diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index 61cb120716..82c001e81f 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -1,6 +1,21 @@ {:allowed-branchname-matches ["master"] :allowed-filename-matches ["windows/"] + :targets + { + :counts { + ;;:spelling 10 + ;;:grammar 3 + ;;:total 15 ;; absolute flag count but i don't know the difference between this and issues + ;;:issues 15 ;; coming from the platform, will need to be tested. + } + :scores { + ;;:terminology 100 + :qualityscore 80 ;; Confirmed with Hugo that you just comment out the single score and leave the structure in place + ;;:spelling 40 + } + } + :guidance-profile "d2b6c2c8-00ee-47f1-8d10-b280cc3434c1" ;; Profile ID for "M365-specific" :acrolinx-check-settings @@ -12,7 +27,7 @@ "TERMINOLOGY_VALID" "VOICE_GUIDANCE" ] - "termSetNames" ["M365"] + "termSetNames" ["M365" "Products" "Microsoft"] } :template-header @@ -20,7 +35,15 @@ " ## Acrolinx Scorecards -**A minimum Acrolinx score of 20 is required.** +**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.** + +If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions: + +- Work with you to resolve the issues requiring the exception. +- Escalate the exception request to the Acrolinx Review Team for review. +- Approve the exception and work with the GitHub Admin Team to merge the PR to the default branch. + +For more information about the exception criteria and exception process, see [Minimum Acrolinx topic scores for publishing](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-min-score?branch=master). Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: @@ -36,6 +59,6 @@ Click the scorecard links for each article to review the Acrolinx feedback on gr " **More info about Acrolinx** -We have set the minimum score to 20. This is effectively *not* setting a minimum score. If you need to bypass this score, please contact MARVEL PubOps. +Use the Acrolinx extension, or sidebar, in Visual Studio Code to check spelling, grammar, style, tone, clarity, and key terminology when you're creating or updating content. For more information, see [Use the Visual Studio Code extension to run Acrolinx locally](https://review.docs.microsoft.com/en-us/office-authoring-guide/acrolinx-vscode?branch=master). " } diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 3e1c1d1d11..f9ebdac192 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -390,7 +390,7 @@ "elizapo@microsoft.com" ], "sync_notification_subscribers": [ - "daniha@microsoft.com" + "dstrome@microsoft.com" ], "branches_to_filter": [ "" @@ -431,9 +431,9 @@ "template_folder": "_themes.pdf" } }, - "need_generate_pdf": false, - "need_generate_intellisense": false, "docs_build_engine": { "name": "docfx_v3" - } -} + }, + "need_generate_pdf": false, + "need_generate_intellisense": false +} \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index aaf6321d69..f072b252df 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -79,6 +79,16 @@ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", @@ -148,7 +158,7 @@ { "source_path": "windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md", "redirect_url": "https://docs.microsoft.com/microsoft-365/security/mtp/top-scoring-industry-tests", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md", @@ -857,12 +867,12 @@ }, { "source_path": "windows/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/emet-exploit-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-exploit-guard", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": true }, { @@ -1210,11 +1220,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", - "redirect_document_id": false - }, { "source_path": "windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access", @@ -1435,16 +1440,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators", "redirect_document_id": false }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", - "redirect_document_id": true - }, - { - "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", - "redirect_document_id": true - }, { "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection", @@ -1539,6 +1534,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md", @@ -1795,6 +1795,21 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection", + "redirect_document_id": true + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score", @@ -1805,11 +1820,26 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/configuration-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", + "redirect_document_id": true + }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/configuration-score.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications", @@ -1834,6 +1864,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-atp/powerbi-reports.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi", + "redirect_document_id": true }, { "source_path": "windows/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md", @@ -1980,16 +2015,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection", - "redirect_document_id": true - }, - { - "source_path": "windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard", - "redirect_document_id": true - }, { "source_path": "windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection", @@ -2019,6 +2044,11 @@ "source_path": "windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list", + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md", @@ -2362,9 +2392,14 @@ }, { "source_path": "windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-windows-microsoft-antivirus", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", + "redirect_document_id": true + }, { "source_path": "windows/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -2521,9 +2556,9 @@ "redirect_document_id": true }, { - "source_path": "windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md", + "source_path": "windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md", "redirect_url": "https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/threat-protection/windows-defender-application-control.md", @@ -14555,41 +14590,86 @@ "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-surface-hub", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-surface-hub.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-iot-enterprise.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-iot-core.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-iot-core", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-iot-core.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-hololens2.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-hololens2", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-hololens2.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-hololens-1st-gen-development-edition.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-hololens-1st-gen-commercial-suite.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-admx-backed.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-admx-backed", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-admx-backed.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-admx-backed", + "redirect_document_id": false + }, { "source_path": "windows/client-management/mdm/policies-supported-by-group-policy.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policy-csps-supported-by-group-policy", "redirect_document_id": false }, + { + "source_path": "windows/client-management/mdm/policy-csps-supported-by-group-policy.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md", + "redirect_url": "https://docs.microsoft.com/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas", + "redirect_document_id": false + }, { "source_path": "windows/keep-secure/collect-wip-audit-event-logs.md", "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs", @@ -15035,6 +15115,11 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip", "redirect_document_id": true }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip", + "redirect_document_id": false + }, { "source_path": "windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/use-apis", @@ -15502,7 +15587,7 @@ }, { "source_path": "windows/hub/release-information.md", - "redirect_url": "https://docs.microsoft.com/windows/release-information", + "redirect_url": "https://docs.microsoft.com/windows/release-health/release-information", "redirect_document_id": true }, { @@ -15523,7 +15608,7 @@ { "source_path": "education/get-started/change-history-ms-edu-get-started.md", "redirect_url": "https://docs.microsoft.com/microsoft-365/education/deploy", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "education/get-started/get-started-with-microsoft-education.md", @@ -15594,6 +15679,11 @@ "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", @@ -15707,12 +15797,12 @@ }, { "source_path": "windows/release-information/status-windows-10-1703.yml", - "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", + "redirect_url": "https://docs.microsoft.com/windows/release-health/windows-message-center", "redirect_document_id": true }, { "source_path": "windows/release-information/resolved-issues-windows-10-1703.yml", - "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center", + "redirect_url": "https://docs.microsoft.com/windows/release-health/windows-message-center", "redirect_document_id": false }, { @@ -16009,6 +16099,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/gov", + "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md", @@ -16145,11 +16240,6 @@ "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus", "redirect_document_id": true }, - { - "source_path": "windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md", - "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus", - "redirect_document_id": true - }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus", @@ -16429,6 +16519,21 @@ "source_path": "windows/deployment/windows-autopilot/windows-autopilot.md", "redirect_url": "https://docs.microsoft.com/mem/autopilot/windows-autopilot", "redirect_document_id": true + }, + { + "source_path": "windows/hub/windows-10.yml", + "redirect_url": "https://docs.microsoft.com/windows/windows-10", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives", + "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr", + "redirect_document_id": false } ] } diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000000..f66a07d2e4 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,5 @@ +{ + "cSpell.words": [ + "emie" + ] +} \ No newline at end of file diff --git a/bcs/docfx.json b/bcs/docfx.json index 2fa639d038..02fe77ff2d 100644 --- a/bcs/docfx.json +++ b/bcs/docfx.json @@ -36,7 +36,16 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json", - "extendBreadcrumb": true + "extendBreadcrumb": true, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 3314f77577..bae1f59877 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -28,6 +28,6 @@ ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) -## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) +## [Microsoft Edge Frequently Asked Questions (FAQ)](microsoft-edge-faq.yml) diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 2529a88fea..af27551fc8 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -60,7 +60,7 @@ We have discontinued the **Configure Favorites** group policy, so use the [Provi |New or changed topic | Description | |---------------------|-------------| -|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.md) | New | +|[Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros](microsoft-edge-faq.yml) | New | ## February 2017 diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 640106062b..1ef3407e17 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -42,7 +42,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Edge" + "titleSuffix": "Edge", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "externalReference": [], "template": "op.html", diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index f55040beb3..8fb16843d8 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -1,229 +1,80 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy group policies +title: Microsoft Edge Legacy group policies # < 60 chars +summary: Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. # < 160 chars metadata: - - title: Microsoft Edge Legacy group policies - - description: Learn how to configure group policies in Microsoft Edge Legacy on Windows 10. - - text: Some of the features in Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. (To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) - + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge Legacy, Windows 10, Windows 10 Mobile - ms.localizationpriority: medium - + ms.prod: edge author: shortpatti - ms.author: pashort - - ms.date: 10/02/2018 - - ms.topic: article - + ms.topic: landing-page ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Microsoft Edge Legacy works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/address-bar-settings-gp - - html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

- - image: - - src: https://docs.microsoft.com/media/common/i_http.svg - - title: Address bar - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/adobe-settings-gp - - html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Adobe Flash - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/books-library-management-gp - - html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

- - image: - - src: https://docs.microsoft.com/media/common/i_library.svg - - title: Books Library - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/browser-settings-management-gp - - html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Browser experience - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp - - html:

Learn how to configure Microsoft Edge for development and testing.

- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Developer tools - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/extensions-management-gp - - html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

- - image: - - src: https://docs.microsoft.com/media/common/i_extensions.svg - - title: Extensions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/favorites-management-gp - - html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_link.svg - - title: Favorites - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/home-button-gp - - html:

Learn how you can customize the home button or hide it.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Home button - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability and enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy - - html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

- - image: - - src: https://docs.microsoft.com/media/common/i_categorize.svg - - title: Kiosk mode deployment in Microsoft Edge - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp - - html:

Learn how to configure the New Tab page in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: New Tab page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/prelaunch-preload-gp - - html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Prelaunch Microsoft Edge and preload tabs - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/search-engine-customization-gp - - html:

Learn how you can set the default search engine and configure additional ones.

- - image: - - src: https://docs.microsoft.com/media/common/i_search.svg - - title: Search engine customization - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:

Learn how you can keep your environment and users safe from attacks.

- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security and privacy - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/start-pages-gp - - html:

Learn how to configure the Start pages in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_setup.svg - - title: Start page - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

- - image: - - src: https://docs.microsoft.com/media/common/i_sync.svg - - title: Sync browser - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/telemetry-management-gp - - html:

Learn how you can configure Microsoft Edge to collect certain data.

- - image: - - src: https://docs.microsoft.com/media/common/i_data-collection.svg - - title: Telemetry and data collection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/available-policies - - html:

View all available group policies for Microsoft Edge on Windows 10.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: All group policies + ms.date: 08/28/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + + # Card (optional) + - title: Group policies configure guidance part 1 + linkLists: + - linkListType: reference + links: + - text: All group policies + url: /microsoft-edge/deploy/available-policies + - text: Address bar + url: /microsoft-edge/deploy/group-policies/address-bar-settings-gp + - text: Adobe Flash + url: /microsoft-edge/deploy/group-policies/adobe-settings-gp + - text: Books Library + url: /microsoft-edge/deploy/group-policies/books-library-management-gp + - text: Browser experience + url: /microsoft-edge/deploy/group-policies/browser-settings-management-gp + - text: Developer tools + url: /microsoft-edge/deploy/group-policies/developer-settings-gp + - text: Extensions + url: /microsoft-edge/deploy/group-policies/extensions-management-gp + - text: Favorites + url: /microsoft-edge/deploy/group-policies/favorites-management-gp + - text: Home button + url: /microsoft-edge/deploy/group-policies/home-button-gp + + # Card (optional) + - title: Group policies configure guidance part 2 + linkLists: + - linkListType: reference + links: + - text: Interoperability and enterprise mode + url: /microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: New Tab page + url: /microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + - text: Kiosk mode deployment in Microsoft Edge + url: /microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + - text: Prelaunch Microsoft Edge and preload tabs + url: /microsoft-edge/deploy/group-policies/prelaunch-preload-gp + - text: Search engine customization + url: /microsoft-edge/deploy/group-policies/search-engine-customization-gp + - text: Security and privacy + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Start page + url: /microsoft-edge/deploy/group-policies/start-pages-gp + - text: Sync browser + url: /microsoft-edge/deploy/group-policies/sync-browser-settings-gp + - text: Telemetry and data collection + url: /microsoft-edge/deploy/group-policies/telemetry-management-gp + diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index cdce19d2e5..d948b2c862 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -6,17 +6,17 @@ manager: dansimp ms.author: dansimp author: dansimp ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: ms.localizationpriority: medium ms.topic: reference --- -# Sync browser settings +# Sync browser settings > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. +By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. ## Relevant policies @@ -38,7 +38,7 @@ You can find the Microsoft Edge Group Policy settings in the following location To verify the settings: 1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. -3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) +3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.png) ## Do not sync browser settings diff --git a/browsers/edge/images/allow-smart-screen-validation.PNG b/browsers/edge/images/allow-smart-screen-validation.png similarity index 100% rename from browsers/edge/images/allow-smart-screen-validation.PNG rename to browsers/edge/images/allow-smart-screen-validation.png diff --git a/browsers/edge/images/sync-settings.PNG b/browsers/edge/images/sync-settings.png similarity index 100% rename from browsers/edge/images/sync-settings.PNG rename to browsers/edge/images/sync-settings.png diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index c17f639024..375951a25c 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -2,7 +2,7 @@ author: eavena ms.author: eravena ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: audience: itpro manager: dansimp ms.prod: edge @@ -25,9 +25,9 @@ ms.topic: include --- -To verify Windows Defender SmartScreen is turned off (disabled): +To verify Windows Defender SmartScreen is turned off (disabled): 1. Click or tap **More** (…) and select **Settings** > **View Advanced settings**. -2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.PNG) +2. Verify the setting **Help protect me from malicious sites and download with Windows Defender SmartScreen** is disabled.

![Verify that Windows Defender SmartScreen is turned off (disabled)](../images/allow-smart-screen-validation.png) ### ADMX info and settings @@ -40,7 +40,7 @@ To verify Windows Defender SmartScreen is turned off (disabled): #### MDM settings - **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) - **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen - **Data type:** Integer #### Registry settings diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index 1b5a5891b6..0533a4dcb2 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml @@ -1,161 +1,93 @@ -### YamlMime:YamlDocument +### YamlMime:Landing -documentType: LandingData - -title: Microsoft Edge Legacy Group Policy configuration options +title: Microsoft Edge Group Legacy Policy configuration options # < 60 chars +summary: Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. # < 160 chars metadata: - - title: Microsoft Edge Group Legacy Policy configuration options - - description: - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn how to deploy and configure group policies in Microsoft Edge Legacy on Windows 10. Some of the features coming to Microsoft Edge Legacy gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. - + title: Microsoft Edge Group Legacy Policy configuration options # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions. # Required; article description that is displayed in search results. < 160 chars. + ms.prod: microsoft-edge keywords: Microsoft Edge Legacy, Windows 10 - ms.localizationpriority: medium - - author: shortpatti - - ms.author: pashort - - ms.date: 08/09/2018 - - ms.topic: article - - ms.devlang: na - -sections: - -- title: - -- items: - - - type: markdown - - text: (Note - You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/).) Learn about interoperability goals and enterprise guidance along with system requirements, language support and frequently asked questions.

IMPORTANT - The Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 in favor of the new Microsoft Edge. This means that Microsoft Edge Legacy will not receive security updates after that date. This change is applicable to all experiences that run in the Microsoft Edge Legacy desktop app. [Learn more](https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666) - -- items: - - - type: list - - style: cards - - className: cardsE - - columns: 3 - - items: - - - href: https://docs.microsoft.com/microsoft-edge/deploy/change-history-for-microsoft-edge - - html:

Learn more about the latest group policies and features added to Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_whats-new.svg - - title: What's new - - - href: https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge - - html:

Learn about the system requirements and language support for Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_overview.svg - - title: System requirements and supported languages - - - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare - - html:

Learn about the supported features & functionality in each Windows edition.

- - image: - - src: https://docs.microsoft.com/media/common/i_config-tools.svg - - title: Compare Windows 10 Editions - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp - - html:

Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.

- - image: - - src: https://docs.microsoft.com/media/common/i_security-management.svg - - title: Security & protection - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Interoperability & enterprise guidance - - - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index - - html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: Group policies & configuration options - -- items: - - - type: list - - style: cards - - className: cardsL - - items: - - - title: Microsoft Edge resources - - html:

Minimum system requirements

- -

Supported languages

- -

Document change history

- -

Compare Windows 10 Editions

- -

Microsoft Edge Dev blog

- -

Microsoft Edge Dev on Twitter

- -

Microsoft Edge changelog

- -

Measuring the impact of Microsoft Edge

- - - title: IE11 resources - - html:

Deploy Internet Explorer 11 (IE11) - IT Pros

- -

Internet Explorer Administration Kit 11 (IEAK 11)

- -

Download Internet Explorer 11

- - - title: Additional resources - - html:

Group Policy and the Group Policy Management Console (GPMC)

- -

Group Policy and the Local Group Policy Editor

- -

Group Policy and the Advanced Group Policy Management (AGPM)

