and **Content Status**. - -If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. - -![SCCM showing successful deployment with no errors](images/sccm-deployment.png) ## Related topics From 6ba7e97cc95453970e87d5bbf99b81e424c1e9fa Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 16:28:50 +1000 Subject: [PATCH 25/49] add new topics in TOC --- windows/keep-secure/TOC.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 6d463f47d2..0d946ebdf1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -682,6 +682,13 @@ #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +####### [Configure endpoints using SCCM 2016](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) +####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) +###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) +###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) ##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) ##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) From 1a852d7c04059ad22b1404146ae2e61da1aa080f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 17:51:45 +1000 Subject: [PATCH 26/49] fix extension names --- windows/keep-secure/TOC.md | 4 +--- ...-windows-defender-advanced-threat-protection.md | 5 +++-- ...-windows-defender-advanced-threat-protection.md | 6 ++++-- ...-windows-defender-advanced-threat-protection.md | 14 ++++++++------ ...-windows-defender-advanced-threat-protection.md | 4 ++-- 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 0d946ebdf1..33111e697a 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,14 +684,12 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 2016](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) +####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) ##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index f169e2f545..4a37f932dc 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -21,6 +21,7 @@ author: mjcaparas > **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. +### Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. @@ -47,7 +48,7 @@ author: mjcaparas You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. -## Configure sample collection settings using Group Policy +### Configure sample collection settings using Group Policy 1. On your GP management machine, copy the following files from the configuration package: @@ -65,7 +66,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa 6. Choose to enable or disable sample sharing from your endpoints. -## Offboard endpoints using Group Policy +### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 9d0c4df281..72fa25d9dd 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -31,6 +31,8 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre > **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. +### Onboard and monitor endpoints + 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. @@ -59,7 +61,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea > **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. -## Offboard and monitor endpoints using Mobile Device Management tools +### Offboard and monitor endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -70,7 +72,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.offboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 7536a1eee6..c4ac346a95 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security author: mjcaparas --- -# Configure endpoints with System Center Configuration Manager +# Configure endpoints uisng System Center Configuration Manager **Applies to:** @@ -24,8 +24,10 @@ System Center Configuration Manager (current branch) version 1606, currently in > **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. -## Configure endpoints using System Center 2012 Configuration Manager or later versions -You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier. +## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions +You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager. + +### Onboard endpoints 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -41,7 +43,7 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Choose a predefined device collection to deploy the package to. -## Offboard endpoints using System Center Configuration Manager +### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. @@ -51,7 +53,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click Endpoint Management on the Navigation pane. b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. @@ -59,7 +61,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Choose a predefined device collection to deploy the package to. -## Monitor endpoint configuration using System Center Configuration Manager +### Monitor endpoint configuration using System Center Configuration Manager Monitoring with SCCM consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 2209348988..61c7f401cc 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -47,7 +47,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_\.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: @@ -57,6 +57,6 @@ For security reasons, the package used to offboard endpoints will expire 30 days ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_\.cmd* 5. Press the **Enter** key or click **OK**. \ No newline at end of file From 42ad97dacef62abc76f51a7f8fb76b7687ed74a0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 18:24:44 +1000 Subject: [PATCH 27/49] add related topics, update table --- ...p-windows-defender-advanced-threat-protection.md | 4 ++++ ...m-windows-defender-advanced-threat-protection.md | 4 ++++ ...m-windows-defender-advanced-threat-protection.md | 7 ++++++- ...t-windows-defender-advanced-threat-protection.md | 8 +++++++- ...s-windows-defender-advanced-threat-protection.md | 13 +++++++------ ...e-windows-defender-advanced-threat-protection.md | 2 -- 6 files changed, 28 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 4a37f932dc..60cced9f5d 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -103,3 +103,7 @@ With Group Policy there isn’t an option to monitor deployment of policies on t > **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. +## Related topics +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 72fa25d9dd..1b027dbcf2 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -90,3 +90,7 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index c4ac346a95..d4cb1cc475 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -80,4 +80,9 @@ Monitoring with SCCM consists of two parts: If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information. -![SCCM showing successful deployment with no errors](images/sccm-deployment.png) \ No newline at end of file +![SCCM showing successful deployment with no errors](images/sccm-deployment.png) + +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 61c7f401cc..ee77bcc824 