- -

Group Policy and Windows PowerShell

- - - - - - + ms.topic: landing-page # Required + ms.collection: collection # Optional; Remove if no collection is used. + author: shortpatti #Required; your GitHub user alias, with correct capitalization. + ms.author: pashort #Required; microsoft alias of author; optional team alias. + ms.date: 07/07/2020 #Required; mm/dd/yyyy format. + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: About Microsoft Edge + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: /DeployEdge + - text: Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + - text: Latest group policies and features added to Microsoft Edge + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - linkListType: overview + links: + - text: System requirements and supported languages + url: /microsoft-edge/deploy/about-microsoft-edge + - text: Compare Windows 10 editions + url: https://www.microsoft.com/en-us/WindowsForBusiness/Compare + - text: Security & protection + url: /microsoft-edge/deploy/group-policies/security-privacy-management-gp + - text: Interoperability & enterprise guidance + url: /microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - text: Group policies & configuration options + url: /microsoft-edge/deploy/group-policies/ + + # Card (optional) + - title: Microsoft Edge resources + linkLists: + - linkListType: overview + links: + - text: Minimum system requirements + url: /microsoft-edge/deploy/about-microsoft-edge#minimum-system-requirements + - text: Supported languages + url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages + - text: Document change history + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - text: Microsoft Edge Dev blog + url: https://blogs.windows.com/msedgedev + - text: Microsoft Edge Dev on Twitter + url: /microsoft-edge/deploy/about-microsoft-edge#supported-languages + - text: Microsoft Edge changelog + url: /microsoft-edge/deploy/change-history-for-microsoft-edge + - text: Measuring the impact of Microsoft Edge + url: https://blogs.windows.com/msedgedev + + # Card (optional) + - title: IE11 resources + linkLists: + - linkListType: overview + links: + - text: Deploy Internet Explorer 11 (IE11) - IT Pros + url: https://go.microsoft.com/fwlink/p/?LinkId=760644 + - text: Internet Explorer Administration Kit 11 (IEAK 11) + url: /internet-explorer/ie11-ieak + - linkListType: download + links: + - text: Download Internet Explorer 11 + url: https://go.microsoft.com/fwlink/p/?linkid=290956 + + # Card (optional) + - title: Additional resources + linkLists: + - linkListType: overview + links: + - text: Group Policy and the Group Policy Management Console (GPMC) + url: https://go.microsoft.com/fwlink/p/?LinkId=617921 + - text: Group Policy and the Local Group Policy Editor + url: https://go.microsoft.com/fwlink/p/?LinkId=617922 + - text: Group Policy and the Advanced Group Policy Management (AGPM) + url: https://go.microsoft.com/fwlink/p/?LinkId=617923 + - text: Group Policy and Windows PowerShell + url: https://go.microsoft.com/fwlink/p/?LinkId=617924 diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md deleted file mode 100644 index 632905e3cb..0000000000 --- a/browsers/edge/microsoft-edge-faq.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros -ms.reviewer: -audience: itpro -manager: dansimp -description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. -author: dansimp -ms.author: dansimp -ms.prod: edge -ms.topic: article -ms.mktglfcycl: general -ms.sitesec: library -ms.localizationpriority: medium ---- - -# Frequently Asked Questions (FAQs) for IT Pros - ->Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - -## How can I get the next major version of Microsoft Edge, based on Chromium? -In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). - -## What’s the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? -Microsoft Edge is the default browser for all Windows 10 devices. It’s built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. - -For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). - -## Does Microsoft Edge work with Enterprise Mode? -[Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. - -## How do I customize Microsoft Edge and related settings for my organization? -You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. - -## Is Adobe Flash supported in Microsoft Edge? -Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we’ve started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. - -To learn more about Microsoft’s plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). - -## Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? -No. Microsoft Edge doesn’t support ActiveX controls and BHOs like Silverlight or Java. If you’re running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and standards support. - -## How often will Microsoft Edge be updated? -In Windows 10, we’re delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. - -## How can I provide feedback on Microsoft Edge? -Microsoft Edge is an evergreen browser - we’ll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. - -## Will Internet Explorer 11 continue to receive updates? -We’re committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it’s installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. - -## How do I find out what version of Microsoft Edge I have? -In the upper right corner of Microsoft Edge, click the ellipses icon (**...**), and then click **Settings**. Look in the **About Microsoft Edge** section to find your version. - -## What is Microsoft EdgeHTML? -Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform. (As opposed to *Microsoft Edge, based on Chromium*.) diff --git a/browsers/edge/microsoft-edge-faq.yml b/browsers/edge/microsoft-edge-faq.yml new file mode 100644 index 0000000000..751f40f4ea --- /dev/null +++ b/browsers/edge/microsoft-edge-faq.yml @@ -0,0 +1,74 @@ +### YamlMime:FAQ +metadata: + title: Microsoft Edge - Frequently Asked Questions (FAQ) for IT Pros + ms.reviewer: + audience: itpro + manager: dansimp + description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. + author: dansimp + ms.author: dansimp + ms.prod: edge + ms.topic: article + ms.mktglfcycl: general + ms.sitesec: library + ms.localizationpriority: medium + +title: Frequently Asked Questions (FAQ) for IT Pros +summary: | + Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + + > [!NOTE] + > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). + + +sections: + - name: Ignored + questions: + - question: How can I get the next major version of Microsoft Edge, based on Chromium? + answer: | + In December 2018, Microsoft [announced](https://blogs.windows.com/windowsexperience/2018/12/06/microsoft-edge-making-the-web-better-through-more-open-source-collaboration/#8jv53blDvL6TIKuS.97) our intention to adopt the Chromium open source project in the development of Microsoft Edge on the desktop, to create better web compatibility for our customers and less fragmentation of the web for all web developers. You can get more information at the [Microsoft Edge Insiders site](https://www.microsoftedgeinsider.com/). + + - question: What's the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use? + answer: | + Microsoft Edge is the default browser for all Windows 10 devices. It's built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](emie-to-improve-compatibility.md) to automatically send users to Internet Explorer 11. + + For more information on how Internet Explorer and Microsoft Edge work together to support your legacy web apps, while still defaulting to the higher security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). + + - question: Does Microsoft Edge work with Enterprise Mode? + answer: | + [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) helps you run many legacy web applications with better backward compatibility. You can configure both Microsoft Edge and Internet Explorer to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. + + - question: How do I customize Microsoft Edge and related settings for my organization? + answer: | + You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/) for a list of policies currently available for Microsoft Edge and configuration information. Note that the preview release of Chromium-based Microsoft Edge might not include management policies or other enterprise functionality; our focus during the preview is modern browser fundamentals. + + - question: Is Adobe Flash supported in Microsoft Edge? + answer: | + Adobe Flash is currently supported as a built-in feature of Microsoft Edge on PCs running Windows 10. In July 2017, Adobe announced that Flash support will end after 2020. With this change to Adobe support, we've started to phase Flash out of Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting group policy](https://docs.microsoft.com/microsoft-edge/deploy/available-policies#configure-the-adobe-flash-click-to-run-setting) - this lets you control which websites can run Adobe Flash content. + + To learn more about Microsoft's plan for phasing Flash out of Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + - question: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java? + answer: | + No, Microsoft Edge doesn't support ActiveX controls and Browser Helper Objects (BHOs) like Silverlight or Java. If you're running web apps that use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in Internet Explorer 11. Internet Explorer 11 offers additional security, manageability, performance, backward compatibility, and standards support. + + - question: How often will Microsoft Edge be updated? + answer: | + In Windows 10, we're delivering Windows as a service, updated on a cadence driven by quality and the availability of new features. Microsoft Edge security updates are released every two to four weeks, while bigger feature updates are included in the Windows 10 releases on a semi-annual cadence. + + - question: How can I provide feedback on Microsoft Edge? + answer: | + Microsoft Edge is an evergreen browser - we'll continue to evolve both the web platform and the user interface with regular updates. To send feedback on user experience, or on broken or malicious sites, use the **Send Feedback** option under the ellipses icon (**...**) in the Microsoft Edge toolbar. + + - question: Will Internet Explorer 11 continue to receive updates? + answer: | + We're committed to keeping Internet Explorer a supported, reliable, and safe browser. Internet Explorer is still a component of Windows and follows the support lifecycle of the OS on which it's installed. For details, see [Lifecycle FAQ - Internet Explorer](https://support.microsoft.com/help/17454/). While we continue to support and update Internet Explorer, the latest features and platform updates will only be available in Microsoft Edge. + + - question: How do I find out which version of Microsoft Edge I have? + answer: | + In the upper-right corner of Microsoft Edge, select the ellipses icon (**...**), and then select **Settings**. Look in the **About Microsoft Edge** section to find your version. + + - question: What is Microsoft EdgeHTML? + answer: | + Microsoft EdgeHTML is the web rendering engine that powers the current Microsoft Edge web browser and Windows 10 web app platform (as opposed to *Microsoft Edge, based on Chromium*). + diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml index 2b47ccaaf7..797d881911 100644 --- a/browsers/edge/microsoft-edge.yml +++ b/browsers/edge/microsoft-edge.yml @@ -1,60 +1,144 @@ -### YamlMime:YamlDocument +### YamlMime:Landing + +title: Microsoft Edge Legacy # < 60 chars +summary: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # < 160 chars -documentType: LandingData -title: Microsoft Edge metadata: - title: Microsoft Edge - description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. + title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars. keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories + ms.prod: edge ms.localizationpriority: medium author: lizap ms.author: elizapo manager: dougkim - ms.topic: article + ms.topic: landing-page ms.devlang: na + ms.date: 08/19/2020 #Required; mm/dd/yyyy format. -sections: -- items: - - type: markdown - text: " - Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. - " -- title: What's new -- items: - - type: markdown - text: " - Find out the latest and greatest news on Microsoft Edge.
- -

**The latest in Microsoft Edge**
See what's new for users and developers in the next update to Microsoft Edge - now available with the Windows 10 April 2018 update!
Find out more
**Evaluate the impact**
Review the latest Forrester Total Economic Impact (TEI) report to learn about the impact Microsoft Edge can have in your organization.
Download the reports

**Microsoft Edge for iOS and Android**
Microsoft Edge brings familiar features across your PC and phone, which allows browsing to go with you, no matter what device you use.
Learn more
**Application Guard**
Microsoft Edge with Windows Defender Application Guard is the most secure browser on Windows 10 Enterprise.
Learn more
- " -- title: Compatibility -- items: - - type: markdown - text: " - Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.
- -

**Test your site on Microsoft Edge**
Test your site on Microsoft Edge for free instantly, with remote browser testing powered by BrowserStack. You can also use the linting tool sonarwhal to assess your site's accessibility, speed, security, and more.
Test your site on Microsoft Edge for free on BrowserStack
Use sonarwhal to improve your website.
**Improve compatibility with Enterprise Mode**
With Enterprise Mode you can use Microsoft Edge as your default browser, while ensuring apps continue working on IE11.
Use Enterprise mode to improve compatibility
Turn on Enterprise Mode and use a site list
Enterprise Site List Portal
Ultimate browser strategy on Windows 10
**Web Application Compatibility Lab Kit**
The Web Application Compatibility Lab Kit is a primer for the features and techniques used to provide web application compatibility during a typical enterprise migration to Microsoft Edge.
Find out more
- " -- title: Security -- items: - - type: markdown - text: " - Microsoft Edge uses Windows Hello and Windows Defender SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.
- -

**NSS Labs web browser security reports**
See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks.
Download the reports
**Microsoft Edge sandbox**
See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege.
Find out more
**Windows Defender SmartScreen**
Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely.
Read the docs
- " -- title: Deployment and end user readiness -- items: - - type: markdown - text: " - Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.
- -

**Deployment**
Find resources, learn about features, and get answers to commonly asked questions to help you deploy Microsoft Edge in your organization.
Microsoft Edge deployment guide
Microsoft Edge FAQ
System requirements and language support
Group Policy and MDM settings in Microsoft Edge
Download the Web Application Compatibility Lab Kit
Microsoft Edge training and demonstrations
**End user readiness**
Help your users get started on Microsoft Edge quickly and learn about features like tab management, instant access to Office files, and more.
Quick Start: Microsoft Edge (PDF, .98 MB)
Find it faster with Microsoft Edge (PDF, 605 KB)
Use Microsoft Edge to collaborate (PDF, 468 KB)
Import bookmarks
Password management
Microsoft Edge tips and tricks (video, 20:26)
- " -- title: Stay informed -- items: - - type: markdown - text: " - -

**Sign up for the Windows IT Pro Insider**
Get the latest tools, tips, and expert guidance on deployment, management, security, and more.
Learn more
**Microsoft Edge Dev blog**
Keep up with the latest browser trends, security tips, and news for IT professionals.
Read the blog
**Microsoft Edge Dev on Twitter**
Get the latest news and updates from the Microsoft Web Platform team.
Visit Twitter
- " +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: What's new + linkLists: + - linkListType: whats-new + links: + - text: Documentation for Microsoft Edge version 77 or later + url: https://docs.microsoft.com/DeployEdge/ + - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021 + url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666 + - text: The latest in Microsoft Edge + url: https://blogs.windows.com/msedgedev/2018/04/30/edgehtml-17-april-2018-update/#C7jCBdbPSG6bCXHr.97 + - text: Microsoft Edge for iOS and Android + url: https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android + - text: Application Guard + url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview + - linkListType: download + links: + - text: Evaluate the impact + url: /microsoft-edge/deploy/microsoft-edge-forrester + + # Card (optional) + - title: Test your site on Microsoft Edge + linkLists: + - linkListType: overview + links: + - text: Test your site on Microsoft Edge for free on BrowserStack + url: https://developer.microsoft.com/microsoft-edge/tools/remote/ + - text: Use sonarwhal to improve your website + url: https://sonarwhal.com/ + + # Card (optional) + - title: Improve compatibility with Enterprise Mode + linkLists: + - linkListType: how-to-guide + links: + - text: Use Enterprise mode to improve compatibility + url: /microsoft-edge/deploy/emie-to-improve-compatibility + - text: Turn on Enterprise Mode and use a site list + url: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list + - text: Enterprise Site List Portal + url: https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal + + # Card (optional) + - title: Web Application Compatibility Lab Kit + linkLists: + - linkListType: overview + links: + - text: Overview + url: /microsoft-edge/deploy/emie-to-improve-compatibility + + # Card (optional) + - title: Security + linkLists: + - linkListType: download + links: + - text: NSS Labs web browser security reports + url: https://www.microsoft.com/download/details.aspx?id=54773 + - linkListType: overview + links: + - text: Microsoft Edge sandbox + url: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/ + - text: Windows Defender SmartScreen + url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview + + # Card (optional) + - title: Deployment + linkLists: + - linkListType: overview + links: + - text: Microsoft Edge deployment guide + url: /microsoft-edge/deploy/ + - text: Microsoft Edge FAQ + url: /microsoft-edge/deploy/microsoft-edge-faq + - text: System requirements and language support + url: /microsoft-edge/deploy/hardware-and-software-requirements + - text: Group Policy and MDM settings in Microsoft Edge + url: /microsoft-edge/deploy/available-policies + - text: Microsoft Edge training and demonstrations + url: /microsoft-edge/deploy/edge-technical-demos + - linkListType: download + links: + - text: Web Application Compatibility Lab Kit + url: https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit + + # Card (optional) + - title: End user readiness + linkLists: + - linkListType: video + links: + - text: Microsoft Edge tips and tricks (video, 20:26) + url: https://myignite.microsoft.com/sessions/56630?source=sessions + - linkListType: download + links: + - text: Quick Start - Microsoft Edge (PDF, .98 MB) + url: https://go.microsoft.com/fwlink/?linkid=825648 + - text: Find it faster with Microsoft Edge (PDF, 605 KB) + url: https://go.microsoft.com/fwlink/?linkid=825661 + - text: Use Microsoft Edge to collaborate (PDF, 468 KB) + url: https://go.microsoft.com/fwlink/?linkid=825653 + - text: Group Policy and MDM settings in Microsoft Edge + url: /microsoft-edge/deploy/available-policies + - text: Microsoft Edge training and demonstrations + url: /microsoft-edge/deploy/edge-technical-demos + - linkListType: how-to-guide + links: + - text: Import bookmarks + url: https://microsoftedgetips.microsoft.com/2/39 + - text: Password management + url: https://microsoftedgetips.microsoft.com/2/18 + + # Card (optional) + - title: Stay informed + linkLists: + - linkListType: overview + links: + - text: Sign up for the Windows IT Pro Insider + url: https://aka.ms/windows-it-pro-insider + - text: Microsoft Edge Dev blog + url: https://blogs.windows.com/msedgedev + - text: Microsoft Edge Dev on Twitter + url: https://twitter.com/MSEdgeDev diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 576a1de28f..a796135a6b 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -39,7 +39,16 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Internet Explorer" + "titleSuffix": "Internet Explorer", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "externalReference": [], "template": "op.html", diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index edcb50cb9e..bd0befaee9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -68,7 +68,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t ## Availability of Internet Explorer 11 -Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Configuration Manager and WSUS. +Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS. ## Prevent automatic installation of Internet Explorer 11 with WSUS diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md index 0257a9db03..5c29be5126 100644 --- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md +++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md @@ -10,9 +10,7 @@ ms.prod: internet-explorer ms.technology: ms.topic: kb-support ms.custom: CI=111020 -ms.localizationpriority: Normal -# localization_priority: medium -# ms.translationtype: MT +ms.localizationpriority: medium ms.date: 01/23/2020 --- # Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 5228341de6..6d55b1a859 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -45,7 +45,16 @@ "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/education/developers.yml b/education/developers.yml index 9e21b6d27f..6533d8c51c 100644 --- a/education/developers.yml +++ b/education/developers.yml @@ -18,16 +18,16 @@ additionalContent: # Card - title: UWP apps for education summary: Learn how to write universal apps for education. - url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/ + url: https://docs.microsoft.com/windows/uwp/apps-for-education/ # Card - title: Take a test API summary: Learn how web applications can use the API to provide a locked down experience for taking tests. - url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api + url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api # Card - title: Office Education Dev center summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app - url: https://dev.office.com/industry-verticals/edu + url: https://developer.microsoft.com/office/edu # Card - title: Data Streamer summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application. - url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer \ No newline at end of file + url: https://docs.microsoft.com/microsoft-365/education/data-streamer diff --git a/education/docfx.json b/education/docfx.json index 809a2da28f..8ba1394c6d 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -7,7 +7,8 @@ "**/**.yml" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], @@ -19,7 +20,8 @@ "**/*.svg" ], "exclude": [ - "**/obj/**" + "**/obj/**", + "**/includes/**" ] } ], diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md new file mode 100644 index 0000000000..156feee1de --- /dev/null +++ b/education/includes/education-content-updates.md @@ -0,0 +1,11 @@ + + + + +## Week of January 11, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/14/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified | +| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index cbbdb3502b..3cd18bebdd 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -457,7 +457,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid X -Use Microsoft Endpoint Configuration Manager for management +Use Microsoft Endpoint Manager for management X X diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 280778ccb4..d2a18c7393 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -26,69 +26,106 @@ This guide shows you how to deploy the Windows 10 operating system in a school d Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district. ->**Note**  This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). +> [!NOTE] +> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management). ### Plan a typical district configuration As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. -![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide") *Figure 1. Typical district configuration for this guide* A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses. -![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") +> [!div class="mx-imgBorder"] +> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide") *Figure 2. Typical school configuration for this guide* Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses. -![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") +> [!div class="mx-imgBorder"] +> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school") *Figure 3. Typical classroom configuration in a school* This district configuration has the following characteristics: * It contains one or more admin devices. + * It contains two or more schools. + * Each school contains two or more classrooms. + * Each classroom contains one teacher device. + * The classrooms connect to each other through multiple subnets. + * All devices in each classroom connect to a single subnet. + * All devices have high-speed, persistent connections to each other and to the Internet. + * All teachers and students have access to Microsoft Store or Microsoft Store for Business. + * You install a 64-bit version of Windows 10 on the admin device. + * You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. + * You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. - >**Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + + > [!NOTE] + > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. + * The devices use Azure AD in Office 365 Education for identity management. + * If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/). + * Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices. + * Each device supports a one-student-per-device or multiple-students-per-device scenario. + * The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical. + * To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot. + * The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education. Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school). ->**Note**  This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. +> [!NOTE] +> This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution. Office 365 Education allows: * Students and faculty to use Microsoft Office to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. + * Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. + * Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty. + * Teachers to employ Sway to create interactive educational digital storytelling. + * Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. + * Faculty to use advanced email features like email archiving and legal hold capabilities. + * Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management. + * Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. + * Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business. + * Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. + * Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. + * Students and faculty to use Office 365 Video to manage videos. + * Students and faculty to use Yammer to collaborate through private social networking. + * Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic). @@ -105,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices. -LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. +LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article. The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. @@ -114,9 +151,13 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al The configuration process requires the following devices: * **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device. + * **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices. + You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all). + * **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. + * **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4: @@ -139,7 +180,8 @@ The high-level process for deploying and configuring devices within individual c 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration. -![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") +> [!div class="mx-imgBorder"] +> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works") *Figure 4. How district configuration works* @@ -160,7 +202,7 @@ Before you select the deployment and management methods, you need to review the |Scenario feature |Cloud-centric|On-premises and cloud| |---|---|---| |Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD | -|Windows 10 deployment | MDT only | Microsoft Endpoint Configuration Manager with MDT | +|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT | |Configuration setting management | Intune | Group Policy

Intune| |App and update management | Intune |Microsoft Endpoint Configuration Manager

Intune| @@ -174,14 +216,14 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both. +* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. * You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. @@ -249,7 +291,7 @@ Select this method when you:

The disadvantages of this method are that it:

@@ -265,7 +307,7 @@ Record the deployment methods you selected in Table 3. |Selection | Deployment method| |--------- | -----------------| | |MDT by itself | -| |Microsoft Endpoint Configuration Manager and MDT| +| |Microsoft Endpoint Manager and MDT| *Table 3. Deployment methods selected* @@ -441,12 +483,12 @@ Select this method when you:

- + - + diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index ffd93b2784..4ea2ef6556 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -1,6 +1,6 @@ --- title: AppLocker DDF file -description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. +description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider. ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md index d07e9eea71..3e03f501a8 100644 --- a/windows/client-management/mdm/applocker-xsd.md +++ b/windows/client-management/mdm/applocker-xsd.md @@ -1,6 +1,6 @@ --- title: AppLocker XSD -description: Here's the XSD for the AppLocker CSP. +description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized. ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 0e1870a49d..15937b2e7c 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -1,6 +1,6 @@ --- title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Configuration Manager or App-V server. +description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Endpoint Manager or App-V server. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp ## Executive summary -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

+

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index c4844e943d..703958aa0e 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -1,6 +1,6 @@ --- title: AssignedAccess DDF -description: AssignedAccess DDF +description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider. ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 8e84d077d5..b511fd100f 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -165,7 +165,10 @@ The following image illustrates how MDM applications will show up in the Azure a ### Add cloud-based MDM to the app gallery -You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery. +> [!NOTE] +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application + +The following table shows the required information to create an entry in the Azure AD app gallery.
Microsoft Endpoint Configuration Manager and Intune (hybrid)Microsoft Endpoint Manager and Intune (hybrid)

Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.

Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.

Select this method when you:

    -
  • Selected Microsoft Endpoint Configuration Manager to deploy Windows 10.
    • +
  • Selected Microsoft Endpoint Manager to deploy Windows 10.
  • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
  • Want to manage domain-joined devices.
  • Want to manage Azure AD domain-joined devices.
    • @@ -483,9 +525,9 @@ Record the app and update management methods that you selected in Table 7. |Selection | Management method| |----------|------------------| -| |Microsoft Endpoint Configuration Manager by itself| +| |Microsoft Endpoint Manager by itself| | |Intune by itself| -| |Microsoft Endpoint Configuration Manager and Intune (hybrid mode)| +| |Microsoft Endpoint Manager and Intune (hybrid mode)| *Table 7. App and update management methods selected* @@ -512,7 +554,8 @@ For more information about installing the Windows ADK, see [Step 2-2: Install Wi Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment. It is a free tool available directly from Microsoft. You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. ->**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. +> [!NOTE] +> If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT). @@ -526,15 +569,17 @@ For more information about how to create a deployment share, see [Step 3-1: Crea ### Install the Configuration Manager console ->**Note**  If you selected Microsoft Endpoint Configuration Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. +> [!NOTE] +> If you selected Microsoft Endpoint Manager to deploy Windows 10 or manage your devices (in the [Select the deployment methods](#select-the-deployment-methods) and [Select the configuration setting management methods](#select-the-configuration-setting-management-methods) sections, respectively), perform the steps in this section. Otherwise, skip this section and continue to the next. You can use Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install Configuration Manager primary site servers. -For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Configuration Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). +For more information about how to install the Configuration Manager console, see [Install Microsoft Endpoint Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). ### Configure MDT integration with the Configuration Manager console ->**Note**  If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in the [Select the deployment methods](#select-the-deployment-methods) section, then skip this section and continue to the next. +> [!NOTE] +> If you selected MDT only to deploy Windows 10 and your apps (and not Microsoft Endpoint Configuration Manager) in [Select the deployment methods](#select-the-deployment-methods), earlier in this article, then skip this section and continue to the next. You can use MDT with Configuration Manager to make ZTI operating system deployment easier. To configure MDT integration with Configuration Manager, run the Configure ConfigMgr Integration Wizard. This wizard is installed when you install MDT. @@ -544,7 +589,7 @@ For more information, see [Enable Configuration Manager Console Integration for #### Summary -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in the [Select the deployment methods](#select-the-deployment-methods) section). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. +In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later to capture a reference image. You can also use the MDT deployment share to deploy Windows 10 and your apps to faculty and students (if that’s the method you selected in [Select the deployment methods](#select-the-deployment-methods), earlier in this article). Finally, you installed the Configuration Manager console and configured MDT integration with the Configuration Manager console. ## Create and configure Office 365 @@ -590,13 +635,19 @@ You will use the Office 365 Education license plan information you record in Tab To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. ->**Note**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365). +> [!NOTE] +> If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Create user accounts in Office 365](#create-user-accounts-in-office-365). #### To create a new Office 365 subscription 1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - > **Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: - >
    • In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window.
    • In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing.
    + + > [!NOTE] + > If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods: + > + > - In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window. + > + > - In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing. 2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**. @@ -631,7 +682,8 @@ Now that you have created your new Office 365 Education subscription, add the do To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. ->**Note**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). +> [!NOTE] +> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush). Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: @@ -640,7 +692,8 @@ Office 365 uses the domain portion of the user’s email address to know which O You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365. ->**Note**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. +> [!NOTE] +> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -651,13 +704,15 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi *Table 10. Windows PowerShell commands to enable or disable automatic tenant join* ->**Note**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. ### Disable automatic licensing To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. ->**Note**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. +> [!NOTE] +> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). @@ -678,7 +733,7 @@ The following Azure AD Premium features are not in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata -* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) +* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) * Identify cloud apps that your users run * Self-service recovery of BitLocker * Add local administrator accounts to Windows 10 devices @@ -709,9 +764,11 @@ Now that you have an Office 365 subscription, you must determine how you’ll cr In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. ->**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). +> [!NOTE] +> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). -![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") +> [!div class="mx-imgBorder"] +> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") *Figure 5. Automatic synchronization between AD DS and Azure AD* @@ -721,7 +778,8 @@ For more information about how to perform this step, see the [Integrate on-premi In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. -![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") +> [!div class="mx-imgBorder"] +> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources") *Figure 6. Bulk import into Azure AD from other sources* @@ -742,7 +800,8 @@ In this section, you selected the method for creating user accounts in your Offi You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. ->**Note**  If your institution does not have an on-premises AD DS domain, you can skip this section. +> [!NOTE] +> If your institution does not have an on-premises AD DS domain, you can skip this section. ### Select a synchronization model @@ -752,13 +811,15 @@ You can deploy the Azure AD Connect tool: - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server. - ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") + > [!div class="mx-imgBorder"] + > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises") *Figure 7. Azure AD Connect on premises* - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") + > [!div class="mx-imgBorder"] + > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure") *Figure 8. Azure AD Connect in Azure* @@ -815,7 +876,8 @@ In this section, you selected your synchronization model, deployed Azure AD Conn You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. ->**Note**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. +> [!NOTE] +> If your institution doesn’t have an on-premises AD DS domain, you can skip this section. ### Select the bulk import method @@ -823,7 +885,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method |Description and reason to select this method | |-------|---------------------------------------------| -|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| |VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| |Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| @@ -845,7 +907,8 @@ After you have selected your user and group account bulk import method, you’re With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. ->**Note**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. +> [!NOTE] +> Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. For more information about how to import user accounts into AD DS by using: @@ -865,7 +928,8 @@ You can bulk-import user and group accounts directly into Office 365, reducing t Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. ->**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). @@ -873,7 +937,8 @@ The bulk-add process assigns the same Office 365 Education license plan to all u For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). ->**Note**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. +> [!NOTE] +> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. The email accounts are assigned temporary passwords on creation. You must communicate these temporary passwords to your users before they can sign in to Office 365. @@ -881,13 +946,15 @@ The email accounts are assigned temporary passwords on creation. You must commun Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. ->**Note**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. +> [!NOTE] +> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). You can add and remove users from security groups at any time. ->**Note**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. +> [!NOTE] +> Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect. ### Create email distribution groups @@ -895,7 +962,8 @@ Microsoft Exchange Online uses an email distribution group as a single email rec You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. ->**Note**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. +> [!NOTE] +> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps. For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US). @@ -957,7 +1025,8 @@ After you create the Microsoft Store for Business portal, configure it by using Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business. ->**Note**  Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. +> [!NOTE] +> Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business. You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps. @@ -989,13 +1058,15 @@ Depending on your school’s requirements, you may need any combination of the f * Upgrade institution-owned devices to Windows 10 Education. * Deploy new instances of Windows 10 Education so that new devices have a known configuration. ->**Note**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). +> [!NOTE] +> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades). For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. ->**Note**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. +> [!NOTE] +> On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. @@ -1077,7 +1148,7 @@ At the end of this section, you should know the Windows 10 editions and processo ## Prepare for deployment -Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. +Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers. ### Configure the MDT deployment share @@ -1173,7 +1244,8 @@ For more information about how to update a deployment share, see #enforceLockdown ``` diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 80555a4b90..4197cf6869 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -30,10 +30,10 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -For Cortana[1](#footnote1), +For Cortana[1](#footnote1): - If you're using version 1607, Cortana is removed. -- If you're using new devices with version 1703, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. +- If you're using new devices with version 1703 or later, Cortana is turned on by default. +- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). @@ -49,10 +49,10 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -For Cortana1, +For Cortana1: - If you're using version 1607, Cortana1 is removed. -- If you're using new devices with version 1703, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. +- If you're using new devices with version 1703 or later, Cortana is turned on by default. +- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). diff --git a/gdpr/docfx.json b/gdpr/docfx.json index 2fd5e0e9f9..9b8ee64f65 100644 --- a/gdpr/docfx.json +++ b/gdpr/docfx.json @@ -34,7 +34,16 @@ "ms.author": "lizross", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app" + "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/smb/docfx.json b/smb/docfx.json index a5644a3f2b..379f9d6f3e 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -30,6 +30,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "feedback_system": "None", "hideEdit": true, "_op_documentIdPathDepotMapping": { diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index b343954c9a..c57643bd16 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Add unsigned app to code integrity policy +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> For any questions, please contact us at DGSSMigration@microsoft.com. + **Applies to** @@ -45,7 +62,7 @@ Before you get started, be sure to review these best practices and requirements: **Best practices** -- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). +- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). - **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted. Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app. @@ -100,4 +117,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. -7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). +7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 6a2720e035..a891ecd541 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -17,6 +17,23 @@ ms.date: 10/17/2017 # Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> For any questions, please contact us at DGSSMigration@microsoft.com. + **Applies to** diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 33b58da4ab..8a5ead4fe6 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md @@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Distribute offline apps -**Applies to** +**Applies to:** -- Windows 10 -- Windows 10 Mobile +- Windows 10 +- Windows 10 Mobile Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store. @@ -29,23 +29,23 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps: -- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. +- **You don't have access to Microsoft Store services** - If your employees don't have access to the Internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps. -- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). +- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD). -- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. +- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store. ## Distribution options for offline-licensed apps You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps: -- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). +- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows). -- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages). +- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages). -- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: +- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics: - [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
    + - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
    For third-party MDM providers or management servers, check your product documentation. @@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app. -- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. +- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata. -- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. +- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices. -- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. +- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM. -- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. +- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected. -     -**To download an offline-licensed app** +**To download an offline-licensed app** -1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**. -3. Click **Settings**. -4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. -5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. -6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**. +3. Click **Settings**. +4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. +6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) - **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional. - **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required. @@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app > [!NOTE] > You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible. - - - -   - -  - -  - - - - - diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md new file mode 100644 index 0000000000..82518ed170 --- /dev/null +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -0,0 +1,18 @@ + + + + +## Week of January 25, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/29/2021 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified | + + +## Week of January 11, 2021 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 1/14/2021 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md index 4b9707b563..59be6fdc1c 100644 --- a/store-for-business/microsoft-store-for-business-overview.md +++ b/store-for-business/microsoft-store-for-business-overview.md @@ -12,7 +12,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/17/2017 +ms.date: --- # Microsoft Store for Business and Microsoft Store for Education overview @@ -22,7 +22,10 @@ ms.date: 10/17/2017 - Windows 10 - Windows 10 Mobile -Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. +Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options. + +> [!IMPORTANT] +> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. ## Features Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education: diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index c540dd2199..0dc7ab9ece 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -12,7 +12,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.date: 10/13/2017 +ms.date: --- # Prerequisites for Microsoft Store for Business and Education @@ -22,6 +22,9 @@ ms.date: 10/13/2017 - Windows 10 - Windows 10 Mobile +> [!IMPORTANT] +> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business. + There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education. ## Prerequisites @@ -64,7 +67,7 @@ If your organization restricts computers on your network from connecting to the starting with Windows 10, version 1607) Store for Business requires Microsoft Windows HTTP Services (WinHTTP) to install, or update apps. -For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/en-us/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). +For more information about how to configure WinHTTP proxy settings to devices, see [Use Group Policy to apply WinHTTP proxy settings to Windows clients](https://support.microsoft.com/help/4494447/use-group-policy-to-apply-winhttp-proxy-settings-to-clients). diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index e0db1ee7c7..6512584c76 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -17,6 +17,24 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing +> [!IMPORTANT] +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> +> Following are the major changes we are making to the service: +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. +> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> +> The following functionality will be available via these PowerShell cmdlets: +> - Get a CI policy +> - Sign a CI policy +> - Sign a catalog +> - Download root cert +> - Download history of your signing operations +> +> For any questions, please contact us at DGSSMigration@microsoft.com. + + **Applies to** - Windows 10 diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 9df4554e37..3f6ef46e23 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -40,7 +40,16 @@ "depot_name": "MSDN.win-access-protection", "folder_relative_path_in_docset": "./" } - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], }, "fileMetadata": {}, "template": [], diff --git a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md index 1ef657304d..8e37f9eb2f 100644 --- a/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-remove-an-administrator-with-the-management-console.md @@ -1,6 +1,6 @@ --- title: How to Add or Remove an Administrator by Using the Management Console (Windows 10) -description: How to add or remove an administrator by using the Management Console +description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md index ce050e817b..c26f77e8e4 100644 --- a/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-add-or-upgrade-packages-with-the-management-console.md @@ -1,6 +1,6 @@ --- title: How to Add or Upgrade Packages by Using the Management Console (Windows 10) -description: How to add or upgrade packages by using the Management Console +description: Add or remove an administrator on the Microsoft Application Virtualization (App-V) server by using the Management Console. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-administering-appv-with-powershell.md b/windows/application-management/app-v/appv-administering-appv-with-powershell.md index ea02c9ad1f..58a0c8b25d 100644 --- a/windows/application-management/app-v/appv-administering-appv-with-powershell.md +++ b/windows/application-management/app-v/appv-administering-appv-with-powershell.md @@ -1,6 +1,6 @@ --- title: Administering App-V by using Windows PowerShell (Windows 10) -description: Administering App-V by Using Windows PowerShell +description: Administer App-V by using Windows PowerShell and learn where to find more information about PowerShell for App-V. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md index a913ce8a38..88430660e3 100644 --- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md +++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md @@ -1,6 +1,6 @@ --- title: Application Publishing and Client Interaction (Windows 10) -description: Application publishing and client interaction. +description: Learn technical information about common App-V Client operations and their integration with the local operating system. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index 6bb52f7eb3..8c4f4b2b2d 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -1,6 +1,6 @@ --- title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) -description: A list of the available MDM settings for App-V on Windows 10. +description: Learn the available Mobile Device Management (MDM) settings you can use to configure App-V on Windows 10. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 099bcdf1c4..d3c80a88c9 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -1,6 +1,6 @@ --- title: App-V Capacity Planning (Windows 10) -description: App-V Capacity Planning +description: Use these recommendations as a baseline to help determine capacity planning information that is appropriate to your organization’s App-V infrastructure. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-client-configuration-settings.md b/windows/application-management/app-v/appv-client-configuration-settings.md index 693a058d7e..f641b232d6 100644 --- a/windows/application-management/app-v/appv-client-configuration-settings.md +++ b/windows/application-management/app-v/appv-client-configuration-settings.md @@ -1,6 +1,6 @@ --- title: About Client Configuration Settings (Windows 10) -description: About Client Configuration Settings +description: Learn about the App-V client configuration settings and how to use Windows PowerShell to modify the client configuration settings. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index ae887fc389..52632f558e 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -1,6 +1,6 @@ --- title: How to make a connection group ignore the package version (Windows 10) -description: How to make a connection group ignore the package version. +description: Learn how to make a connection group ignore the package version with the App-V Server Management Console. author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md index f878e5f7a4..dd38c101dd 100644 --- a/windows/application-management/app-v/appv-connect-to-the-management-console.md +++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to connect to the Management Console (Windows 10) -description: How to Connect to the App-V Management Console. -author: lomayor +description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md index ed2d425dc4..743c824815 100644 --- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md +++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md @@ -1,7 +1,7 @@ --- title: About the connection group virtual environment (Windows 10) -description: Overview of how the connection group virtual environment works. -author: lomayor +description: Learn how the connection group virtual environment works and how package priority is determined. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md index 794615f010..36691ab472 100644 --- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md +++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md @@ -1,7 +1,7 @@ --- title: How to convert a package created in a previous version of App-V (Windows 10) -description: How to convert a package created in a previous version of App-V. -author: lomayor +description: Use the package converter utility to convert a virtual application package created in a previous version of App-V. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md index 312adeb09b..62787b9a7c 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md +++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md @@ -1,7 +1,7 @@ --- title: How to create a connection croup with user-published and globally published packages (Windows 10) description: How to create a connection croup with user-published and globally published packages. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md index 9f08b25b41..509167b5f4 100644 --- a/windows/application-management/app-v/appv-create-a-connection-group.md +++ b/windows/application-management/app-v/appv-create-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to create a connection group (Windows 10) -description: How to create a connection group with the App-V Management Console. -author: lomayor +description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md index 273b520a59..42081976ef 100644 --- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md +++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to create a custom configuration file by using the App-V Management Console (Windows 10) description: How to create a custom configuration file by using the App-V Management Console. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md index fb72cbc762..d6a62ddf52 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator by using Windows PowerShell (Windows 10) -description: How to create a package accelerator with Windows PowerShell. -author: lomayor +description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md index db4fe23b68..d2c69c8afb 100644 --- a/windows/application-management/app-v/appv-create-a-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a package accelerator (Windows 10) description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md index c6983aab02..200f0481e4 100644 --- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md +++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md @@ -1,7 +1,7 @@ --- title: How to create a virtual application package using an App-V Package Accelerator (Windows 10) description: How to create a virtual application package using an App-V Package Accelerator. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index 54aa412604..0af67b340d 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -1,7 +1,7 @@ --- title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md index 29d79221c5..30debd58c4 100644 --- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md +++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md @@ -1,7 +1,7 @@ --- title: Creating and managing App-V virtualized applications (Windows 10) -description: Creating and managing App-V virtualized applications -author: lomayor +description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md index aae5ad7d4c..ebbdf508c3 100644 --- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md +++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10) description: How to customize virtual application extensions for a specific AD group by using the Management Console. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index 9747e3066d..60a5518fe9 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,7 +1,7 @@ --- title: How to delete a connection group (Windows 10) -description: How to delete a connection group. -author: lomayor +description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 3b5027c30b..27a1adeb35 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,7 +1,7 @@ --- title: How to delete a package in the Management Console (Windows 10) -description: How to delete a package in the Management Console. -author: lomayor +description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md index e866c21b92..f7ccc22f58 100644 --- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md +++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10) -description: These instructions can be used to deploy App-V databases by using SQL scripts. -author: lomayor +description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 0c013faf96..29719a0f8c 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to deploy App-V packages using electronic software distribution (Windows 10) -description: How to deploy App-V packages using electronic software distribution. -author: lomayor +description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 728f4943a1..f2c8cc0af3 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server Using a Script (Windows 10) -description: Information, lists, and tables that can help you deploy the App-V server using a script -author: lomayor +description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.' +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index 837d0e6a32..ec7bcac622 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -1,7 +1,7 @@ --- title: How to Deploy the App-V Server (Windows 10) -description: Use these instructions to deploy the App-V Server in App-V for Windows 10. -author: lomayor +description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index 14493f0b25..5061447ca8 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,7 +1,7 @@ --- title: Deploying App-V (Windows 10) description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index b125e5282e..143b808f76 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2010 by Using App-V (Windows 10) -description: See the methods for creating Microsoft Office 2010 packages by Using App-V. -author: lomayor +description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 4379625ee0..d4567acef0 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2013 by Using App-V (Windows 10) -description: Deploying Microsoft Office 2013 by Using App-V -author: lomayor +description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index ba7107286e..5a7bb4a95a 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,7 +1,7 @@ --- title: Deploying Microsoft Office 2016 by using App-V (Windows 10) description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 37adcaae5e..5e3c484a69 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Deploying App-V packages by using electronic software distribution (ESD) description: Deploying App-V packages by using electronic software distribution (ESD) -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 4edf732dd1..15f8f520d4 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Sequencer and configuring the client (Windows 10) -description: Deploying the App-V Sequencer and configuring the client -author: lomayor +description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 576764fb91..fad40ca584 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -1,7 +1,7 @@ --- title: Deploying the App-V Server (Windows 10) -description: Deploying the App-V Server in App-V for Windows 10 -author: lomayor +description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md index bb97e27472..e64dfcb45c 100644 --- a/windows/application-management/app-v/appv-deployment-checklist.md +++ b/windows/application-management/app-v/appv-deployment-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Deployment Checklist (Windows 10) -description: App-V Deployment Checklist -author: lomayor +description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 13a82055b6..fac027c816 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -1,7 +1,7 @@ --- title: About App-V Dynamic Configuration (Windows 10) -description: About App-V Dynamic Configuration -author: lomayor +description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 656f0264ce..013c9bf60d 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10) -description: How to Enable Only Administrators to Publish Packages by Using an ESD -author: lomayor +description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD). +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index 39a072c558..ba86d9400f 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10) description: How to Enable Reporting on the App-V Client by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index d9644226fb..e9352f15ee 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -1,7 +1,7 @@ --- title: Enable the App-V in-box client (Windows 10) -description: How to enable the App-V in-box client installed with Windows 10. -author: lomayor +description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index 9eb57e8521..c5d8ac6964 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,7 +1,7 @@ --- title: Evaluating App-V (Windows 10) description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index bec88a55bf..d089cb3371 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -1,7 +1,7 @@ --- title: Application Virtualization (App-V) (Windows 10) description: See various topics that can help you administer Application Virtualization (App-V) and its components. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 2e1556cb8a..8fc9117868 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -1,7 +1,7 @@ --- title: Getting Started with App-V (Windows 10) -description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. -author: lomayor +description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md index ab25607096..cf81569563 100644 --- a/windows/application-management/app-v/appv-high-level-architecture.md +++ b/windows/application-management/app-v/appv-high-level-architecture.md @@ -1,7 +1,7 @@ --- title: High-level architecture for App-V (Windows 10) -description: High-level Architecture for App-V. -author: lomayor +description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 82b6545be6..fed3c5c9ec 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10) description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md index ffffedff20..2b99c85da9 100644 --- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md +++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md @@ -1,7 +1,7 @@ --- title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10) description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 44e1be2801..f8c387ecb8 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10) description: How to install the Management Server on a Standalone Computer and Connect it to the Database -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md index f08f5dfe4d..df6dc6c726 100644 --- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md +++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md @@ -1,7 +1,7 @@ --- title: Install the Publishing Server on a Remote Computer (Windows 10) description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md index d476fda616..17251170f3 100644 --- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md @@ -1,7 +1,7 @@ --- title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10) description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md index 93180520e7..0c3ae2e9a0 100644 --- a/windows/application-management/app-v/appv-install-the-sequencer.md +++ b/windows/application-management/app-v/appv-install-the-sequencer.md @@ -1,7 +1,7 @@ --- title: Install the App-V Sequencer (Windows 10) -description: Install the App-V Sequencer -author: lomayor +description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index bc8cd9361e..4c3530ae6b 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -1,7 +1,7 @@ --- title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10) description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index e03e524b5a..ca2c8811c9 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,7 +1,7 @@ --- title: Maintaining App-V (Windows 10) description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index c7f1214405..78190c4689 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index d4e01266f8..d6e03d17a6 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10) description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md index 5a94cbc421..f308ee42da 100644 --- a/windows/application-management/app-v/appv-managing-connection-groups.md +++ b/windows/application-management/app-v/appv-managing-connection-groups.md @@ -1,7 +1,7 @@ --- title: Managing Connection Groups (Windows 10) -description: Managing Connection Groups -author: lomayor +description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md index dff030f470..63e362cc4c 100644 --- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md +++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md @@ -1,7 +1,7 @@ --- title: Migrating to App-V from a Previous Version (Windows 10) -description: Migrating to App-V for Windows 10 from a previous version -author: lomayor +description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md index e2cb4eca48..6a6da20d55 100644 --- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md +++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md @@ -1,7 +1,7 @@ --- title: How to Modify an Existing Virtual Application Package (Windows 10) -description: How to Modify an Existing Virtual Application Package -author: lomayor +description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index 7fe2f3896f..9b7fa5dc90 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -1,7 +1,7 @@ --- title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10) -description: How to Modify Client Configuration by Using Windows PowerShell -author: lomayor +description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md index 5305207fe6..8d46833f6d 100644 --- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md +++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md @@ -1,7 +1,7 @@ --- title: How to Move the App-V Server to Another Computer (Windows 10) -description: How to Move the App-V Server to Another Computer -author: lomayor +description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md index c45c9ab9cf..a916d38776 100644 --- a/windows/application-management/app-v/appv-operations.md +++ b/windows/application-management/app-v/appv-operations.md @@ -1,7 +1,7 @@ --- title: Operations for App-V (Windows 10) -description: Operations for App-V -author: lomayor +description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md index 65ccf02292..d7c8078b33 100644 --- a/windows/application-management/app-v/appv-performance-guidance.md +++ b/windows/application-management/app-v/appv-performance-guidance.md @@ -1,7 +1,7 @@ --- title: Performance Guidance for Application Virtualization (Windows 10) -description: Performance Guidance for Application Virtualization -author: lomayor +description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md index edaf668a89..e2d9776c2c 100644 --- a/windows/application-management/app-v/appv-planning-checklist.md +++ b/windows/application-management/app-v/appv-planning-checklist.md @@ -1,7 +1,7 @@ --- title: App-V Planning Checklist (Windows 10) -description: App-V Planning Checklist -author: lomayor +description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md index c9c570009a..0b9b995319 100644 --- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md +++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Use Folder Redirection with App-V (Windows 10) -description: Planning to Use Folder Redirection with App-V -author: lomayor +description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md index eaf7729f22..94b436fd53 100644 --- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Server Deployment (Windows 10) -description: Planning for the App-V 5.1 Server Deployment -author: lomayor +description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md index d54d848a2c..39d5199ea8 100644 --- a/windows/application-management/app-v/appv-planning-for-appv.md +++ b/windows/application-management/app-v/appv-planning-for-appv.md @@ -1,7 +1,7 @@ --- title: Planning for App-V (Windows 10) -description: Planning for App-V -author: lomayor +description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index af66e545e4..9f01735aab 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -1,7 +1,7 @@ --- title: Planning for High Availability with App-V Server -description: Planning for High Availability with App-V Server -author: lomayor +description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +18,7 @@ ms.topic: article Microsoft Application Virtualization (App-V) system configurations can take advantage of options that maintain a high available service level. -The following sections will he following sections to help you understand the options to deploy App-V in a highly available configuration. +The following sections will help you understand the options to deploy App-V in a highly available configuration. ## Support for Microsoft SQL Server clustering diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md index 4fa3630f7f..52019b0496 100644 --- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md +++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md @@ -1,7 +1,7 @@ --- title: Planning for the App-V Sequencer and Client Deployment (Windows 10) -description: Planning for the App-V Sequencer and Client Deployment -author: lomayor +description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index da919b1dbf..32b20fa1e6 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -1,7 +1,7 @@ --- title: Planning for Deploying App-V with Office (Windows 10) -description: Planning for Using App-V with Office -author: lomayor +description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V). +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index 49e7266314..10fd13f4cc 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10) description: Planning to Deploy App-V with an Electronic Software Distribution System -author: lomayor +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md index ee9e0b73a9..f08a2b2b44 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md @@ -1,7 +1,7 @@ --- title: Planning to Deploy App-V (Windows 10) -description: Planning to Deploy App-V -author: lomayor +description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10. +author: dansimp ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/app-v/appv-prerequisites.md b/windows/application-management/app-v/appv-prerequisites.md index bc458a3f94..652eabd063 100644 --- a/windows/application-management/app-v/appv-prerequisites.md +++ b/windows/application-management/app-v/appv-prerequisites.md @@ -1,6 +1,6 @@ --- title: App-V Prerequisites (Windows 10) -description: App-V Prerequisites +description: Learn about the prerequisites you need before you begin installing Application Virtualization (App-V). author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 41d35e29a0..e48f4c43c6 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -1,6 +1,6 @@ --- title: How to Publish a Connection Group (Windows 10) -description: How to Publish a Connection Group +description: Learn how to publish a connection group to computers that run the Application Virtualization (App-V) client. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 57a4526ecf..41c995543f 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -1,6 +1,6 @@ --- title: About App-V Reporting (Windows 10) -description: About App-V Reporting +description: Learn how the App-V reporting feature collects information about computers running the App-V client and virtual application package usage. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md index b1a6caca2c..3138fa3ab3 100644 --- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md +++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md @@ -44,7 +44,7 @@ Each method accomplishes essentially the same task, but some methods may be bett To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections. -There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry. +There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry. Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user. diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index ab6c1c4c32..d2dd484a97 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -1,6 +1,6 @@ --- title: App-V Security Considerations (Windows 10) -description: App-V Security Considerations +description: Learn about accounts and groups, log files, and other security-related considerations for Microsoft Application Virtualization (App-V). author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-sequence-a-new-application.md b/windows/application-management/app-v/appv-sequence-a-new-application.md index c3e16261db..2eb919d9b5 100644 --- a/windows/application-management/app-v/appv-sequence-a-new-application.md +++ b/windows/application-management/app-v/appv-sequence-a-new-application.md @@ -1,6 +1,6 @@ --- title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10) -description: How to manually sequence a new app using the App-V Sequencer +description: Learn how to manually sequence a new app by using the App-V Sequencer that's included with the Windows ADK. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md index 349ead11a5..2a353b9121 100644 --- a/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md +++ b/windows/application-management/app-v/appv-sequence-a-package-with-powershell.md @@ -1,6 +1,6 @@ --- title: How to sequence a package by using Windows PowerShell (Windows 10) -description: How to sequence a package by using Windows PowerShell +description: Learn how to sequence a new Microsoft Application Virtualization (App-V) package by using Windows PowerShell. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index e0f6e0f48d..8cd6653c77 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -1,6 +1,6 @@ --- title: Technical Reference for App-V (Windows 10) -description: Technical Reference for App-V +description: Learn strategy and context for a number of performance optimization practices in this techincal reference for Application Virtualization (App-V). author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-troubleshooting.md b/windows/application-management/app-v/appv-troubleshooting.md index fd794d1044..29240949b5 100644 --- a/windows/application-management/app-v/appv-troubleshooting.md +++ b/windows/application-management/app-v/appv-troubleshooting.md @@ -1,6 +1,6 @@ --- title: Troubleshooting App-V (Windows 10) -description: Troubleshooting App-V +description: Learn how to find information about troubleshooting Application Virtualization (App-V) and information about other App-V topics. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md index 4aedf60d24..8660d86846 100644 --- a/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md +++ b/windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md @@ -1,6 +1,6 @@ --- title: Upgrading to App-V for Windows 10 from an existing installation (Windows 10) -description: Upgrading to App-V for Windows 10 from an existing installation +description: Learn about upgrading to Application Virtualization (App-V) for Windows 10 from an existing installation. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-using-the-client-management-console.md b/windows/application-management/app-v/appv-using-the-client-management-console.md index b6691c2fc5..7dc0a15d0a 100644 --- a/windows/application-management/app-v/appv-using-the-client-management-console.md +++ b/windows/application-management/app-v/appv-using-the-client-management-console.md @@ -1,6 +1,6 @@ --- title: Using the App-V Client Management Console (Windows 10) -description: Using the App-V Client Management Console +description: Learn how to use the Application Virtualization (App-V) client management console to manage packages on the computer running the App-V client. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md index eac57684c6..acbd96ca6e 100644 --- a/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md +++ b/windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md @@ -1,6 +1,6 @@ --- title: Viewing App-V Server Publishing Metadata (Windows 10) -description: Viewing App-V Server Publishing Metadata +description: Use this procedure to view App-V Server publishing metadata, which can help you resolve publishing-related issues. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index c27ad32063..31da1afc51 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -39,53 +39,53 @@ You can list all provisioned Windows apps with this PowerShell command: Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName ``` -Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909. +Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. -| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| -| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes | -| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | -| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | -| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | -| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.VP9VideoExtensions | | | x | x | x | No | -| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | -| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | -| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | +| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 09bd474c3e..460b8ecfdd 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", @@ -43,7 +44,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Application Management" + "titleSuffix": "Windows Application Management", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/application-management/index.md b/windows/application-management/index.md index fef303c216..f9a00fdc84 100644 --- a/windows/application-management/index.md +++ b/windows/application-management/index.md @@ -1,6 +1,6 @@ --- title: Windows 10 application management -description: Windows 10 application management +description: Learn about managing applications in Windows 10 and Windows 10 Mobile clients, including how to remove background task resource restrictions. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 082fa016f4..4414bb6e96 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -1,8 +1,8 @@ --- title: Enable or block Windows Mixed Reality apps in the enterprise (Windows 10) +description: Learn how to enable Windows Mixed Reality apps in WSUS or block the Windows Mixed Reality portal in enterprises. ms.reviewer: manager: dansimp -description: Learn how to enable or block Windows Mixed Reality apps. keyboards: ["mr", "mr portal", "mixed reality portal", "mixed reality"] ms.prod: w10 ms.mktglfcycl: manage @@ -38,11 +38,10 @@ Organizations that use Windows Server Update Services (WSUS) must take action to > [!NOTE] > You must download the FOD .cab file that matches your operating system version. - 1. Use `Add-Package` to add Windows Mixed Reality FOD to the image. + 1. Use `Dism` to add Windows Mixed Reality FOD to the image. ```powershell - Add-Package - Dism /Online /add-package /packagepath:(path) + Dism /Online /Add-Package /PackagePath:(path) ``` > [!NOTE] diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 91ef9b0c48..b1c60124ea 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -1,6 +1,6 @@ --- title: Repackage your existing win32 applications to the MSIX format. -description: Learn how to install and use the MSIX packaging tool. +description: Learn how to install and use the MSIX packaging tool to repackage your existing win32 applications to the MSIX format. keywords: ["MSIX", "application", "app", "win32", "packaging tool"] ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 2dc4591d51..7305ea48e2 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -1,6 +1,6 @@ --- title: Sideload LOB apps in Windows 10 (Windows 10) -description: Sideload line-of-business apps in Windows 10. +description: Learn how to sideload line-of-business (LOB) apps in Windows 10. When you sideload an app, you deploy a signed app package to a device. ms.assetid: C46B27D0-375B-4F7A-800E-21595CF1D53D ms.reviewer: manager: dansimp diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index b99a2d3ee4..aac950751a 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -1,5 +1,6 @@ # [Manage clients in Windows 10](index.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) +### [Use Quick Assist to help users](quick-assist.md) ## [Create mandatory user profiles](mandatory-user-profile.md) ## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 4af9868736..c27a78fa4c 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -17,17 +17,17 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution. +This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution. ## Scenarios -This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS. -## Known Issues +## Known issues None -## Data Collection +## Data collection See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md). @@ -35,11 +35,11 @@ See [Advanced troubleshooting 802.1X authentication data collection](data-collec Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications. -NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy). +NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article. -Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. +Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts. -In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it. +In the event message, scroll to the very bottom, and then check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it. ![example of an audit failure](images/auditfailure.png) *Example: event ID 6273 (Audit Failure)*