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -59,4 +59,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_\.cmd* -5. Press the **Enter** key or click **OK**. \ No newline at end of file +5. Press the **Enter** key or click **OK**. + + +## Related topics +- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 8ad58fa146..0028b5478b 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -28,9 +28,10 @@ Windows Defender ATP supports the following deployment tools and methods: - Mobile Device Management (including Microsoft Intune) - Local script - -## Related topics -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) +## In this section +Topic | Description +:---|:--- +[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints. +[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints. +[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints. +[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints. diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index 668883a264..3cfcbb1cde 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -36,6 +36,4 @@ Topic | Description :---|:--- [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise. [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. -[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature. -[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. From 503fcca7068431ff5392fdfcf3db2e8baf2da72d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 18:37:45 +1000 Subject: [PATCH 28/49] fixing anchor links --- windows/keep-secure/TOC.md | 2 +- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 33111e697a..9275942925 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-(current-branch)-version-1606)) +####### [Configure endpoints using SCCM 1606]() ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index d4cb1cc475..0def99f471 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -19,6 +19,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. From 61b75109aa088eb6cc5aec05cc7dcc760c149566 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 19:11:25 +1000 Subject: [PATCH 29/49] fixing anchor link --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 9275942925..75bdcca63f 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606]() +####### [Configure endpoints using SCCM 1606] ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) From f25776cd8bb71c6bdd4189c9b5f871405282eec1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 19:46:31 +1000 Subject: [PATCH 30/49] update anchor, update toc, update title --- windows/keep-secure/TOC.md | 2 +- ...-endpoints-gp-windows-defender-advanced-threat-protection.md | 2 +- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 75bdcca63f..634f47eedf 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606] +####### [Configure endpoints using SCCM 1606](#sccm1606) ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 60cced9f5d..2f8fc98460 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security author: mjcaparas --- -## Configure endpoints using Group Policy +# Configure endpoints using Group Policy **Applies to:** diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 0def99f471..d33636f939 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -19,7 +19,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. From 3ae5868b0b944fd20678c733413e25b743dd9acd Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 19:56:00 +1000 Subject: [PATCH 31/49] fixing link --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 634f47eedf..4847d00389 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,7 +684,7 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606](#sccm1606) +####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1606) ####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) From 21fba964ecf0d96ad25481c6bb68f3ee7f310f24 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:02:43 +1000 Subject: [PATCH 32/49] remove old text topic --- ...gure-windows-defender-advanced-threat-protection.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md index 3cfcbb1cde..942dfa02ee 100644 --- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md @@ -21,16 +21,6 @@ author: iaanw You need to onboard to Windows Defender ATP before you can use the service. - - - - ## In this section Topic | Description :---|:--- From f6c56953a10819057c3a2ad897e489655ab086a4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:03:56 +1000 Subject: [PATCH 33/49] fix typo --- ...dpoints-sccm-windows-defender-advanced-threat-protection.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index d33636f939..fef8fdb284 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -10,7 +10,8 @@ ms.pagetype: security author: mjcaparas --- -# Configure endpoints uisng System Center Configuration Manager +# Configure endpoints using System Center Configuration Manager + **Applies to:** From dc779d17515afb8f4d424f428a11c82cd9ddd9b1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:18:02 +1000 Subject: [PATCH 34/49] test link --- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index fef8fdb284..6c7eaeb7d1 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -20,7 +20,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - + ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section. From 6234a105d3465fdf03f088b3a3481f56f634ec31 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:30:16 +1000 Subject: [PATCH 35/49] fix Related topics --- ...ows-defender-advanced-threat-protection.md | 47 ------- ...ows-defender-advanced-threat-protection.md | 3 - ...ows-defender-advanced-threat-protection.md | 3 - ...ows-defender-advanced-threat-protection.md | 46 ------- ...ows-defender-advanced-threat-protection.md | 121 ------------------ ...ows-defender-advanced-threat-protection.md | 4 +- 6 files changed, 1 insertion(+), 223 deletions(-) delete mode 100644 windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md delete mode 100644 windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md delete mode 100644 windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 93d466aa32..0000000000 --- a/windows/keep-secure/additional-configuration-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,47 +0,0 @@ ---- -title: Additional Windows Defender ATP configuration settings -description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature. -keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates, -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: security -ms.sitesec: library -author: mjcaparas ---- - -# Additional Windows Defender ATP configuration settings - -**Applies to** - -- Windows 10 Insider Preview Build 14332 or later -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. - -## Configure sample collection settings with Group Policy -1. On your GP management machine, copy the following files from the - configuration package: - - a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ - - b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ - -2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor**, go to **Computer configuration**. - -4. Click **Policies**, then **Administrative templates**. - -5. Click **Windows components** and then **Windows Advanced Threat Protection**. - -6. Choose to enable or disable sample sharing from your endpoints. - -## Related topics - -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 0c31cc5832..27177d0829 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -179,8 +179,5 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md index 6e239a2aea..f019d14fdf 100644 --- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md @@ -242,9 +242,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) - [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 1fbfe3d5ef..0000000000 --- a/windows/keep-secure/monitor-onboarding-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,46 +0,0 @@ ---- -title: Monitor Windows Defender ATP onboarding -description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. -keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas ---- - -# Monitor Windows Defender Advanced Threat Protection onboarding - -**Applies to:** - -- Windows 10 Insider Preview Build 14322 or later -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports. - -You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly. - -Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM). - -## Monitor with the portal - -1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). - -2. Click **Machines view**. - -3. Verify that endpoints are appearing. - - -> **Note**  It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. - - - -## Related topics - -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 790d75a1dd..0000000000 --- a/windows/keep-secure/service-onboarding-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: Windows Defender ATP service onboarding -description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal. -keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users, -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas ---- - -# Windows Defender ATP service onboarding - -**Applies to:** - -- Windows 10 Insider Preview Build 14332 or later -- Azure Active Directory -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal. - -**Manage user access to the Windows Defender ATP portal**: - -1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not - have users assigned to the Windows ATP Service application, you will - be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access. - - > **Note**  In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD. - -2. Ensure you have logged in to Microsoft Azure with an account that - has permissions to assign users to an application in AAD. You might - need to sign out of Microsoft Azure and then sign back in again if - you used a different account to sign in to the Windows Defender ATP - portal: - - a. On the top menu, click the signed-in user’s name. - - b. Click **Sign out**. - - ![Azure sign out](images/azure-signout.png) - - c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in. - - d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD. - -3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/). - - ![Azure Active Directory menu](images/azure-browse.png) - -4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this: - - a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal. - - ![Azure organization menu](images/azure-org-directory.png) - - b. Scroll down in the navigation pane and click **Active Directory**. - - ![Azure active directory](images/azure-active-directory.png) - -5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is - called **Contoso**. - - ![Azure active directory list](images/azure-active-directory-list.png) - - > **Note**  You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list. - -6. Click **Applications** from the top menu bar. - - ![Example organization in Azure Active Directory](images/contoso.png) - -7. Click the **Windows ATP Service** application. The dashboard for the application is shown. - - ![Example selected organization in Azure Active Directory](images/contoso-application.png) - - > **Note**  The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**. - -8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed. - - ![Example windows atp service users](images/windows-atp-service.png) - - ![Example user assignment to the windows atp service](images/assign-users.png) - - > **Note**  If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single user’s account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory. - -9. Select the user you want manage. - -10. Click **Assign**. - -11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You don’t need to do anything with the messages, they will go away after a short period of time. - - ![Confirmation page to enable access to users](images/confirm-user-access.png) - -12. To remove the user's access, click **Remove**. - -13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period. - - ![Remove menu](images/remove-menu.png) - -14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory. - - > **Note**  If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). - -15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard. - - > **Note**  You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above. - -When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the -page. - -Follow the steps in the onboarding wizard to complete the onboarding process. - -At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Endpoint Management** menu on the portal after you have completed the onboarding wizard. - -## Related topics -- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 5cb5400bb0..b9baeb947e 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -436,8 +436,6 @@ Log in to the application in the Azure Management Portal again: --> ## Related topics - - [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) -- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md) -- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) + From 2a590e99160f488b3f89d48c1f4777321ca11fb7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:40:33 +1000 Subject: [PATCH 36/49] swap description and value from table --- ...dm-windows-defender-advanced-threat-protection.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 1b027dbcf2..a06b2c7212 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -50,13 +50,13 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end > **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. -Policy | OMA-URI | Type | Description | Value +Policy | OMA-URI | Type | Value | Description :---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file -Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1 - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file - Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1