    @@ -47,35 +47,35 @@ In the event message, scroll to the very bottom, and check the [Reason Code](htt ![example of an audit success](images/auditsuccess.png) *Example: event ID 6272 (Audit Success)*
    -‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. +‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one. -On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example: +On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example: ![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) -Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). +Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. -First, validate the type of EAP method being used: +First, validate the type of EAP method that's used: ![eap authentication type comparison](images/comparisontable.png) -If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section. +If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section. ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) -The CAPI2 event log will be useful for troubleshooting certificate-related issues. -This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**. +The CAPI2 event log is useful for troubleshooting certificate-related issues. +By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**. ![screenshot of event viewer](images/capi.png) -The following article explains how to analyze CAPI2 event logs: +For information about how to analyze CAPI2 event logs, see [Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29). -When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: +When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication: ![authenticator flow chart](images/authenticator_flow_chart.png) -If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: +If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples: ![client-side packet capture data](images/clientsidepacket_cap_data.png) *Client-side packet capture data*

    @@ -85,16 +85,16 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both ‎ > [!NOTE] -> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below. +> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example: ![ETL parse](images/etl.png) ## Audit policy -NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. +By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot. View the current audit policy settings by running the following command on the NPS server: -``` +```console auditpol /get /subcategory:"Network Policy Server" ``` @@ -106,13 +106,12 @@ Logon/Logoff Network Policy Server Success and Failure -If it shows ‘No auditing’, you can run this command to enable it: - -``` +If it says, "No auditing," you can run this command to enable it: +```console auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable ``` -Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**. +Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**. ## Additional references diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 5986263a1e..29e2d01d30 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -1,6 +1,6 @@ --- title: Advanced troubleshooting for Windows boot problems -description: Learn how to troubleshoot when Windows is unable to boot +description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals. ms.prod: w10 ms.sitesec: library author: dansimp @@ -220,6 +220,9 @@ If Windows cannot load the system registry hive into memory, you must restore th If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. +> [!NOTE] +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). + ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: @@ -392,3 +395,6 @@ If the dump file shows an error that is related to a driver (for example, window 3. Navigate to C:\Windows\System32\Config\. 4. Rename the all five hives by appending ".old" to the name. 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. + +> [!NOTE] +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](https://support.microsoft.com/en-us/help/4509719/the-system-registry-is-no-longer-backed-up-to-the-regback-folder-start). diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index c04dae805a..ce50bd2b54 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -2,7 +2,7 @@ title: Advanced Troubleshooting Wireless Network Connectivity ms.reviewer: manager: dansimp -description: Learn how troubleshooting of establishing Wi-Fi connections +description: Learn how to troubleshoot Wi-Fi connections. Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi ms.prod: w10 ms.mktglfcycl: diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md index ee8a044508..69fa51d4e4 100644 --- a/windows/client-management/change-default-removal-policy-external-storage-media.md +++ b/windows/client-management/change-default-removal-policy-external-storage-media.md @@ -4,10 +4,11 @@ description: In Windows 10, version 1809, the default removal policy for externa ms.prod: w10 author: Teresa-Motiv ms.author: v-tea -ms.date: 12/13/2019 +ms.date: 11/25/2020 ms.topic: article ms.custom: - CI 111493 +- CI 125140 - CSSTroubleshooting audience: ITPro ms.localizationpriority: medium @@ -44,6 +45,13 @@ To change the policy for an external storage device: ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) -6. Select **Policies**, and then select the policy you want to use. +6. Select **Policies**. + + > [!NOTE] + > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. + > + > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. + +7. Select the policy that you want to use. ![Policy options for disk management](./images/change-def-rem-policy-2.png) diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index fa3febbd0f..3c7c213761 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -1,6 +1,6 @@ --- title: Change history for Client management (Windows 10) -description: View changes to documentation for client management in Windows 10. +description: Learn about new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. keywords: ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 9478b21555..3e360929de 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -22,76 +22,65 @@ ms.topic: article - Windows 10 -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). +From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). ![Remote Desktop Connection client](images/rdp.png) -> [!TIP] -> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics) - ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. -- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported. +- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. - On the PC you want to connect to: + 1. Open system properties for the remote PC. + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer](images/allow-rdp.png) + ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: + + - Adding users manually + + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: + ```powershell + net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" + ``` + where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > [!NOTE] - > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: - > ```PowerShell - > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - > ``` - > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > - > This command only works for AADJ device users already added to any of the local groups (administrators). - > Otherwise this command throws the below error. For example: - > - for cloud only user: "There is no such global user or group : *name*" - > - for synced user: "There is no such global user or group : *name*"
    - > - > In Windows 10, version 1709, the user does not have to sign in to the remote device first. - > - > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + This command only works for AADJ device users already added to any of the local groups (administrators). + Otherwise this command throws the below error. For example: + - for cloud only user: "There is no such global user or group : *name*" + - for synced user: "There is no such global user or group : *name*"
    - 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + > [!NOTE] + > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections. + > + > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. + - Adding users using policy + + Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). -> [!Note] -> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). + > [!TIP] + > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. + + > [!NOTE] + > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). ## Supported configurations -In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following: +The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC: -- Password -- Smartcards -- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager. +| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device | +| - | - | - | - | +| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above | +| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust | -In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following: - -- Password -- Smartcards -- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription. - -In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following: - -- Password -- Smartcards -- Windows Hello for Business, with or without an MDM subscription. - -In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following: - -- Password -- Windows Hello for Business, with or without an MDM subscription. > [!NOTE] > If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). @@ -99,4 +88,3 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC ## Related topics [How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop) - diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index ffd1c9d266..694a7e8b07 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", @@ -45,7 +46,17 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Windows Client Management" + "titleSuffix": "Windows Client Management", + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "jborsecnik", + "tiburd", + "garycentric" + ], + "searchScope": ["Windows 10"] }, "fileMetadata": {}, "template": [], diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index 52a10357c5..835007dc33 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -1,6 +1,6 @@ --- title: Generate a kernel or complete crash dump -description: Learn how to generate a kernel or complete crash dump. +description: Learn how to generate a kernel or complete crash dump, and then use the output to troubleshoot several issues. ms.prod: w10 ms.sitesec: library ms.topic: troubleshooting diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/images/quick-assist-flow.png new file mode 100644 index 0000000000..5c1d83741f Binary files /dev/null and b/windows/client-management/images/quick-assist-flow.png differ diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md index dbcd186131..b1077e5be6 100644 --- a/windows/client-management/img-boot-sequence.md +++ b/windows/client-management/img-boot-sequence.md @@ -1,6 +1,6 @@ --- title: Boot sequence flowchart -description: A full-sized view of the boot sequence flowchart. +description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article. ms.date: 11/16/2018 ms.reviewer: manager: dansimp diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 2f12bd900f..b1964db01a 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -1,6 +1,6 @@ --- title: Introduction to the page file -description: Learn about the page files in Windows. +description: Learn about the page files in Windows. A page file is an optional, hidden system file on a hard disk. ms.prod: w10 ms.sitesec: library ms.topic: troubleshooting diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index 97ea145013..2950a6c6d9 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -1,6 +1,6 @@ --- title: Manage the Settings app with Group Policy (Windows 10) -description: Find out how to manage the Settings app with Group Policy. +description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -19,13 +19,13 @@ ms.topic: article - Windows 10, Windows Server 2016 -You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. -To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. +You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. >[!Note] >Each server that you want to manage access to the Settings App must be patched. -To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. +If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra). This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app. @@ -39,7 +39,7 @@ Policy paths: ## Configuring the Group Policy -The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). >[!NOTE] > When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 45de1ade9b..f4a048f445 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -53,7 +53,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: -- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune). +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/). - Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). @@ -69,7 +69,7 @@ You can envision user and device management as falling into these two categories - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
    Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
    Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device. @@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de ## Related topics -- [What is Intune?](https://docs.microsoft.com/intune/introduction-intune) +- [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune) - [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) - [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 476d73c694..3675333e76 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -1,5 +1,6 @@ # [Mobile device management](index.md) ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md) +### [Change history for MDM documentation](change-history-for-mdm-documentation.md) ## [Mobile device enrollment](mobile-device-enrollment.md) ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) #### [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md) @@ -159,18 +160,120 @@ #### [Personalization DDF file](personalization-ddf.md) ### [Policy CSP](policy-configuration-service-provider.md) #### [Policy DDF file](policy-ddf-file.md) -#### [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md) -#### [ADMX-backed policy CSPs](policy-csps-admx-backed.md) -#### [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md) -#### [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) -#### [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) -#### [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) -#### [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) -#### [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) +#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md) +#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) +#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) +#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) +#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) +#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) #### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md) #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md) +#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) +#### [ADMX_AppCompat](policy-csp-admx-appcompat.md) +#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md) +#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md) +#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md) +#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +#### [ADMX_Bits](policy-csp-admx-bits.md) +#### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) +#### [ADMX_COM](policy-csp-admx-com.md) +#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md) +#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md) +#### [ADMX_Cpls](policy-csp-admx-cpls.md) +#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md) +#### [ADMX_CredSsp](policy-csp-admx-credssp.md) +#### [ADMX_CredUI](policy-csp-admx-credui.md) +#### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md) +#### [ADMX_DataCollection](policy-csp-admx-datacollection.md) +#### [ADMX_Desktop](policy-csp-admx-desktop.md) +#### [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md) +#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md) +#### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md) +#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) +#### [ADMX_DWM](policy-csp-admx-dwm.md) +#### [ADMX_EAIME](policy-csp-admx-eaime.md) +#### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md) +#### [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md) +#### [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md) +#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) +#### [ADMX_EventLog](policy-csp-admx-eventlog.md) +#### [ADMX_Explorer](policy-csp-admx-explorer.md) +#### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) +#### [ADMX_FileSys](policy-csp-admx-filesys.md) +#### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) +#### [ADMX_Globalization](policy-csp-admx-globalization.md) +#### [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md) +#### [ADMX_Help](policy-csp-admx-help.md) +#### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md) +#### [ADMX_ICM](policy-csp-admx-icm.md) +#### [ADMX_kdc](policy-csp-admx-kdc.md) +#### [ADMX_Kerberos](policy-csp-admx-kerberos.md) +#### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md) +#### [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md) +#### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md) +#### [ADMX_Logon](policy-csp-admx-logon.md) +#### [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md) +#### [ADMX_MMC](policy-csp-admx-mmc.md) +#### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md) +#### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md) +#### [ADMX_msched](policy-csp-admx-msched.md) +#### [ADMX_MSDT](policy-csp-admx-msdt.md) +#### [ADMX_MSI](policy-csp-admx-msi.md) +#### [ADMX_nca](policy-csp-admx-nca.md) +#### [ADMX_NCSI](policy-csp-admx-ncsi.md) +#### [ADMX_Netlogon](policy-csp-admx-netlogon.md) +#### [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md) +#### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) +#### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) +#### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +#### [ADMX_Power](policy-csp-admx-power.md) +#### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) +#### [ADMX_Printing](policy-csp-admx-printing.md) +#### [ADMX_Printing2](policy-csp-admx-printing2.md) +#### [ADMX_Programs](policy-csp-admx-programs.md) +#### [ADMX_Reliability](policy-csp-admx-reliability.md) +#### [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md) +#### [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md) +#### [ADMX_RPC](policy-csp-admx-rpc.md) +#### [ADMX_Scripts](policy-csp-admx-scripts.md) +#### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) +#### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) +#### [ADMX_Sensors](policy-csp-admx-sensors.md) +#### [ADMX_Servicing](policy-csp-admx-servicing.md) +#### [ADMX_SettingSync](policy-csp-admx-settingsync.md) +#### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) +#### [ADMX_Sharing](policy-csp-admx-sharing.md) +#### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) +#### [ADMX_SkyDrive](policy-csp-admx-skydrive.md) +#### [ADMX_Smartcard](policy-csp-admx-smartcard.md) +#### [ADMX_Snmp](policy-csp-admx-snmp.md) +#### [ADMX_StartMenu](policy-csp-admx-startmenu.md) +#### [ADMX_SystemRestore](policy-csp-admx-systemrestore.md) +#### [ADMX_Taskbar](policy-csp-admx-taskbar.md) +#### [ADMX_tcpip](policy-csp-admx-tcpip.md) +#### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) +#### [ADMX_TPM](policy-csp-admx-tpm.md) +#### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) +#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md) +#### [ADMX_W32Time](policy-csp-admx-w32time.md) +#### [ADMX_WCM](policy-csp-admx-wcm.md) +#### [ADMX_WinCal](policy-csp-admx-wincal.md) +#### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) +#### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) +#### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) +#### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md) +#### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) +#### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_WinLogon](policy-csp-admx-winlogon.md) +#### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) +#### [ADMX_WPN](policy-csp-admx-wpn.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) @@ -179,7 +282,7 @@ #### [Audit](policy-csp-audit.md) #### [Authentication](policy-csp-authentication.md) #### [Autoplay](policy-csp-autoplay.md) -#### [Bitlocker](policy-csp-bitlocker.md) +#### [BitLocker](policy-csp-bitlocker.md) #### [BITS](policy-csp-bits.md) #### [Bluetooth](policy-csp-bluetooth.md) #### [Browser](policy-csp-browser.md) @@ -217,11 +320,14 @@ #### [LanmanWorkstation](policy-csp-lanmanworkstation.md) #### [Licensing](policy-csp-licensing.md) #### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md) #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) #### [Messaging](policy-csp-messaging.md) +#### [MixedReality](policy-csp-mixedreality.md) #### [MSSecurityGuide](policy-csp-mssecurityguide.md) #### [MSSLegacy](policy-csp-msslegacy.md) +#### [Multitasking](policy-csp-multitasking.md) #### [NetworkIsolation](policy-csp-networkisolation.md) #### [Notifications](policy-csp-notifications.md) #### [Power](policy-csp-power.md) @@ -256,6 +362,7 @@ #### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) #### [WindowsLogon](policy-csp-windowslogon.md) #### [WindowsPowerShell](policy-csp-windowspowershell.md) +#### [WindowsSandbox](policy-csp-windowssandbox.md) #### [WirelessDisplay](policy-csp-wirelessdisplay.md) ### [PolicyManager CSP](policymanager-csp.md) ### [Provisioning CSP](provisioning-csp.md) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 7a9545e09a..455f749b5b 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -52,6 +52,7 @@ This node specifies the username for a new local user account. This setting can This node specifies the password for a new local user account. This setting can be managed remotely. Supported operation is Add. +GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index c4a1538d53..c1b570d222 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -1,6 +1,6 @@ --- title: Accounts DDF file -description: XML file containing the device description framework for the Accounts configuration service provider. +description: XML file containing the device description framework (DDF) for the Accounts configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index e2f9441b9c..37f6157570 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -1,6 +1,6 @@ --- title: ActiveSync CSP -description: ActiveSync CSP +description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 6e4c1c5000..1b1ae61c78 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -1,6 +1,6 @@ --- title: ActiveSync DDF file -description: ActiveSync DDF file +description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider. ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index 2c8cfbc647..4ad36bbd99 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: AllJoynManagement DDF -description: Learn the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. +description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider. ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index d4fe92e943..69a0b61ca3 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md @@ -1,6 +1,6 @@ --- title: APPLICATION configuration service provider -description: APPLICATION configuration service provider +description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning. ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index ea0defab04..2c64c89cd9 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.technology: windows author: ManikaDhiman ms.reviewer: jsuther1974 -ms.date: 05/21/2019 +ms.date: 09/10/2020 --- # ApplicationControl CSP @@ -266,7 +266,7 @@ The following is an example of Delete command: ## PowerShell and WMI Bridge Usage Guidance -The ApplicationControl CSP can also be managed locally from PowerShell or via SCCM's task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). +The ApplicationControl CSP can also be managed locally from PowerShell or via Microsoft Endpoint Manager Configuration Manager's (MEMCM, formerly known as SCCM) task sequence scripting by leveraging the [WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). ### Setup for using the WMI Bridge diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 4fe03939a0..9904301173 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -1,6 +1,6 @@ --- title: AppLocker CSP -description: AppLocker CSP +description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed. ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F ms.reviewer: manager: dansimp @@ -35,7 +35,7 @@ Defines restrictions for applications. > Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. > [!NOTE] -> Deploying policies via the AppLocker CSP will force a reboot during OOBE. +> The AppLocker CSP will schedule a reboot when a policy is applied or a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI. Additional information: @@ -484,7 +484,7 @@ The following list shows the apps that may be included in the inbox.
Colour profileColor profile b08997ca-60ab-4dce-b088-f92e9c7994f3
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index 706b102207..61ff7e767b 100644 --- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md @@ -1,24 +1,29 @@ --- title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal +description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: lomayor -ms.date: 01/17/2018 +ms.date: 12/18/2020 ms.reviewer: manager: dansimp --- # Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal -Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade +> [!NOTE] +> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com). + +1. Go to your Azure AD Blade. +2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. +3. Select **Microsoft Intune** and configure the blade. ![How to get to the Blade](images/azure-mdm-intune.png) -Configure the Blade +Configure the blade ![Configure the Blade](images/azure-intune-configure-scope.png) -Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users. +You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index b84c02e4e8..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -1,6 +1,6 @@ --- title: BitLocker CSP -description: BitLocker CSP +description: Learn how the BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml @@ -1126,12 +1130,12 @@ Supported values: |-----|------------| | 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.| | 1 |The encryption method of the OS volume doesn't match the BitLocker policy.| -| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| +| 2 |The OS volume is unprotected.| | 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.| | 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.| | 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.| | 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.| -| 7 |The OS volume is unprotected.| +| 7 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.| | 8 |Recovery key backup failed.| | 9 |A fixed drive is unprotected.| | 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.| diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index edf7ea7a4b..693a48b687 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -1,6 +1,6 @@ --- title: BitLocker DDF file -description: BitLocker DDF file +description: Learn about the OMA DM device description framework (DDF) for the BitLocker configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index 00e4fe59b5..2381889266 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -1,6 +1,6 @@ --- title: BOOTSTRAP CSP -description: Use the BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device. +description: Use the BOOTSTRAP configuration service provider to set the Trusted Provisioning Server (TPS) for the device. ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 9e1c5633df..908672c4ef 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -1,6 +1,6 @@ --- title: BrowserFavorite CSP -description: BrowserFavorite CSP +description: Learn how the BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device. ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 2818c2e55f..c0c9fdf44c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console. +> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index edb5e3bdfa..953ddf78ae 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -1,6 +1,6 @@ --- title: CellularSettings CSP -description: CellularSettings CSP +description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device. ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index f6b0b2998b..0db0669275 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -1,6 +1,6 @@ --- title: Certificate Renewal -description: Find all the resources needed to provide continuous access to client certificates. +description: Learn how to find all the resources that you need to provide continuous access to client certificates. MS-HAID: - 'p\_phdevicemgmt.certificate\_renewal' - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md new file mode 100644 index 0000000000..556ff58e7a --- /dev/null +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -0,0 +1,1085 @@ +--- +title: Change history for MDM documentation +description: This article lists new and updated articles for Mobile Device Management. +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/19/2020 +--- + +# Change history for Mobile Device Management documentation + +This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues are not listed. + +## November 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | +| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode | + +## October 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Update/DisableWUfBSafeguards](policy-csp-update.md#update-disablewufbsafeguards)
- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)
- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) | + +## September 2020 + +|New or updated article | Description| +|--- | ---| +|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.| +|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
- RecoveryConsole_AllowAutomaticAdministrativeLogon
- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- DomainMember_DisableMachineAccountPasswordChanges
- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
| + +## August 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
| + +## July 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing


Updated the following policy setting:
- System/AllowCommercialDataPipeline
| + +## June 2020 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.| +|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:
EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.| + +## May 2020 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. + +## February 2020 + +|New or updated article | Description| +|--- | ---| +|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.| + +## January 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.| + +## November 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.| +|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.| + +## October 2019 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:
ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.| +|[Defender CSP](defender-csp.md)|Added the following new nodes:
Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.| + +## September 2019 + +|New or updated article | Description| +|--- | ---| +|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:
IsStub.| +|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.| +|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| + +## August 2019 + +|New or updated article | Description| +|--- | ---| +|[DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| + +## July 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following list:
Policies supported by HoloLens 2| +|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| +|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin| +|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| +|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider.| + +## June 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)|Added the following new policies:
AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.| +|[Policy CSP - TimeLanguageSettings](policy-csp-timelanguagesettings.md)|Added the following new policy:
ConfigureTimeZone.| + +## May 2019 + +|New or updated article | Description| +|--- | ---| +|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| +|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

Updated description of the following policies:
DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| +|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
ShowLockOnUserTile.| +|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| +|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| +|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
AllowFindMyFiles.| +|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
SvchostProcessMitigation.| +|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
AllowCommercialDataPipeline, TurnOffFileHistory.| +|[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:
AllowRecommendations.| +|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| +|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.

Removed the following policy:
SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.| + +## April 2019 + +| New or updated article | Description | +|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | +| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | + +## March 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Updated ADMX Info of the following policies:
AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold.

Updated description of ConfigStorageSenseDownloadsCleanupThreshold.| + +## February 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.| + +## January 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| +|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| +|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| + +## December 2018 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| + +## September 2018 + +|New or updated article | Description| +|--- | ---| +|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| +|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| + +## August 2018 + +
++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
BitLocker CSP

Added support for Windows 10 Pro starting in the version 1809.

+
Office CSP

Added FinalStatus setting in Windows 10, version 1809.

+
RemoteWipe CSP

Added new settings in Windows 10, version 1809.

+
TenantLockdown CSP

Added new CSP in Windows 10, version 1809.

+
WindowsDefenderApplicationGuard CSP

Added new settings in Windows 10, version 1809.

+
Policy DDF file

Posted an updated version of the Policy DDF for Windows 10, version 1809.

+
Policy CSP

Added the following new policies in Windows 10, version 1809:

+
    +
  • Browser/AllowFullScreenMode
    • +
  • Browser/AllowPrelaunch
    • +
  • Browser/AllowPrinting
    • +
  • Browser/AllowSavingHistory
    • +
  • Browser/AllowSideloadingOfExtensions
    • +
  • Browser/AllowTabPreloading
    • +
  • Browser/AllowWebContentOnNewTabPage
    • +
  • Browser/ConfigureFavoritesBar
    • +
  • Browser/ConfigureHomeButton
    • +
  • Browser/ConfigureKioskMode
    • +
  • Browser/ConfigureKioskResetAfterIdleTimeout
    • +
  • Browser/ConfigureOpenMicrosoftEdgeWith
    • +
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
    • +
  • Browser/PreventCertErrorOverrides
    • +
  • Browser/SetHomeButtonURL
    • +
  • Browser/SetNewTabPageURL
    • +
  • Browser/UnlockHomeButton
    • +
  • Experience/DoNotSyncBrowserSettings
    • +
  • Experience/PreventUsersFromTurningOnBrowserSyncing
    • +
  • Kerberos/UPNNameHints
    • +
  • Privacy/AllowCrossDeviceClipboard
    • +
  • Privacy/DisablePrivacyExperience
    • +
  • Privacy/UploadUserActivities
    • +
  • System/AllowDeviceNameInDiagnosticData
    • +
  • System/ConfigureMicrosoft365UploadEndpoint
    • +
  • System/DisableDeviceDelete
    • +
  • System/DisableDiagnosticDataViewer
    • +
  • Storage/RemovableDiskDenyWriteAccess
    • +
  • Update/UpdateNotificationLevel
    • +
+

Start/DisableContextMenus - added in Windows 10, version 1803.

+

RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.

+
+ +## July 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
AssignedAccess CSP

Added the following note:

+
    +
  • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
    • +
+
PassportForWork CSP

Added new settings in Windows 10, version 1809.

+
EnterpriseModernAppManagement CSP

Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

+
Win32CompatibilityAppraiser CSP

Added new configuration service provider in Windows 10, version 1809.

+
WindowsLicensing CSP

Added S mode settings and SyncML examples in Windows 10, version 1809.

+
SUPL CSP

Added 3 new certificate nodes in Windows 10, version 1809.

+
Defender CSP

Added a new node Health/ProductStatus in Windows 10, version 1809.

+
BitLocker CSP

Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

+
DevDetail CSP

Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

+
Policy CSP

Added the following new policies in Windows 10, version 1809:

+
    +
  • ApplicationManagement/LaunchAppAfterLogOn
    • +
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
    • +
  • Authentication/EnableFastFirstSignIn (Preview mode only)
    • +
  • Authentication/EnableWebSignIn (Preview mode only)
    • +
  • Authentication/PreferredAadTenantDomainName
    • +
  • Defender/CheckForSignaturesBeforeRunningScan
    • +
  • Defender/DisableCatchupFullScan
    • +
  • Defender/DisableCatchupQuickScan
    • +
  • Defender/EnableLowCPUPriority
    • +
  • Defender/SignatureUpdateFallbackOrder
    • +
  • Defender/SignatureUpdateFileSharesSources
    • +
  • DeviceGuard/ConfigureSystemGuardLaunch
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    • +
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
    • +
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    • +
  • DmaGuard/DeviceEnumerationPolicy
    • +
  • Experience/AllowClipboardHistory
    • +
  • Security/RecoveryEnvironmentAuthentication
    • +
  • TaskManager/AllowEndTask
    • +
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
    • +
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
    • +
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
    • +
  • WindowsLogon/DontDisplayNetworkSelectionUI
    • +
+

Recent changes:

+
    +
  • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.
    • +
+
+ +## June 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Wifi CSP

Added a new node WifiCost in Windows 10, version 1809.

+
Diagnose MDM failures in Windows 10

Recent changes:

+
    +
  • Added procedure for collecting logs remotely from Windows 10 Holographic.
    • +
  • Added procedure for downloading the MDM Diagnostic Information log.
    • +
+
BitLocker CSP

Added new node AllowStandardUserEncryption in Windows 10, version 1809.

+
Policy CSP

Recent changes:

+
    +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
    • +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
    • +
  • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
    • +
  • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
    • +
  • Security/RequireDeviceEncryption is supported in the Home SKU.
    • +
  • Start/StartLayout - added a table of SKU support information.
    • +
  • Start/ImportEdgeAssets - added a table of SKU support information.
    • +
+

Added the following new policies in Windows 10, version 1809:

+
    +
  • Update/EngagedRestartDeadlineForFeatureUpdates
    • +
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
    • +
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
    • +
  • Update/SetDisablePauseUXAccess
    • +
  • Update/SetDisableUXWUAccess
    • +
+
WiredNetwork CSPNew CSP added in Windows 10, version 1809. +
+ +## May 2018 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Policy DDF file

Updated the DDF files in the Windows 10 version 1703 and 1709.

+ +
+ +## April 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
WindowsDefenderApplicationGuard CSP

Added the following node in Windows 10, version 1803:

+
    +
  • Settings/AllowVirtualGPU
    • +
  • Settings/SaveFilesToHost
    • +
+
NetworkProxy CSP

Added the following node in Windows 10, version 1803:

+
    +
  • ProxySettingsPerUser
    • +
+
Accounts CSP

Added a new CSP in Windows 10, version 1803.

+
MDM Migration Analysis Tool (MMAT)

Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

+
CSP DDF files download

Added the DDF download of Windows 10, version 1803 configuration service providers.

+
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Bluetooth/AllowPromptedProximalConnections
    • +
  • KioskBrowser/EnableEndSessionButton
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
    • +
+
+ +## March 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
eUICCs CSP

Added the following node in Windows 10, version 1803:

+
    +
  • IsEnabled
    • +
+
DeviceStatus CSP

Added the following node in Windows 10, version 1803:

+
    +
  • OS/Mode
    • +
+
Understanding ADMX-backed policies

Added the following videos:

+ +
AccountManagement CSP

Added a new CSP in Windows 10, version 1803.

+
RootCATrustedCertificates CSP

Added the following node in Windows 10, version 1803:

+
    +
  • UntrustedCertificates
    • +
+
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • ApplicationDefaults/EnableAppUriHandlers
    • +
  • ApplicationManagement/MSIAllowUserControlOverInstall
    • +
  • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
    • +
  • Connectivity/AllowPhonePCLinking
    • +
  • Notifications/DisallowCloudNotification
    • +
  • Notifications/DisallowTileNotification
    • +
  • RestrictedGroups/ConfigureGroupMembership
    • +
+

The following existing policies were updated:

+
    +
  • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
    • +
  • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
    • +
  • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.
    • +
+

Added a new section:

+ +
Policy CSP - Bluetooth

Added new section ServicesAllowedList usage guide.

+
MultiSIM CSP

Added SyncML examples and updated the settings descriptions.

+
RemoteWipe CSP

Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

+
+ +## February 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Display/DisablePerProcessDpiForApps
    • +
  • Display/EnablePerProcessDpi
    • +
  • Display/EnablePerProcessDpiForApps
    • +
  • Experience/AllowWindowsSpotlightOnSettings
    • +
  • TextInput/ForceTouchKeyboardDockedState
    • +
  • TextInput/TouchKeyboardDictationButtonAvailability
    • +
  • TextInput/TouchKeyboardEmojiButtonAvailability
    • +
  • TextInput/TouchKeyboardFullModeAvailability
    • +
  • TextInput/TouchKeyboardHandwritingModeAvailability
    • +
  • TextInput/TouchKeyboardNarrowModeAvailability
    • +
  • TextInput/TouchKeyboardSplitModeAvailability
    • +
  • TextInput/TouchKeyboardWideModeAvailability
    • +
      +
VPNv2 ProfileXML XSD

Updated the XSD and Plug-in profile example for VPNv2 CSP.

+
AssignedAccess CSP

Added the following nodes in Windows 10, version 1803:

+
    +
  • Status
    • +
  • ShellLauncher
    • +
  • StatusConfiguration
    • +
+

Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.

+
MultiSIM CSP

Added a new CSP in Windows 10, version 1803.

+
EnterpriseModernAppManagement CSP

Added the following node in Windows 10, version 1803:

+
    +
  • MaintainProcessorArchitectureOnUpdate
    • +
+
+ +## January 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Browser/AllowConfigurationUpdateForBooksLibrary
    • +
  • Browser/AlwaysEnableBooksLibrary
    • +
  • Browser/EnableExtendedBooksTelemetry
    • +
  • Browser/UseSharedFolderForBooks
    • +
  • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    • +
  • DeliveryOptimization/DODelayForegroundDownloadFromHttp
    • +
  • DeliveryOptimization/DOGroupIdSource
    • +
  • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
    • +
  • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
    • +
  • DeliveryOptimization/DORestrictPeerSelectionBy
    • +
  • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
    • +
  • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
    • +
  • KioskBrowser/BlockedUrlExceptions
    • +
  • KioskBrowser/BlockedUrls
    • +
  • KioskBrowser/DefaultURL
    • +
  • KioskBrowser/EnableHomeButton
    • +
  • KioskBrowser/EnableNavigationButtons
    • +
  • KioskBrowser/RestartOnIdleTime
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • +
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • +
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • +
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • +
  • RestrictedGroups/ConfigureGroupMembership
    • +
  • Search/AllowCortanaInAAD
    • +
  • Search/DoNotUseWebResults
    • +
  • Security/ConfigureWindowsPasswords
    • +
  • System/FeedbackHubAlwaysSaveDiagnosticsLocally
    • +
  • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
    • +
  • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
    • +
  • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
    • +
  • TaskScheduler/EnableXboxGameSaveTask
    • +
  • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
    • +
  • Update/ConfigureFeatureUpdateUninstallPeriod
    • +
  • UserRights/AccessCredentialManagerAsTrustedCaller
    • +
  • UserRights/AccessFromNetwork
    • +
  • UserRights/ActAsPartOfTheOperatingSystem
    • +
  • UserRights/AllowLocalLogOn
    • +
  • UserRights/BackupFilesAndDirectories
    • +
  • UserRights/ChangeSystemTime
    • +
  • UserRights/CreateGlobalObjects
    • +
  • UserRights/CreatePageFile
    • +
  • UserRights/CreatePermanentSharedObjects
    • +
  • UserRights/CreateSymbolicLinks
    • +
  • UserRights/CreateToken
    • +
  • UserRights/DebugPrograms
    • +
  • UserRights/DenyAccessFromNetwork
    • +
  • UserRights/DenyLocalLogOn
    • +
  • UserRights/DenyRemoteDesktopServicesLogOn
    • +
  • UserRights/EnableDelegation
    • +
  • UserRights/GenerateSecurityAudits
    • +
  • UserRights/ImpersonateClient
    • +
  • UserRights/IncreaseSchedulingPriority
    • +
  • UserRights/LoadUnloadDeviceDrivers
    • +
  • UserRights/LockMemory
    • +
  • UserRights/ManageAuditingAndSecurityLog
    • +
  • UserRights/ManageVolume
    • +
  • UserRights/ModifyFirmwareEnvironment
    • +
  • UserRights/ModifyObjectLabel
    • +
  • UserRights/ProfileSingleProcess
    • +
  • UserRights/RemoteShutdown
    • +
  • UserRights/RestoreFilesAndDirectories
    • +
  • UserRights/TakeOwnership
    • +
  • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • +
  • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • +
  • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • +
  • WindowsDefenderSecurityCenter/HideSecureBoot
    • +
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • +
+

Added the following policies the were added in Windows 10, version 1709

+
    +
  • DeviceLock/MinimumPasswordAge
    • +
  • Settings/AllowOnlineTips
    • +
  • System/DisableEnterpriseAuthProxy
    • +
+

Security/RequireDeviceEncryption - updated to show it is supported in desktop.

+
BitLocker CSP

Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

+
EnterpriseModernAppManagement CSP

Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

+
DMClient CSP

Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

+
    +
  • AADSendDeviceToken
    • +
  • BlockInStatusPage
    • +
  • AllowCollectLogsButton
    • +
  • CustomErrorText
    • +
  • SkipDeviceStatusPage
    • +
  • SkipUserStatusPage
    • +
+
Defender CSP

Added new node (OfflineScan) in Windows 10, version 1803.

+
UEFI CSP

Added a new CSP in Windows 10, version 1803.