Default value: 1 +Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding +Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID + Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled > **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. From 430159e5140f2b40603bbf9d1e14879f038f5889 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:42:02 +1000 Subject: [PATCH 37/49] add anchor, update TOC --- windows/keep-secure/TOC.md | 2 +- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 4847d00389..aea7299ce0 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -685,7 +685,7 @@ ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1606) -####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-system-center-configuration-manager-2012-or-later-versions) +####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1602) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 6c7eaeb7d1..a46848c5fc 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -26,6 +26,7 @@ System Center Configuration Manager (current branch) version 1606, currently in > **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. + ## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager. From d2d42ea05710513e32aeb27117cc023720841e4a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 20:45:36 +1000 Subject: [PATCH 38/49] fix dead link --- ...stigate-files-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md index c7e1a14928..5dfb3959f9 100644 --- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md @@ -121,7 +121,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection Value = 0 - block sample collection Value = 1 - allow sample collection ``` -5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy). +5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md). 6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). > **Note**  If the value *AllowSampleCollection* is not available, the client will allow sample collection by default. From 037efac74643b5c26a0c2d26c0168054be6b57b8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:07:43 +1000 Subject: [PATCH 39/49] remove extra note, update file extension --- ...-windows-defender-advanced-threat-protection.md | 2 +- ...-windows-defender-advanced-threat-protection.md | 14 ++++++-------- ...-windows-defender-advanced-threat-protection.md | 2 +- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 2f8fc98460..9f63869e32 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -19,7 +19,7 @@ author: mjcaparas [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -> **Note**  To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later. +> **Note**  To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later. ### Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index a06b2c7212..4d464268ea 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -29,8 +29,6 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - ### Onboard and monitor endpoints 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): @@ -44,9 +42,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - - Onboarding - - Health Status for onboarded machines - - Configuration for onboarded machines +- Onboarding +- Health Status for onboarded machines +- Configuration for onboarded machines > **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. @@ -77,9 +75,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to: - - Offboarding - - Health Status for offboarded machines - - Configuration for offboarded machines +- Offboarding +- Health Status for offboarded machines +- Configuration for offboarded machines Policy | OMA-URI | Type | Description | Value :---|:---|:---|:---|:--- diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index a46848c5fc..2fab49e4ef 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -56,7 +56,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click Endpoint Management on the Navigation pane. b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic. From a1772b7bc300ecc680ecda8f740f1d1e65eeba02 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:28:46 +1000 Subject: [PATCH 40/49] updates based on Naama's feedback --- windows/keep-secure/TOC.md | 2 -- ...indows-defender-advanced-threat-protection.md | 8 +++++--- ...indows-defender-advanced-threat-protection.md | 16 ++++++++-------- ...indows-defender-advanced-threat-protection.md | 15 +++++++++------ ...indows-defender-advanced-threat-protection.md | 3 ++- 5 files changed, 24 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index aea7299ce0..c34ebed59a 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -684,8 +684,6 @@ ##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -####### [Configure endpoints using SCCM 1606](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1606) -####### [Configure endpoints using SCCM 2012](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md#sccm1602) ###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 9f63869e32..d8db5694c4 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -48,7 +48,7 @@ author: mjcaparas You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. -### Configure sample collection settings using Group Policy +### Configure sample collection settings 1. On your GP management machine, copy the following files from the configuration package: @@ -74,6 +74,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. + b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. @@ -92,7 +93,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 9. Click **OK** and close any open GPMC windows. -## Monitor endpoint configuration using Group Policy +## Monitor endpoint configuration With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor endpoints using the portal @@ -106,4 +107,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t ## Related topics - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 4d464268ea..410e537b06 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -14,7 +14,7 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Insider Preview Build 14379 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] @@ -35,9 +35,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **Microsoft Intune**, click **Download package** and save the .zip file. + b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file. -2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATP.onboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). @@ -68,9 +68,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): a. Click **Endpoint Management** on the **Navigation pane**. - b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. + b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file. + +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). @@ -85,10 +86,9 @@ Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 -> **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. - ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 2fab49e4ef..1c057d851f 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -15,7 +15,7 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14332 or later +- Windows 10 Insider Preview Build 14379 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] @@ -36,7 +36,7 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file. + b. Select **System Center Configuration Manager (current branch) version 1602**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. @@ -47,14 +47,16 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Choose a predefined device collection to deploy the package to. ### Offboard endpoints + For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > **Note**  Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click Endpoint Management on the Navigation pane. - b. Under Endpoint offboarding section, select System Center Configuration Manager (current branch) version 1602 or earlier, click Download package, and save the .zip file. + a. Click **Endpoint Management** on the **Navigation pane**. + + b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. @@ -64,7 +66,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Choose a predefined device collection to deploy the package to. -### Monitor endpoint configuration using System Center Configuration Manager +### Monitor endpoint configuration Monitoring with SCCM consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network. @@ -88,4 +90,5 @@ If there are failed deployments (endpoints with **Error**, **Requirements Not Me ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index ee77bcc824..eacde8021a 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -65,4 +65,5 @@ For security reasons, the package used to offboard endpoints will expire 30 days ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) -- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) +- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) \ No newline at end of file From edbd2654237e9127c4c8308ec77614dfa49f38db Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:40:08 +1000 Subject: [PATCH 41/49] add or earlier --- ...ndpoints-sccm-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 1c057d851f..5a35bad778 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ You can use System Center Configuration Manager’s existing functionality to cr a. Click **Endpoint Management** on the **Navigation pane**. - b. Select **System Center Configuration Manager (current branch) version 1602**, click **Download package**, and save the .zip file. + b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*. From ac5820fcd75a587fdeb7648322c0522d76661b40 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 21:46:40 +1000 Subject: [PATCH 42/49] swap desc and value, update build number --- ...nts-mdm-windows-defender-advanced-threat-protection.md | 8 ++++---- ...ts-sccm-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 410e537b06..ec376fe348 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -80,11 +80,11 @@ Offboarding - Use the offboarding policies to remove configuration settings on e - Health Status for offboarded machines - Configuration for offboarded machines -Policy | OMA-URI | Type | Description | Value +Policy | OMA-URI | Type | Value | Description :---|:---|:---|:---|:--- -Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file - Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE - | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0 +Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding + Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running + | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP ## Related topics diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 5a35bad778..3f7fac27dc 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -15,7 +15,7 @@ author: mjcaparas **Applies to:** -- Windows 10 Insider Preview Build 14379 or later +- Windows 10 Insider Preview Build 14332 or later - Windows Defender Advanced Threat Protection (Windows Defender ATP) [Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] From c9fa2bb11b6b34a8350161c716906e6159924465 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 18 Jul 2016 22:44:56 +1000 Subject: [PATCH 43/49] updates on style and remove notes --- ...dm-windows-defender-advanced-threat-protection.md | 12 +++++------- ...pt-windows-defender-advanced-threat-protection.md | 6 +++--- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index ec376fe348..22692ee168 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -23,8 +23,6 @@ You can use mobile device management (MDM) solutions to configure endpoints. Win For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). -> **Note**   If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later. - ## Configure endpoints using Microsoft Intune For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx). @@ -46,8 +44,6 @@ Onboarding - Use the onboarding policies to deploy configuration settings on end - Health Status for onboarded machines - Configuration for onboarded machines -> **Warning**  These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions. - Policy | OMA-URI | Type | Value | Description :---|:---|:---|:---|:--- Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding @@ -57,7 +53,7 @@ Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThrea Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
Default value: 1 | Windows Defender ATP Sample sharing is enabled -> **Note**  Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated. +> **Note**  Policies **Health Status for onboarded machines** use read-only properties and can't be remediated. ### Offboard and monitor endpoints @@ -85,8 +81,10 @@ Policy | OMA-URI | Type | Value | Description Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP - - + +> **Note**  Policies **Health Status for offboarded machines** use read-only properties and can't be remediated. + + ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) - [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index eacde8021a..37cff93fb6 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -31,7 +31,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`* +4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* 5. Press the **Enter** key or click **OK**. @@ -47,7 +47,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_\.