+
Update CSP

Added the following nodes in Windows 10, version 1803:

+
    +
  • Rollback
    • +
  • Rollback/FeatureUpdate
    • +
  • Rollback/QualityUpdateStatus
    • +
  • Rollback/FeatureUpdateStatus
    • +
+
+ +## December 2017 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Configuration service provider reference

Added new section CSP DDF files download

+
+ +## November 2017 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following policies for Windows 10, version 1709:

+
    +
  • Authentication/AllowFidoDeviceSignon
    • +
  • Cellular/LetAppsAccessCellularData
    • +
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    • +
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    • +
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    • +
  • Start/HidePeopleBar
    • +
  • Storage/EnhancedStorageDevices
    • +
  • Update/ManagePreviewBuilds
    • +
  • WirelessDisplay/AllowMdnsAdvertisement
    • +
  • WirelessDisplay/AllowMdnsDiscovery
    • +
+

Added missing policies from previous releases:

+
    +
  • Connectivity/DisallowNetworkConnectivityActiveTest
    • +
  • Search/AllowWindowsIndexer
    • +
+
+ +## October 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy DDF file

Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

+
Policy CSP

Updated the following policies:

+
    +
  • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
    • +
  • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    • +
+
eUICCs CSP

Added new CSP in Windows 10, version 1709.

+
AssignedAccess CSP

Added SyncML examples for the new Configuration node.

+
DMClient CSP

Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

+
+ +## September 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1709:

+
    +
  • Authentication/AllowAadPasswordReset
    • +
  • Handwriting/PanelDefaultModeDocked
    • +
  • Search/AllowCloudSearch
    • +
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics
    • +
+

Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

+
AssignedAccess CSP

Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

+
Microsoft Store for Business and Microsoft Store

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

+
The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

+
    +
  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
    • +
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
    • +
  • DomainName - fully qualified domain name if the device is domain-joined.
    • +
+

For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

+
EnterpriseAPN CSP

Added a SyncML example.

+
VPNv2 CSP

Added RegisterDNS setting in Windows 10, version 1709.

+
Enroll a Windows 10 device automatically using Group Policy

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

+
MDM enrollment of Windows-based devices

New features in the Settings app:

+
    +
  • User sees installation progress of critical policies during MDM enrollment.
    • +
  • User knows what policies, profiles, apps MDM has configured
    • +
  • IT helpdesk can get detailed MDM diagnostic information using client tools
    • +
+

For details, see Managing connections and Collecting diagnostic logs

+
+ +## August 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Enable ADMX-backed policies in MDM

Added new step-by-step guide to enable ADMX-backed policies.

+
Mobile device enrollment

Added the following statement:

+
    +
  • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
    • +
+
CM_CellularEntries CSP

Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

+
EnterpriseDataProtection CSP

Updated the Settings/EDPEnforcementLevel values to the following:

+
    +
  • 0 (default) – Off / No protection (decrypts previously protected data).
    • +
  • 1 – Silent mode (encrypt and audit only).
    • +
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
    • +
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • +
+
AppLocker CSP

Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

+
DeviceManageability CSP

Added the following settings in Windows 10, version 1709:

+
    +
  • Provider/ProviderID/ConfigInfo
    • +
  • Provider/ProviderID/EnrollmentInfo
    • +
+
Office CSP

Added the following setting in Windows 10, version 1709:

+
    +
  • Installation/CurrentStatus
    • +
+
BitLocker CSPAdded information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +
Firewall CSPUpdated the CSP and DDF topics. Here are the changes: +
    +
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
    • +
  • Changed some data types from integer to bool.
    • +
  • Updated the list of supported operations for some settings.
    • +
  • Added default values.
    • +
+
Policy DDF fileAdded another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies: +
    +
  • Browser/AllowMicrosoftCompatibilityList
    • +
  • Update/DisableDualScan
    • +
  • Update/FillEmptyContentUrls
    • +
+
Policy CSP

Added the following new policies for Windows 10, version 1709:

+
    +
  • Browser/ProvisionFavorites
    • +
  • Browser/LockdownFavorites
    • +
  • ExploitGuard/ExploitProtectionSettings
    • +
  • Games/AllowAdvancedGamingServices
    • +
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
  • Privacy/EnableActivityFeed
    • +
  • Privacy/PublishUserActivities
    • +
  • Update/DisableDualScan
    • +
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • +
+

Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

+

Changed the names of the following policies:

+
    +
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
    • +
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
    • +
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
    • +
+

Added links to the additional ADMX-backed BitLocker policies.

+

There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

+
    +
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
    • +
  • Start/HideAppList
    • +
+
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 8601f82b20..ed787a3b0f 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -1,6 +1,6 @@ --- title: ClientCertificateInstall DDF file -description: ClientCertificateInstall DDF file +description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider. ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 02f2910d16..5063181c3f 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -1,6 +1,6 @@ --- title: CM\_CellularEntries CSP -description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP. +description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP. ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 828700b85a..816b5c188b 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -1,6 +1,6 @@ --- title: CM\_ProxyEntries CSP -description: Configure proxy connections on mobile devices using CM\_ProxyEntries CSP. +description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device. ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 08d0040594..df773dcb43 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -1,6 +1,6 @@ --- title: CMPolicyEnterprise CSP -description: CMPolicyEnterprise CSP +description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request. ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md index 1eb4a02627..5c1c136c23 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md @@ -1,6 +1,6 @@ --- title: CMPolicyEnterprise DDF file -description: CMPolicyEnterprise DDF file +description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider. ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index fb69460ed8..dcf8eec173 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 06/03/2020 +ms.date: 09/18/2020 --- # Configuration service provider reference @@ -1108,7 +1108,8 @@ Additional lists: Mobile Enterprise - check mark + check mark +Only for mobile application management (MAM) check mark check mark @@ -1556,13 +1557,13 @@ Additional lists: Mobile Enterprise - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark - cross mark + check mark + check mark + check mark + check mark + check mark + check mark + check mark @@ -2727,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices: | [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [DMClient CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 8| @@ -2736,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices: | [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 4 | ![check mark](images/checkmark.png) | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) 10 | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [VPNv2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | | [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | @@ -2744,10 +2747,11 @@ The following list shows the CSPs supported in HoloLens devices: ## CSPs supported in Microsoft Surface Hub -- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**. +- [Accounts CSP](accounts-csp.md)9 + > [!NOTE] + > Support in Surface Hub is limited to **Domain\ComputerName**. - [AccountManagement CSP](accountmanagement-csp.md) - [APPLICATION CSP](application-csp.md) -- [Bitlocker-CSP](bitlocker-csp.md)9 - [CertificateStore CSP](certificatestore-csp.md) - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) - [Defender CSP](defender-csp.md) @@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices: - 7 - Added in Windows 10, version 1909. - 8 - Added in Windows 10, version 2004. - 9 - Added in Windows 10 Team 2020 Update +- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2) diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 05add93e6a..17b165ed51 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -1,6 +1,6 @@ --- title: CustomDeviceUI CSP -description: CustomDeviceUI CSP +description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 12b590ef8c..7623b155f2 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -1,6 +1,6 @@ --- title: CustomDeviceUI DDF -description: CustomDeviceUI DDF +description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index cb96fa1fb1..37205534c5 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,6 +1,6 @@ --- title: Defender CSP -description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. +description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C ms.reviewer: manager: dansimp @@ -390,6 +390,26 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +**Configuration/DisableLocalAdminMerge**
+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. + +If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. + +If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. + +> [!NOTE] +> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. + +Supported OS versions: Windows 10 + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 508d2f5d0d..a63f4dec92 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -1,6 +1,6 @@ --- title: Defender DDF file -description: See how the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used. +description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 285d96ddf8..11ab51bf9e 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -1,6 +1,6 @@ --- title: DevDetail CSP -description: DevDetail CSP +description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 0ab07220b6..25be11c21b 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,6 +1,6 @@ --- title: DevDetail DDF file -description: DevDetail DDF file +description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 09d6af05e4..f24564545c 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -1,6 +1,6 @@ --- title: DeviceInstanceService CSP -description: DeviceInstanceService CSP +description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise. ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 246408076e..cef65071ec 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -1,6 +1,6 @@ --- title: DeviceLock CSP -description: DeviceLock CSP +description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies. ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 545ebcdb9b..eb63ef11fe 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -1,6 +1,6 @@ --- title: DeviceLock DDF file -description: DeviceLock DDF file +description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP). ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 06e4d21323..6ab35ba018 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -36,9 +36,8 @@ Supported operation is Get. **DeviceStatus/CellularIdentities** Required. Node for queries on the SIM cards. -> **Note**  Multiple SIMs are supported. - - +>[!NOTE] +>Multiple SIMs are supported. **DeviceStatus/CellularIdentities/***IMEI* The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. @@ -107,7 +106,7 @@ Supported operation is Get. Node for the compliance query. **DeviceStatus/Compliance/EncryptionCompliance** -Boolean value that indicates compliance with the enterprise encryption policy. The value is one of the following: +Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following: - 0 - not encrypted - 1 - encrypted diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index b81a21b82e..aec2b4cc91 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -1,6 +1,6 @@ --- title: DevInfo DDF file -description: DevInfo DDF file +description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2f00912ad8..fb9c1a57d8 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -1,6 +1,6 @@ --- title: DiagnosticLog CSP -description: DiagnosticLog CSP +description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3 ms.reviewer: manager: dansimp @@ -199,8 +199,111 @@ A Get to the above URI will return the results of the data gathering for the las Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. -The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults. +### Making use of the uploaded data +The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + + Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +la--- 1/4/2021 2:45 PM 1 +la--- 1/4/2021 2:45 PM 2 +la--- 12/2/2020 6:27 PM 2701 results.xml +``` +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was HKLM\Software\Policies then folder `1` will contain the corresponding `export.reg` file. + +The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed. + +```xml + + 268b3056-8c15-47c6-a1bd-4bc257aef7b2 + HKLM\Software\Policies + %windir%\system32\netsh.exe wlan show profiles + +``` + +Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details. +```powershell +Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} +``` +This example produces output similar to the following: +``` +DirectiveNumber DirectiveHRESULT DirectiveInput +--------------- ---------------- -------------- + 1 0 HKLM\Software\Policies + 2 0 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall + 3 0 HKLM\Software\Microsoft\IntuneManagementExtension + 4 0 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall + 5 0 %windir%\system32\ipconfig.exe /all + 6 0 %windir%\system32\netsh.exe advfirewall show allprofiles + 7 0 %windir%\system32\netsh.exe advfirewall show global + 8 -2147024895 %windir%\system32\netsh.exe wlan show profiles +``` + +The next example extracts the zip archive into a customized flattened file structure. Each file name includes the directive number, HRESULT, and so on. This example could be customized to make different choices about what information to include in the file names and what formatting choices to make for special characters. + +```powershell +param( $DiagnosticArchiveZipPath = "C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip" ) + +#region Formatting Choices +$flatFileNameTemplate = '({0:D2}) ({3}) (0x{2:X8})' +$maxLengthForInputTextPassedToOutput = 80 +#endregion + +#region Create Output Folders and Expand Zip +$diagnosticArchiveTempUnzippedPath = $DiagnosticArchiveZipPath + "_expanded" +if(-not (Test-Path $diagnosticArchiveTempUnzippedPath)){mkdir $diagnosticArchiveTempUnzippedPath} +$reformattedArchivePath = $DiagnosticArchiveZipPath + "_formatted" +if(-not (Test-Path $reformattedArchivePath)){mkdir $reformattedArchivePath} +Expand-Archive -Path $DiagnosticArchiveZipPath -DestinationPath $diagnosticArchiveTempUnzippedPath +#endregion + +#region Discover and Move/rename Files +$resultElements = ([xml](Get-Content -Path (Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath "results.xml"))).Collection.ChildNodes | Foreach-Object{ $_ } +$n = 0 +foreach( $element in $resultElements ) +{ + $directiveNumber = $n + $n++ + if($element.Name -eq 'ID'){ continue } + $directiveType = $element.Name + $directiveStatus = [int]$element.Attributes.ItemOf('HRESULT').psbase.Value + $directiveUserInputRaw = $element.InnerText + $directiveUserInputFileNameCompatible = $directiveUserInputRaw -replace '[\\|/\[\]<>\:"\?\*%\.\s]','_' + $directiveUserInputTrimmed = $directiveUserInputFileNameCompatible.substring(0, [System.Math]::Min($maxLengthForInputTextPassedToOutput, $directiveUserInputFileNameCompatible.Length)) + $directiveSummaryString = $flatFileNameTemplate -f $directiveNumber,$directiveType,$directiveStatus,$directiveUserInputTrimmed + $directiveOutputFolder = Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath $directiveNumber + $directiveOutputFiles = Get-ChildItem -Path $directiveOutputFolder -File + foreach( $file in $directiveOutputFiles) + { + $leafSummaryString = $directiveSummaryString,$file.Name -join ' ' + Copy-Item $file.FullName -Destination (Join-Path -Path $reformattedArchivePath -ChildPath $leafSummaryString) + } +} +#endregion +Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse +``` +That example script produces a set of files similar to the following, which can be a useful view for an administrator interactively browsing the results without needing to navigate any sub-folders or refer to `results.xml` repeatedly: + +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z.zip_formatted | format-table Length,Name + + Length Name + ------ ---- + 46640 (01) (HKLM_Software_Policies) (0x00000000) export.reg + 203792 (02) (HKLM_Software_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 214902 (03) (HKLM_Software_Microsoft_IntuneManagementExtension) (0x00000000) export.reg + 212278 (04) (HKLM_SOFTWARE_WOW6432Node_Microsoft_Windows_CurrentVersion_Uninstall) (0x00000000) export.reg + 2400 (05) (_windir__system32_ipconfig_exe__all) (0x00000000) output.log + 2147 (06) (_windir__system32_netsh_exe_advfirewall_show_allprofiles) (0x00000000) output.log + 1043 (07) (_windir__system32_netsh_exe_advfirewall_show_global) (0x00000000) output.log + 59 (08) (_windir__system32_netsh_exe_wlan_show_profiles) (0x80070001) output.log + 1591 (09) (_windir__system32_ping_exe_-n_50_localhost) (0x00000000) output.log + 5192 (10) (_windir__system32_Dsregcmd_exe__status) (0x00000000) output.log +``` ## Policy area diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 8bedac1205..f635ed44c6 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -1,6 +1,6 @@ --- title: DiagnosticLog DDF -description: DiagnosticLog DDF +description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 3cb1682333..35fe6568b0 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -44,7 +44,8 @@ In Windows, after the user confirms the account deletion command and before the This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. -> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). +> [!NOTE] +> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).   The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. @@ -157,4 +158,3 @@ When the disconnection is completed, the user is notified that the device has be - diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index aa61f9d50b..4a45bf4eb2 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -1,6 +1,6 @@ --- title: DMAcc CSP -description: DMAcc CSP +description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 232f5672cd..b10dcad38a 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,6 +1,6 @@ --- title: DMAcc DDF file -description: DMAcc DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 9469f12408..6ed30e55f1 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -21,11 +21,15 @@ The following diagram shows the DMClient CSP in tree format. ![dmclient csp](images/provisioning-csp-dmclient-th2.png) + +**./Vendor/MSFT** +All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. + **DMClient** Root node for the CSP. **UpdateManagementServiceAddress** -For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. **HWDevID** Added in Windows 10, version 1703. Returns the hardware device ID. @@ -221,7 +225,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID. Supported operation is Get. **Provider/*ProviderID*/CommercialID** -Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.. +Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization. Supported operations are Add, Get, Replace, and Delete. @@ -265,7 +269,7 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer. **Provider/*ProviderID*/AADSendDeviceToken** -Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained. +Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained. Supported operations are Add, Delete, Get, and Replace. Value type is bool. diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 44ff431b60..c5ba87da90 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,6 +1,6 @@ --- title: DMClient DDF file -description: DMClient DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 2e1b590d91..b9ed5780d0 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -1,6 +1,6 @@ --- title: DMProcessConfigXMLFiltered function -description: Configures phone settings by using OMA Client Provisioning XML. +description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML. Search.Refinement.TopicID: 184 ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F ms.reviewer: diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index b395c7c3ba..65aeb1a961 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,6 +1,6 @@ --- title: DMSessionActions CSP -description: DMSessionActions CSP +description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index aef1210842..61b4b4754a 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -1,6 +1,6 @@ --- title: DMSessionActions DDF file -description: DMSessionActions DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index e7d55aedc0..b6fe50d931 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,6 +1,6 @@ --- title: DynamicManagement CSP -description: DynamicManagement CSP +description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 3439bf646a..2690fa4e23 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: DynamicManagement DDF file -description: DynamicManagement DDF file +description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP). ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index ddb14a8d3f..844fc1be39 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -1,6 +1,6 @@ --- title: EMAIL2 CSP -description: EMAIL2 CSP +description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index f24a64e3e3..4f11b5b64d 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -1,6 +1,6 @@ --- title: EMAIL2 DDF file -description: EMAIL2 DDF file +description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 1f420a71c4..d79b428c0e 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,6 +1,6 @@ --- title: Enable ADMX-backed policies in MDM -description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM. +description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM). ms.author: dansimp ms.topic: article ms.prod: w10 @@ -33,7 +33,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( ## Enable a policy > [!NOTE] -> See [Understanding ADMX-backed policy CSPs](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies). +> See [Understanding ADMX-backed policies in Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies). 1. Find the policy from the list [ADMX-backed policies](policy-csps-admx-backed.md). You need the following information listed in the policy description. - GP English name diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 7ef806784f..f4c951af17 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -138,10 +138,11 @@ There are two ways to retrieve this file from the device; one pre-GDR1 and one p 2. Set a baseline for this configuration item with a “dummy” value (such as zzz), and ensure that you do not remediate it. The dummy value is not set; it is only used for comparison. -3. After the report XML is sent to the device, Microsoft Endpoint Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +3. After the report XML is sent to the device, Microsoft Endpoint Manager displays a compliance log that contains the report information. The log can contain significant amount of data. 4. Parse this log for the report XML content. -For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Configuration Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-configuration-manager-logs). +For a step-by-step walkthrough, see [Retrieve a device update report using Microsoft Endpoint Manager logs](#retrieve-a-device-update-report-using-microsoft-endpoint-manager-logs). + **Post-GDR1: Retrieve the report xml file using an SD card** @@ -460,7 +461,7 @@ DownloadFiles $inputFile $downloadCache $localCacheURL ``` -## Retrieve a device update report using Microsoft Endpoint Configuration Manager logs +## Retrieve a device update report using Microsoft Endpoint Manager logs **For pre-GDR1 devices** Use this procedure for pre-GDR1 devices: diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index f45e20d377..08073b46d6 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,28 +1,28 @@ --- title: Enroll a Windows 10 device automatically using Group Policy -description: Enroll a Windows 10 device automatically using Group Policy +description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman ms.date: -ms.reviewer: +ms.reviewer: manager: dansimp --- # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. Requirements: - AD-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The enterprise has configured a mobile device management (MDM) service +- The on-premises AD must be [integrated with Azure AD (via Azure AD Connect)](https://docs.microsoft.com/azure/architecture/reference-architectures/identity/azure-ad) - The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) -- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. +- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information. > [!TIP] > For additional information, see the following topics: @@ -30,10 +30,10 @@ Requirements: > - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. > [!NOTE] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. @@ -42,13 +42,13 @@ In Windows 10, version 1709 or later, when the same policy is configured in GP a For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. ## Verify auto-enrollment requirements and settings -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. +To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: 1. Verify that the user who is going to enroll the device has a valid Intune license. ![Intune license verification](images/auto-enrollment-intune-license-verification.png) -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png) @@ -80,7 +80,7 @@ The following steps demonstrate required settings using the Intune service: ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png) -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. +7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully. 8. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight Portal (this is the Intune portal used before the Azure portal). @@ -95,32 +95,35 @@ This procedure is only for illustration purposes to show how the new auto-enroll Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured +- Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD 1. Run GPEdit.msc - Click Start, then in the text box type gpedit. + Click Start, then in the text box type gpedit. ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) 2. Under **Best match**, click **Edit group policy** to launch it. -3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. +3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. - ![MDM policies](images/autoenrollment-mdm-policies.png) + ![MDM policies](images/autoenrollment-mdm-policies.png) -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available. +4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use. - ![MDM autoenrollment policy](images/autoenrollment-policy.png) + > [!NOTE] + > **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported. + ![MDM autoenrollment policy](images/autoenrollment-policy.png) 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**. > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. + > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. > The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). @@ -149,11 +152,11 @@ Requirements: 2. Under **Best match**, click **Task Scheduler** to launch it. -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. @@ -161,37 +164,49 @@ Requirements: Requirements: - AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third party service provider) +- Enterprise has MDM service already configured (with Intune or a third-party service provider) - Enterprise AD must be integrated with Azure AD. - Ensure that PCs belong to same computer group. > [!IMPORTANT] > If you do not see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. -1. Download: - - - 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) - - - 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) - - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) - +1. Download: + + - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + + - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + + - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + + - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) + + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) + + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + 2. Install the package on the Domain Controller. - + 3. Navigate, depending on the version to the folder: - + - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - + - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - + - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** - + + - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** + + - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** + + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** + 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. - -5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. - + +5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. + If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. - + 6. Restart the Domain Controller for the policy to be available. This procedure will work for any future version as well. @@ -205,7 +220,7 @@ This procedure will work for any future version as well. 4. Filter using Security Groups. ## Troubleshoot auto-enrollment of devices -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. +Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. To collect Event Viewer logs: @@ -241,13 +256,13 @@ To collect Event Viewer logs: Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment. - If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. + If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required. One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen: ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png) - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. - A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot: + By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016. + A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot: ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png) diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index e70eed0ce5..98739efcb1 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -1,6 +1,6 @@ --- title: EnrollmentStatusTracking DDF -description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. +description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 319356f336..5e7af9b60d 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseAPN DDF -description: EnterpriseAPN DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP). ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 22445122ec..272f60f44f 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAppVManagement CSP -description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions). +description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 626981e0ff..8cf951cf55 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseAppVManagement DDF file -description: EnterpriseAppVManagement DDF file +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 2df97c9bf4..45d11904d5 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAssignedAccess CSP -description: Use the EnterpriseAssignedAccess CSP to configure custom layouts on a device. +description: Use the EnterpriseAssignedAccess configuration service provider (CSP) to configure custom layouts on a device. ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index 782bc735ed..24cadf3270 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseExt CSP -description: EnterpriseExt CSP +description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior. ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md index e30ceeb37f..4b3d4b0afd 100644 --- a/windows/client-management/mdm/enterpriseext-ddf.md +++ b/windows/client-management/mdm/enterpriseext-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseExt DDF -description: EnterpriseExt DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP). ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md index 997493aee9..7efb54af20 100644 --- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md +++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseExtFileSystem DDF -description: EnterpriseExtFileSystem DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP). ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 5384ce0168..77b6e72ff9 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseModernAppManagement CSP -description: EnterpriseModernAppManagement CSP +description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index aa2cdb680b..237000b2f0 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseModernAppManagement DDF -description: EnterpriseModernAppManagement DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). ms.assetid: ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index f7544b10a4..f8b15504cc 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -1,6 +1,6 @@ --- title: EnterpriseModernAppManagement XSD -description: Use the EnterpriseModernAppManagement XSD for set application parameters. +description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 9251f6a755..4f516e8c19 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -1,6 +1,6 @@ --- title: eSIM Enterprise Management -description: Managing eSIM devices in an enterprise +description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. keywords: eSIM enterprise management ms.prod: w10 ms.mktglfcycl: @@ -12,15 +12,17 @@ ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: +The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. + If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution - MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. +**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 43626310a0..1f42e3e43d 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,6 +1,6 @@ --- title: eUICCs CSP -description: eUICCs CSP +description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 3f3e71df8d..38bb8e5f6f 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -1,6 +1,6 @@ --- title: eUICCs DDF file -description: eUICCs DDF file +description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 653b03b527..12547591ba 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -1,6 +1,6 @@ --- title: FileSystem CSP -description: FileSystem CSP +description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541 ms.reviewer: manager: dansimp @@ -14,41 +14,38 @@ ms.date: 06/26/2017 # FileSystem CSP - The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. -> **Note**  FileSystem CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. +> [!NOTE] +> FileSystem CSP is only supported in Windows 10 Mobile. - +> [!NOTE] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. ![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) -**FileSystem** +**FileSystem** Required. Defines the root of the file system management object. It functions as the root directory for file system queries. Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path. The following properties are supported for the root node: -- `Name`: The root node name. The Get command is the only supported command. +- `Name`: The root node name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. -***file directory*** +***file directory*** Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements. The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code. @@ -61,19 +58,19 @@ The Delete command is used to delete all files and subfolders under this *file d The following properties are supported for file directories: -- `Name`: The file directory name. The Get command is the only supported command. +- `Name`: The file directory name. The Get command is the only supported command. -- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command. +- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command. -- `Format`: The format, which is `node`. The Get command is the only supported command. +- `Format`: The format, which is `node`. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: Not supported. +- `Size`: Not supported. -- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command. -***file name*** +***file name*** Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead. The Delete command deletes the file. @@ -86,29 +83,18 @@ The Get command is not supported on a *file name* element, only on the propertie The following properties are supported for files: -- `Name`: The file name. The Get command is the only supported command. +- `Name`: The file name. The Get command is the only supported command. -- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. +- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command. -- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command. +- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command. -- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. +- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command. -- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. +- `Size`: The unencoded file content size in bytes. The Get command is the only supported command. -- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. +- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 1fae08c646..bf8a5ea5ad 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -248,10 +248,10 @@ Sample syncxml to provision the firewall settings to evaluate

Value type is string. Supported operations are Add, Get, Replace, and Delete.

**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

Comma separated list of local addresses covered by the rule. The default value is "". Valid tokens include:

+

Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

 -

AES Val#4902

+

AES validation number 4902

Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

Version 10.0.15063.674

@@ -2543,9 +2690,9 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4901

    +

    AES validation number 4901

    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

    Version 10.0.15254

    @@ -2556,291 +2703,291 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Tag Lengths: 128 (bits)
  • IV Lengths: 96 (bits)
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • +
  • Additional authenticated data length: 0-65536
    • -

    AES Val#4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    +

    AES validation number 4897

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    Version 10.0.16299

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    OFB ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    OFB (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

    Version 10.0.15063

    -

    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    -

    AES Val#4624

    +

    KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    +

    AES validation number 4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    Version 10.0.15063

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#4624

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 4624

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    Version 10.0.15063

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

    -

    GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    +

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    +

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported

    +

    GMAC supported

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    Version 10.0.15063

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

    Version 7.00.2872

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

    Version 8.00.6246

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

    Version 7.00.2872

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

    Version 8.00.6246

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    OFB ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    OFB (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    Version 10.0.14393

    -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    -GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    Version 10.0.14393

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
    Version 10.0.14393 -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

    -

    AES Val#4064

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    Version 10.0.14393

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#4064

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    Version 10.0.14393

    -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    -

    AES Val#3629

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    Version 10.0.10586

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#3629

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    Version 10.0.10586

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
    Version 10.0.10586 -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    -GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
    +GMAC supported

    +

    XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

    Version 10.0.10586

    -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    -

    AES Val#3497

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    +

    AES validation number 3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    Version 10.0.10240

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#3497

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    Version 10.0.10240

    -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    -GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96 bit IV supported
    +GMAC supported

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    Version 10.0.10240 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
    Version 10.0.10240 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

    Version 6.3.9600

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#2832

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 2832

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848

    Version 6.3.9600

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
    -OtherIVLen_Supported
    -GMAC_Supported

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    +

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    +

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96 bit IV supported;
    +OtherIVLen_Supported
    +GMAC supported

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    Version 6.3.9600

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    -AES Val#2197

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
    -AES Val#2197

    -

    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
    -GMAC_Supported

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    +AES validation number 2197

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    +AES validation number 2197

    +

    GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
    +GMAC supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    -

    AES Val#2196

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    +

    AES validation number 2196

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 -CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    -AES Val#1168 +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    +AES validation number 1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    -CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    -AES Val#1168 +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
    +AES validation number 1168 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 -

    GCM

    -

    GMAC

    -Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed +

    GCM

    +

    GMAC

    +Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed -CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 -CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    Windows Server 2008 CNG algorithms #757

    Windows Vista Ultimate SP1 CNG algorithms #756

    -

    CBC ( e/d; 128 , 256 );

    -

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

    +

    CBC (e/d; 128, 256);

    +

    CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)

    Windows Vista Ultimate BitLocker Drive Encryption #715

    Windows Vista Ultimate BitLocker Drive Encryption #424

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

    Windows Vista Symmetric Algorithm Implementation #553

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

    @@ -2856,7 +3003,7 @@ AES -Modes / States / Key Sizes -Algorithm Implementation and Certificate # +Modes / States / Key Sizes +Algorithm Implementation and Certificate #

    Prerequisite: AES #4903

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    Version 10.0.16299

    @@ -2930,78 +3077,78 @@ Deterministic Random Bit Generator (DRBG)

    Prerequisite: AES #4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    Version 10.0.16299

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] +CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    Version 10.0.15063

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    Version 10.0.15063

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    Version 7.00.2872

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    Version 8.00.6246

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    Version 7.00.2872

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    Version 8.00.6246

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)] +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    Version 10.0.14393

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    Version 10.0.14393

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    Version 10.0.10586

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    Version 10.0.10240

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)] +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    Version 6.3.9600

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 -DRBG (SP 800–90) +DRBG (SP 800–90) Windows Vista Ultimate SP1, vendor-affirmed @@ -3017,8 +3164,8 @@ Deterministic Random Bit Generator (DRBG) -Modes / States / Key Sizes -Algorithm Implementation and Certificate # +Modes / States / Key Sizes +Algorithm Implementation and Certificate #

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    Version 10.0.16299

    -

    FIPS186-4:

    -

    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    KeyPairGen:   [ (2048,256) ; (3072,256) ]

    -

    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

    -

    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val#3790

    -

    DRBG: Val# 1555

    +

    FIPS186-4:

    +

    PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

    +

    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    KeyPairGen:   [(2048,256); (3072,256)]

    +

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 3790

    +

    DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    Version 10.0.15063

    -FIPS186-4:
    -PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    -SHS: Val# 3649 +FIPS186-4:
    +PQG(ver)PARMS TESTED:       [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    Version 7.00.2872

    -FIPS186-4:
    -PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    -SHS: Val#3648 +FIPS186-4:
    +PQG(ver)PARMS TESTED:       [(1024,160) SHA(1)]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1)]
    +SHS: validation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    Version 8.00.6246

    -

    FIPS186-4:
    -PQG(gen)    PARMS TESTED: [
    -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256)
    -SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +

    FIPS186-4:
    +PQG(gen)    PARMS TESTED: [
    +(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256)
    +SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    Version 10.0.14393

    -

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 3047
    -DRBG: Val# 955

    +

    FIPS186-4:
    +PQG(gen)    PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    Version 10.0.10586

    -

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 2886
    -DRBG: Val# 868

    +

    FIPS186-4:
    +PQG(gen)    PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    Version 10.0.10240

    -

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [
    -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256)
    -SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    SHS: Val# 2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    +

    FIPS186-4:
    +PQG(gen)    PARMS TESTED:   [
    +(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256)
    +SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    Version 6.3.9600

    -

    FIPS186-2:
    -PQG(ver) MOD(1024);
    -SIG(ver) MOD(1024);
    +

    FIPS186-2:
    +PQG(ver) MOD(1024);
    +SIG(ver) MOD(1024);
    SHS: #1903
    DRBG: #258

    -

    FIPS186-4:
    -PQG(gen)PARMS TESTED    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +

    FIPS186-4:
    +PQG(gen)PARMS TESTED    : [(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    SHS: #1903
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 687.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687 -FIPS186-2:
    -PQG(ver)     MOD(1024);
    -SIG(ver) MOD(1024);
    +FIPS186-2:
    +PQG(ver)     MOD(1024);
    +SIG(ver) MOD(1024);
    SHS: #1902
    DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686. +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686 -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645. Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645 -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.

    Windows Server 2008 R2 and SP1 CNG algorithms #391

    Windows 7 Ultimate and SP1 CNG algorithms #386

    -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 1081
    -RNG: Val# 649
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 1081
    +RNG: validation number 649
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.

    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

    -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.

    Windows Server 2008 CNG algorithms #284

    Windows Vista Ultimate SP1 CNG algorithms #283

    -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 753
    -RNG: Val# 435
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 753
    +RNG: validation number 435
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.

    Windows Server 2008 Enhanced DSS (DSSENH) #282

    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

    -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.

    Windows Vista CNG algorithms #227

    Windows Vista Enhanced DSS (DSSENH) #226

    -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 784
    -RNG: Val# 448
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 784
    +RNG: validation number 448
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292. Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292 -FIPS186-2:
    -SIG(ver)     MOD(1024);
    -SHS: Val# 783
    -RNG: Val# 447
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291. +FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: validation number 783
    +RNG: validation number 447
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291 -FIPS186-2:
    -PQG(gen)     MOD(1024);
    -PQG(ver) MOD(1024);
    -KEYGEN(Y) MOD(1024);
    -SIG(gen) MOD(1024);
    -SIG(ver) MOD(1024);
    -SHS: Val# 611
    -RNG: Val# 314 +FIPS186-2:
    +PQG(gen)     MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: validation number 611
    +RNG: validation number 314 Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221 -FIPS186-2:
    -PQG(gen)     MOD(1024);
    -PQG(ver) MOD(1024);
    -KEYGEN(Y) MOD(1024);
    -SIG(gen) MOD(1024);
    -SIG(ver) MOD(1024);
    -SHS: Val# 385 +FIPS186-2:
    +PQG(gen)     MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: validation number 385 Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146 -FIPS186-2:
    -PQG(ver)     MOD(1024);
    -KEYGEN(Y) MOD(1024);
    -SIG(gen) MOD(1024);
    -SIG(ver) MOD(1024);
    -SHS: Val# 181
    +FIPS186-2:
    +PQG(ver)     MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: validation number 181

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95 -FIPS186-2:
    -PQG(gen)     MOD(1024);
    -PQG(ver) MOD(1024);
    -KEYGEN(Y) MOD(1024);
    -SIG(gen) MOD(1024);
    +FIPS186-2:
    +PQG(gen)     MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    SHS: SHA-1 (BYTE)
    -SIG(ver) MOD(1024);
    +SIG(ver) MOD(1024);
    SHS: SHA-1 (BYTE)

    Windows 2000 DSSENH.DLL #29

    Windows 2000 DSSBASE.DLL #28

    @@ -3353,12 +3500,12 @@ SHS: SHA-1 (BYTE)

    Windows NT 4 SP6 DSSBASE.DLL #25

    -

    FIPS186-2: PRIME;
    -FIPS186-2:

    -

    KEYGEN(Y):
    +

    FIPS186-2: PRIME;
    +FIPS186-2:

    +

    KEYGEN(Y):
    SHS: SHA-1 (BYTE)

    -

    SIG(gen):
    -SIG(ver)     MOD(1024);
    +

    SIG(gen):
    +SIG(ver)     MOD(1024);
    SHS: SHA-1 (BYTE)

    Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17 @@ -3375,8 +3522,8 @@ SHS: SHA-1 (BYTE)

    -Modes / States / Key Sizes -Algorithm Implementation and Certificate # +Modes / States / Key Sizes +Algorithm Implementation and Certificate #

    Prerequisite: SHS #2373, DRBG #489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    Version 6.3.9600

    @@ -3445,7 +3592,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    Version 10.0.16299

    @@ -3615,7 +3762,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    Version 10.0.16299

    @@ -3649,178 +3796,178 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    Version 10.0.16299

    -FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 TestingCandidates )
    -SHS: Val#3790
    -DRBG: Val# 1555 +FIPS186-4:
    +PKG: CURVES    (P-256 P-384 TestingCandidates)
    +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    Version 10.0.15063

    -FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: Val#3790
    -DRBG: Val# 1555 +FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    Version 10.0.15063

    -FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: Val#3790
    -DRBG: Val# 1555 +FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    Version 10.0.15063

    -FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    -SHS:Val# 3649
    -DRBG:Val# 1430 +FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    +SHS:validation number 3649
    +DRBG:validation number 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    Version 7.00.2872

    -FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    -SHS:Val#3648
    -DRBG:Val# 1429 +FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    +SHS:validation number 3648
    +DRBG:validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    Version 8.00.6246

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 TestingCandidates )
    -PKV: CURVES( P-256 P-384 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

    -

    SHS: Val# 3347
    -DRBG: Val# 1222

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 TestingCandidates)
    +PKV: CURVES(P-256 P-384)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

    +

    SHS: validation number 3347
    +DRBG: validation number 1222

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    Version 10.0.14393

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val# 3347
    -DRBG: Val# 1217

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 3347
    +DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    Version 10.0.14393

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val# 3047
    -DRBG: Val# 955

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 3047
    +DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    Version 10.0.10586

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val# 2886
    -DRBG: Val# 868

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 2886
    +DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    Version 10.0.10240

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    -

    SHS: Val#2373
    -DRBG: Val# 489

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    +

    SHS: validation number 2373
    +DRBG: validation number 489

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    Version 6.3.9600

    -

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: #1903
    -DRBG: #258
    -SIG(ver):CURVES( P-256 P-384 P-521 )
    -SHS: #1903
    -DRBG: #258

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: #1903
    -DRBG: #258
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    +

    FIPS186-2:
    +PKG: CURVES    (P-256 P-384 P-521)
    +SHS: #1903
    +DRBG: #258
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: #1903
    +DRBG: #258

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: #1903
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 341.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341 -

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#1773
    -DRBG: Val# 193
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#1773
    -DRBG: Val# 193

    -

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    -SHS: Val#1773
    -DRBG: Val# 193
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    +

    FIPS186-2:
    +PKG: CURVES    (P-256 P-384 P-521)
    +SHS: validation number 1773
    +DRBG: validation number 193
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 1773
    +DRBG: validation number 193

    +

    FIPS186-4:
    +PKG: CURVES    (P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    +SHS: validation number 1773
    +DRBG: validation number 193
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295 -FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#1081
    -DRBG: Val# 23
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#1081
    -DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. +FIPS186-2:
    +PKG: CURVES    (P-256 P-384 P-521)
    +SHS: validation number 1081
    +DRBG: validation number 23
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 1081
    +DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.

    Windows Server 2008 R2 and SP1 CNG algorithms #142

    Windows 7 Ultimate and SP1 CNG algorithms #141

    -FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#753
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82. +FIPS186-2:
    +PKG: CURVES    (P-256 P-384 P-521)
    +SHS: validation number 753
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.

    Windows Server 2008 CNG algorithms #83

    Windows Vista Ultimate SP1 CNG algorithms #82

    -FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    -SHS: Val#618
    -RNG: Val# 321
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    -SHS: Val#618
    -RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. +FIPS186-2:
    +PKG: CURVES    (P-256 P-384 P-521)
    +SHS: validation number 618
    +RNG: validation number 321
    +SIG(ver): CURVES(P-256 P-384 P-521)
    +SHS: validation number 618
    +RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60. Windows Vista CNG algorithms #60 @@ -3836,8 +3983,8 @@ Some of the previously validated components for this validation have been remove -Modes / States / Key Sizes -Algorithm Implementation and Certificate # +Modes / States / Key Sizes +Algorithm Implementation and Certificate #

    Prerequisite: SHS #4009

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    Version 10.0.16299

    @@ -3979,269 +4126,269 @@ Some of the previously validated components for this validation have been remove

    Prerequisite: SHS #4009

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    Version 10.0.16299

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    Version 10.0.15063

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    Version 10.0.15063

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHS Val# 3347

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3347

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3347

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHS validation number 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3347

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHS Val# 3047

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3047

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3047

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    -SHS Val# 3047

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHS validation number 3047

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3047

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3047

    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    Version 10.0.10586

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHSVal# 2886

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHSVal# 2886

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    - SHSVal# 2886

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    -SHSVal# 2886

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHSvalidation number 2886

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHSvalidation number 2886

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    + SHSvalidation number 2886

    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    +SHSvalidation number 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    Version 10.0.10240

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    -SHS Val#2373

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    +SHS validation number 2373

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    Version 6.3.9600

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    Version 5.2.29344

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

    +

    HMAC-SHA256 (Key Size Ranges Tested: KS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

    -

    SHS#1903

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

    -

    SHS#1903

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

    -

    SHS#1903

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

    -

    SHS#1903

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)

    +

    SHS#1903

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)

    +

    SHS#1903

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS)

    +

    SHS#1903

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)

    +

    SHS#1903

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    -

    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    Windows 7 and SP1 CNG algorithms #677

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753

    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753

    Windows Server 2008 CNG algorithms #413

    Windows Vista Ultimate SP1 CNG algorithms #412

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737

    Windows Vista Ultimate BitLocker Drive Encryption #386 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618

    Windows Vista CNG algorithms #298 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578

    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495

    Windows Vista BitLocker Drive Encryption #199 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 @@ -4257,8 +4404,8 @@ SHS -Modes / States / Key Sizes -Algorithm Implementation and Certificate # +Modes / States / Key Sizes +Algorithm Implementation and Certificate # -
  • One Pass DH:
    • +
  • One-Pass DH:

  • Prerequisite: SHS #4009, DSA #1301, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    Version 10.0.16299

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

    -

    SHS Val#3790
    -DSA Val#1135
    -DRBG Val#1556

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

    +

    SHS validation number 3790
    +DSA validation number 1135
    +DRBG validation number 1556

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

    Version 10.0.15063

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -SHS Val#3790
    -DSA Val#1223
    -DRBG Val#1555

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
    +SHS validation number 3790
    +DSA validation number 1223
    +DRBG validation number 1555

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    -SHS Val#3790
    -ECDSA Val#1133
    -DRBG Val#1555

    +SHS validation number 3790
    +ECDSA validation number 1133
    +DRBG validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

    Version 10.0.15063

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -SHS Val# 3649
    -DSA Val#1188
    -DRBG Val#1430

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
    +SHS validation number 3649
    +DSA validation number 1188
    +DRBG validation number 1430

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

    Version 7.00.2872

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -SHS Val#3648
    -DSA Val#1187
    -DRBG Val#1429

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhHybridOneFlow (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
    +[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
    +SHS validation number 3648
    +DSA validation number 1187
    +DRBG validation number 1429

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    -SHS Val#3648
    -ECDSA Val#1072
    -DRBG Val#1429

    +SHS validation number 3648
    +ECDSA validation number 1072
    +DRBG validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

    Version 8.00.6246

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
    -SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

    -

    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
    +SCHEMES  [FullUnified  (No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

    +

    SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    Version 10.0.14393

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
    -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)
    +SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

    Version 10.0.14393

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val# 3047 DSA Val#1024 DRBG Val#955

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 3047 DSA validation number 1024 DRBG validation number 955

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

    Version 10.0.10586

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val# 2886 DSA Val#983 DRBG Val#868

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 2886 DSA validation number 983 DRBG validation number 868

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

    Version 10.0.10240

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    -

    SHS Val#2373 DSA Val#855 DRBG Val#489

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    -

    SHS Val#2373 ECDSA Val#505 DRBG Val#489

    -

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    +

    SHS validation number 2373 DSA validation number 855 DRBG validation number 489

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  &lt; KARole(s): Initiator / Responder &gt;) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    +

    SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489

    +

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    Version 6.3.9600

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
    -SHS #1903 DSA Val#687 DRBG #258

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FA: SHA256) (FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)]
    +[dhStatic (No_KC &lt; KARole(s): Initiator / Responder&gt;) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
    +SHS #1903 DSA validation number 687 DRBG #258

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH(No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
    +[StaticUnified (No_KC &lt; KARole(s): Initiator / Responder&gt;) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]

    -SHS #1903 ECDSA Val#341 DRBG #258

    +SHS #1903 ECDSA validation number 341 DRBG #258

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 -

    KAS (SP 800–56A)

    +

    KAS (SP 800–56A)

    key agreement

    -

    key establishment methodology provides 80 to 256 bits of encryption strength

    +

    key establishment methodology provides 80 bits to 256 bits of encryption strength

    Windows 7 and SP1, vendor-affirmed

    Windows Server 2008 R2 and SP1, vendor-affirmed

    @@ -4922,8 +5069,8 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - + + - @@ -5017,61 +5164,61 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

    K prerequisite: KAS #146

    - - +KAS validation number 128
    +DRBG validation number 1556
    +MAC validation number 3062 - +KAS validation number 127
    +AES validation number 4624
    +DRBG validation number 1555
    +MAC validation number 3061 - - + - + - + - + - - + - + @@ -5087,34 +5234,34 @@ Random Number Generator (RNG) - - + + - + - + - + - + - + @@ -5140,8 +5287,8 @@ Random Number Generator (RNG) - - + + - @@ -5263,7 +5410,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    - @@ -5637,7 +5784,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    - @@ -5707,424 +5854,424 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    - - + - + - + - +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +SHA validation number 3790 - + - + - + - + - - + - + - + - + - + - + - + - + - + - + - + - + - + - - + - + - - + - - + - +

    Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134.