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the endpoint and run the script: @@ -57,7 +57,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_\.cmd* +4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* 5. Press the **Enter** key or click **OK**. From 552aeed362b9adcda0ee4891cd7e7e00486c8ad7 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:02:15 -0700 Subject: [PATCH 44/49] Added new Mandatory tasks and settings required to turn on Windows Information Protection (WIP) topic --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index bf5a309fca..34c8880202 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,9 +16,10 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | -|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | +|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated | |[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated | From b9cb066d7e176a543ec0f77851b247c369bc9e41 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:04:57 -0700 Subject: [PATCH 45/49] Put wrong file into master --- ...ange-history-for-keep-windows-10-secure.md | 1 - ...reate-and-verify-an-efs-dra-certificate.md | 90 ------------------- 2 files changed, 91 deletions(-) delete mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.md diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 34c8880202..4b25f1edc5 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,7 +17,6 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | |[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated | diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md deleted file mode 100644 index 03d72f1d40..0000000000 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ /dev/null @@ -1,90 +0,0 @@ - ---- -title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ---- - -# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. - ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** - -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. - - >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** - -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** - -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - -**To recover your EDP-protected desktop data after unenrollment** - -1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` - - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. - -2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: - - `cipher.exe /D <“new_location”>` - -3. Sign in to the unenrolled device as the employee, and type: - - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` - -4. Ask the employee to log back in to the device or to lock and unlock the device. - - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 71310e481808cd79d6f110e0ec5e37ee84fcf764 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:18:36 -0700 Subject: [PATCH 46/49] Removed incorrect topic from TOC --- windows/keep-secure/TOC.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 83d4e0b32d..e2590ac099 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -29,7 +29,6 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -#### [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) From 03863ebc285236bd598eee63b0f6971bce40fc6d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Mon, 18 Jul 2016 09:19:48 -0700 Subject: [PATCH 47/49] fixed bad metadata --- windows/plan/best-practice-recommendations-for-windows-to-go.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/plan/best-practice-recommendations-for-windows-to-go.md b/windows/plan/best-practice-recommendations-for-windows-to-go.md index c9cc2ac741..33789da365 100644 --- a/windows/plan/best-practice-recommendations-for-windows-to-go.md +++ b/windows/plan/best-practice-recommendations-for-windows-to-go.md @@ -5,7 +5,7 @@ ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 keywords: best practices, USB, device, boot ms.prod: w10 ms.mktglfcycl: plan -pagetype: mobility +ms.pagetype: mobility ms.sitesec: library author: mtniehaus --- From 5cabbaa87b52cce58a524b6b24eb8d6a9d87eac1 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 09:23:43 -0700 Subject: [PATCH 48/49] Pulled links for deleted topics --- windows/keep-secure/create-edp-policy-using-intune.md | 2 +- windows/keep-secure/create-edp-policy-using-sccm.md | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index 7f51444b81..b38806e217 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -426,7 +426,7 @@ There are no default locations included with EDP, you must add each of your netw After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + ### Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 5668449d99..90bc450386 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -443,8 +443,6 @@ There are no default locations included with EDP, you must add each of your netw After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For steps about how to create and verify an EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) DRA certificate](create-and-verify-an-efs-dra-certificate.md) topic. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png) ### Choose your optional EDP-related settings From a589e5e2756d550d377cd3c55f6b69886a5773c7 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 09:29:43 -0700 Subject: [PATCH 49/49] Fixing text due to adding the wrong file and having to pull it --- .../create-edp-policy-using-intune.md | 42 +++++++++++++++++- .../create-edp-policy-using-sccm.md | 43 ++++++++++++++++++- 2 files changed, 81 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md index b38806e217..49a3959cc2 100644 --- a/windows/keep-secure/create-edp-policy-using-intune.md +++ b/windows/keep-secure/create-edp-policy-using-intune.md @@ -422,11 +422,49 @@ There are no default locations included with EDP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + +#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name *EFSDRA*; however, this name can be replaced with anything that makes sense to you. + +>**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c `
Where `` is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. ### Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings. diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md index 90bc450386..ee26d44b41 100644 --- a/windows/keep-secure/create-edp-policy-using-sccm.md +++ b/windows/keep-secure/create-edp-policy-using-sccm.md @@ -440,11 +440,50 @@ There are no default locations included with EDP, you must add each of your netw - **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - - After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png) + After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. + +#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +>**Important**
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. +2. Run this command: + + `cipher /r:`
Where `` is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c `
Where `` is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d `
Where `` is the name of your encrypted file. For example, corporatedata.docx. + ### Choose your optional EDP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.