    - - + - + - + - + - + - + - + - +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395. - + - + - + - + - + - + - + - + - + - + - + - + - - - + + - - + - + - + - + - + - + - + - + - + - + - + - + - - + - - + - + - + - + - + - + - + - +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

    - + - + - - + +
  • Keying Option: 1
    • - - + - + - + - + - + - + - + - + - - + - + - + - + - + - + - + - +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
      @@ -4960,7 +5107,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

    K prerequisite: DRBG #1733, KAS #149

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    Version 10.0.16299
    CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +    		CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

    -KAS Val#128
    -DRBG Val#1556
    -MAC Val#3062

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

    Version 10.0.15063
    CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +    		CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    -KAS Val#127
    -AES Val#4624
    -DRBG Val#1555
    -MAC Val#3061

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

    Version 10.0.15063

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#93 DRBG Val#1222 MAC Val#2661

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 93 DRBG validation number 1222 MAC validation number 2661

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    Version 10.0.14393

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

    Version 10.0.14393

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

    Version 10.0.10586

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

    Version 10.0.10240

    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    DRBG Val#489 MAC Val#1773

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    +

    CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    DRBG validation number 489 MAC validation number 1773

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    Version 6.3.9600

    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    -

    DRBG #258 HMAC Val#1345

    CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    +

    DRBG #258 HMAC validation number 1345

    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #

    FIPS 186-2 General Purpose

    -

    [ (x-Original); (SHA-1) ]

    FIPS 186-2 General Purpose

    +

    [(x-Original); (SHA-1)]

    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
    FIPS 186-2
    -[ (x-Original); (SHA-1) ]    		FIPS 186-2
    +[(x-Original); (SHA-1)]

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

    Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

    FIPS 186-2
    -[ (x-Change Notice); (SHA-1) ]

    -

    FIPS 186-2 General Purpose
    -[ (x-Change Notice); (SHA-1) ]

    FIPS 186-2
    +[(x-Change Notice); (SHA-1)]

    +

    FIPS 186-2 General Purpose
    +[(x-Change Notice); (SHA-1)]

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

    Windows Vista RNG implementation #321
    FIPS 186-2 General Purpose
    -[ (x-Change Notice); (SHA-1) ]    		FIPS 186-2 General Purpose
    +[(x-Change Notice); (SHA-1)]

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

    @@ -5122,8 +5269,8 @@ Random Number Generator (RNG)

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313
    FIPS 186-2
    -[ (x-Change Notice); (SHA-1) ]    		FIPS 186-2
    +[(x-Change Notice); (SHA-1)]

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314
    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #

    RSA:

    @@ -5228,7 +5375,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    Version 10.0.16299
    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
    -SHA Val#3790    		FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
    +SHA validation number 3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

    Version 10.0.15063
    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3790    		FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

    Version 10.0.15063
    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -SHA Val#3790
    -DRBG: Val# 1555    		FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +SHA validation number 3790
    +DRBG: validation number 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

    Version 10.0.15063
    FIPS186-4:
    +    		FIPS186-4:
    186-4KEY(gen):
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -SHA Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

    Version 10.0.15063

    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

    -

    FIPS186-4:
    -ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    -SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3652

    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652

    +

    FIPS186-4:
    +ALG[ANSIX9.31]     Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

    Version 7.00.2872

    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

    -

    FIPS186-4:
    -ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    -SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3651

    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651

    +

    FIPS186-4:
    +ALG[ANSIX9.31]     Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

    Version 8.00.6246

    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

    -

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val# 3649
    -DRBG: Val# 1430

    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096, SHS: SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649

    +

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001);
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3649
    +DRBG: validation number 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

    Version 7.00.2872

    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

    -

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -SHA Val#3648
    -DRBG: Val# 1429

    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096, SHS: SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648

    +

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001);
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +SHA validation number 3648
    +DRBG: validation number 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

    Version 8.00.6246

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

    -

    SHA Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    +

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

    +

    SHA validation number 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    Version 10.0.14393

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val# 3347 DRBG: Val# 1217

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 3347 DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

    Version 10.0.14393

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#3346

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3346

    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

    Version 10.0.14393

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val# 3347 DRBG: Val# 1217

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3347 DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

    Version 10.0.14393

    FIPS186-4:
    -[RSASSA-PSS]: Sig(Gen):     (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val# 3347 DRBG: Val# 1217

    FIPS186-4:
    +[RSASSA-PSS]: Sig(Gen):     (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 3347 DRBG: validation number 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

    Version 10.0.14393

    FIPS186-4:
    -186-4KEY(gen)    :  FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val# 3047 DRBG: Val# 955

    FIPS186-4:
    +186-4KEY(gen)    :  FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 3047 DRBG: validation number 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

    Version 10.0.10586

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#3048

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3048

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

    Version 10.0.10586

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val# 3047

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

    Version 10.0.10586

    FIPS186-4:
    -[RSASSA-PSS]: Sig(Gen)    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val# 3047

    FIPS186-4:
    +[RSASSA-PSS]: Sig(Gen)    : (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

    Version 10.0.10586

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val# 2886 DRBG: Val# 868

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 2886 DRBG: validation number 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

    Version 10.0.10240

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2871

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

    Version 10.0.10240

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2871

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

    Version 10.0.10240

    FIPS186-4:
    -[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val# 2886

    FIPS186-4:
    +[RSASSA-PSS]:     Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

    Version 10.0.10240

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    -

    SHA Val#2373 DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    +

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e;
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    +

    SHA validation number 2373 DRBG: validation number 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2373

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    -

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    +

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5    ] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    +

    SHA validation number 2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    Version 6.3.9600

    FIPS186-4:
    -[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    - Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    SHA Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    +

    FIPS186-4:
    +[RSASSA-PSS]:     Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    + Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    SHA validation number 2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
    +

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
    SHA #1903

    -

    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +    		FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
    SHA #1903 DRBG: #258    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.    		FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: #258
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132.    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052.    		 Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.    		FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051.    		 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568.    		 Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.

    Windows Server 2008 R2 and SP1 CNG algorithms #567

    Windows 7 and SP1 CNG algorithms #560
    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.    		FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559.    		 Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557.    		 Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
    FIPS186-2:
    +    		FIPS186-2:
    ALG[ANSIX9.31]:
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.    		 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371.    		 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.

    Windows Server 2008 CNG algorithms #358

    Windows Vista SP1 CNG algorithms #357
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354
    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.    		FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353.    		 Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.    		FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258.    		 Windows Vista RSA key generation implementation #258
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257.    		 Windows Vista CNG algorithms #257
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255.    		 Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245.    		 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230.    		 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222.    		 Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.    		FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81.    		 Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
    FIPS186-2:
    -ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.    		FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
    +Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52.    		 Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

    FIPS186-2:

    -

    – PKCS#1 v1.5, signature generation and verification

    +

    FIPS186-2:

    +

    – PKCS#1 v1.5, signature generation, and verification

    – Mod sizes: 1024, 1536, 2048, 3072, 4096

    – SHS: SHA–1/256/384/512

    Windows XP, vendor-affirmed

    @@ -6143,8 +6290,8 @@ Some of the previously validated components for this validation have been remove
    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
      @@ -6209,174 +6356,174 @@ Some of the previously validated components for this validation have been remove
    • Supports Empty Message

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    Version 10.0.16299
    SHA-1      (BYTE-only)
    -SHA-256  (BYTE-only)
    -SHA-384  (BYTE-only)
    -SHA-512  (BYTE-only)    		SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

    Version 10.0.15063
    SHA-1      (BYTE-only)
    -SHA-256  (BYTE-only)
    -SHA-384  (BYTE-only)
    -SHA-512  (BYTE-only)    		SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

    Version 7.00.2872
    SHA-1      (BYTE-only)
    -SHA-256  (BYTE-only)
    -SHA-384  (BYTE-only)
    -SHA-512  (BYTE-only)    		SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

    Version 8.00.6246
    SHA-1      (BYTE-only)
    -SHA-256  (BYTE-only)
    -SHA-384  (BYTE-only)
    -SHA-512  (BYTE-only)    		SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

    Version 7.00.2872
    SHA-1      (BYTE-only)
    -SHA-256  (BYTE-only)
    -SHA-384  (BYTE-only)
    -SHA-512  (BYTE-only)    		SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

    Version 8.00.6246
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
    Version 10.0.14393
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
    Version 10.0.14393
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
    Version 10.0.10586
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
    Version 10.0.10586
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
    Version 10.0.10240
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
    Version 10.0.10240
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
    Version 6.3.9600
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
    +    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
    Version 6.3.9600

    SHA-1 (BYTE-only)

    -

    SHA-256 (BYTE-only)

    -

    SHA-384 (BYTE-only)

    -

    SHA-512 (BYTE-only)

    +

    SHA-1 (BYTE-only)

    +

    SHA-256 (BYTE-only)

    +

    SHA-384 (BYTE-only)

    +

    SHA-512 (BYTE-only)

    Implementation does not support zero-length (null) messages.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816
    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

    Windows Vista Symmetric Algorithm Implementation #618
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)

    Windows Vista BitLocker Drive Encryption #737

    Windows Vista Beta 2 BitLocker Drive Encryption #495
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364
    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

    @@ -6386,16 +6533,16 @@ Version 6.3.9600
    SHA-1 (BYTE-only)
    -SHA-256 (BYTE-only)
    -SHA-384 (BYTE-only)
    -SHA-512 (BYTE-only)    		SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

    Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305
    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

    Windows XP Microsoft Enhanced Cryptographic Provider #83

    Crypto Driver for Windows 2000 (fips.sys) #35

    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

    @@ -6417,8 +6564,8 @@ Version 6.3.9600
    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
      @@ -6495,116 +6642,116 @@ Version 6.3.9600

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    Version 10.0.16299
    TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

    Version 10.0.15063

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    CTR ( int only )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    CTR (int only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

    Version 7.00.2872

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

    Version 10.0.14393

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

    Version 10.0.10586

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

    Version 10.0.10240

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    +

    TECB(KO 1 e/d);

    +

    TCBC(KO 1 e/d);

    +

    TCFB8(KO 1 e/d);

    +

    TCFB64(KO 1 e/d)

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    Version 6.3.9600

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 ) ;

    -

    TCFB64( e/d; KO 1,2 )

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2);

    +

    TCFB64(e/d; KO 1, 2)

    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    		 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    		 Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    		 Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    		 Windows Vista Symmetric Algorithm Implementation #549
    Triple DES MACTriple DES MAC

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 )

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2)

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

    @@ -6631,20 +6778,20 @@ Version 6.3.9600
    -#### SP 800-132 Password Based Key Derivation Function (PBKDF) +#### SP 800-132 Password-Based Key Derivation Function (PBKDF) + PBKDF (vendor affirmed) + PBKDF (vendor affirmed) - - + +

    Prerequisite: DRBG #489

    - @@ -6707,7 +6854,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • - @@ -6717,7 +6864,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • - @@ -6988,7 +7135,7 @@ Version 6.3.9600

    Prerequisite: DRBG #1730

    - @@ -6998,7 +7145,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • - @@ -7009,7 +7156,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • - @@ -7022,7 +7169,7 @@ Version 6.3.9600

    Prerequisite: DRBG #1730

    - @@ -7032,7 +7179,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • - @@ -7044,7 +7191,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • - @@ -7110,23 +7257,23 @@ Version 6.3.9600

    Prerequisite: SHS #4009, HMAC #3267

    - +

    ECDSA SigGen Component: CURVES(P-256 P-384 P-521)

    @@ -7139,11 +7286,11 @@ Version 10.0.15063

    Version 10.0.15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
    Version 10.0.15063

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    Version 10.0.14393

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
    Version 10.0.14393

    -

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
    Version 10.0.10586

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
    Version  10.0.10240

    @@ -7158,7 +7305,7 @@ Version 6.3.9600

    Version 10.0.15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
    Version 10.0.15063

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    Version 10.0.14393

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
    Version 10.0.14393

    @@ -7170,7 +7317,7 @@ Version  10.0.10240

    - @@ -7196,10 +7343,7 @@ fips@microsoft.com ## References -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths +* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)) +* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf) +* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final) +* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf) diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 81f5a796f3..c6c0883e58 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -2,7 +2,7 @@ title: Get support description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization. keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 ms.reviewer: +ms.technology: mde --- # Get Support @@ -40,7 +41,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. -**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?** +**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement). diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp-1.png differ diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png new file mode 100644 index 0000000000..f8c9c07b16 Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 7e2cc61fe3..cfcd3b4102 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,9 +1,9 @@ --- title: Threat Protection (Windows 10) -description: Learn how Microsoft Defender ATP helps protect against threats. +description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,30 +14,34 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Threat Protection -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. ->[!TIP] +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +> [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). -

    Microsoft Defender ATP

    +

    Microsoft Defender for Endpoint

    - Modes / States / Key Sizes + Modes / States / Key Sizes - Algorithm Implementation and Certificate # + Algorithm Implementation and Certificate #
    - PBKDF (vendor affirmed)

     Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
    (Software Version: 10.0.14393)

    Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
    (Software Version: 10.0.14393)

    @@ -6654,7 +6801,7 @@ Version 6.3.9600
    - PBKDF (vendor affirmed)

    Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
    (Software Version: 10.0.14393)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

    @@ -6672,8 +6819,8 @@ Version 6.3.9600
    Publication / Component Validated / DescriptionImplementation and Certificate #Publication / Component Validated / DescriptionImplementation and Certificate #
      @@ -6685,7 +6832,7 @@ Version 6.3.9600

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

    Version 6.3.9600

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    Version 10.0.16299

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

    +

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

    Version 10.0.15063.674

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    Version 10.0.16299

     

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    Version 10.0.16299

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    Version 10.0.16299

    FIPS186-4 ECDSA

    Signature Generation of hash sized messages

    -

    ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
    Version 10.0. 15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
    Version 10.0. 15063

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
    Version 10.0.14393

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
    Version 10.0.10586

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    Version 6.3.9600

    SP800-135

    Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    Version 10.0.16299

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
    Version 10.0.15063

    @@ -7184,7 +7331,7 @@ Version 10.0.14393

    Version 10.0.10586

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
    Version  10.0.10240

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    Version 6.3.9600
    - - - - - - + + + + + + - +

    Threat & Vulnerability Management

    Attack surface reduction

    Next-generation protection

    Endpoint detection and response

    Automated investigation and remediation

    Microsoft Threat Experts
    threat and vulnerability icon
    Threat & vulnerability management
    attack surface reduction icon
    Attack surface reduction
    next generation protection icon
    Next-generation protection
    endpoint detection and response icon
    Endpoint detection and response
    automated investigation and remediation icon
    Automated investigation and remediation
    microsoft threat experts icon
    Microsoft Threat Experts
    Centralized configuration and administration, APIs
    Microsoft Threat Protection
    Microsoft 365 Defender

    @@ -47,19 +51,14 @@ ms.topic: conceptual >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] -**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    +**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) -- [Remediation](microsoft-defender-atp/tvm-remediation.md) -- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [Get started](microsoft-defender-atp/tvm-prerequisites.md) +- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md) +- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md) +- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md) @@ -78,7 +77,7 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
    -To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats. +To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus) @@ -103,50 +102,44 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
    -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) -- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) -- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) - - - -**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**
    - -Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Threat analytics](microsoft-defender-atp/threat-analytics.md) +- [Get an overview of automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) +- [Learn about automation levels](microsoft-defender-atp/automation-levels.md) +- [Configure automated investigation and remediation in Defender for Endpoint](microsoft-defender-atp/configure-automated-investigations-remediation.md) +- [Visit the Action center to see remediation actions](microsoft-defender-atp/auto-investigation-action-center.md) +- [Review remediation actions following an automated investigation](microsoft-defender-atp/manage-auto-investigation.md) +- [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md) **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
    -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) -- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) +- [Configure your Microsoft 365 Defender managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md) **[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
    -Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. +Integrate Microsoft Defender for Endpoint into your existing workflows. - [Onboarding](microsoft-defender-atp/onboard-configure.md) - [API and SIEM integration](microsoft-defender-atp/configure-siem.md) - [Exposed APIs](microsoft-defender-atp/apis-intro.md) - [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md) -- [Reporting and trends](microsoft-defender-atp/powerbi-reports.md) +- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md) **[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
    - Microsoft Defender ATP directly integrates with various Microsoft solutions, including: + Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: - Intune -- Office 365 ATP -- Azure ATP -- Azure Security Center +- Microsoft Defender for Office 365 +- Microsoft Defender for Identity +- Azure Defender - Skype for Business - Microsoft Cloud App Security -**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. +**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    + With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 48c382b306..9919f7d8d2 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -10,7 +10,9 @@ ### [Macro malware](macro-malware.md) -### [Phishing](phishing.md) +### [Phishing attacks](phishing.md) + +#### [Phishing trends and techniques](phishing-trends.md) ### [Ransomware](ransomware-malware.md) @@ -46,7 +48,7 @@ ### [Coordinated malware eradication](coordinated-malware-eradication.md) -## [Information for developers](developer-info.md) +## [Information for developers]() ### [Software developer FAQ](developer-faq.md) diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md index 52771c8630..aa36031971 100644 --- a/windows/security/threat-protection/intelligence/coinminer-malware.md +++ b/windows/security/threat-protection/intelligence/coinminer-malware.md @@ -3,7 +3,7 @@ title: Coin miners ms.reviewer: description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself. keywords: security, malware, coin miners, protection, cryptocurrencies -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Coin miners @@ -31,7 +32,7 @@ Many infections start with: Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources. -Coin miners are not inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners are not wanted in enterprise environments because they eat up precious computing resources. +Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources. Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people’s computing resources. @@ -41,12 +42,12 @@ DDE exploits, which have been known to distribute ransomware, are now delivering For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit. -The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A), which then downloads the trojanized miner: a modified version of the miner XMRig, which mines Monero cryptocurrency. +The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency. ## How to protect against coin miners -**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection. +**Enable potentially unwanted applications (PUA) detection**. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection. -Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md). +Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md). For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/). diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index fef7da884b..47e4ffb819 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -3,7 +3,7 @@ title: Coordinated Malware Eradication ms.reviewer: description: The Coordinated Malware Eradication program aims to unite security organizations to disrupt the malware ecosystem. keywords: security, malware, malware eradication, Microsoft Malware Protection Center, MMPC -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,8 +11,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Coordinated Malware Eradication @@ -20,20 +21,20 @@ ms.topic: article Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive. -CME calls for organizations to pool their tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to drive efficient and long lasting results for better protection of our collective communities, customers, and businesses. +CME calls for organizations to pool their tools, information, and actions to drive coordinated campaigns against malware. The goal is to drive efficient and long-lasting results to better protect our communities, customers, and businesses. ## Combining our tools, information, and actions -Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. For instance, while security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry, online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action. +Diversity of participation across industries and disciplines, extending beyond cybersecurity, makes eradication campaigns even stronger across the malware lifecycle. Security vendors, computer emergency response/readiness teams (CERTs), and Internet service providers (ISPs) can contribute with malware telemetry. Online businesses can identify fraudulent behavior and law enforcement agencies can drive legal action. -In addition to telemetry and analysis data, Microsoft is planning to contribute cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in to these campaigns. +Microsoft is planning to contribute telemetry and analysis data to these campaigns. It will also provide cloud-based scalable storage and computing horsepower with the necessary big data analysis tools built-in. ## Coordinated campaigns for lasting results -Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can initiate a campaign and invite others to join it. The members then have the option to accept or decline the invitations they receive. +Organizations participating in the CME effort work together to help eradicate selected malware families by contributing their own telemetry data, expertise, tools, and other resources. These organizations operate under a campaign umbrella with clearly defined end goals and metrics. Any organization or member can start a campaign and invite others to join it. The members can then accept or decline the invitations they receive. ## Join the effort -Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware). +Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). Everyone agrees to use the available information and tools for their intended purpose (that is, the eradication of malware). -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For any questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 74c19eb50f..869519e673 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -1,9 +1,9 @@ --- title: How Microsoft identifies malware and potentially unwanted applications ms.reviewer: -description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it is malware or a potentially unwanted application. +description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application. keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,14 +11,15 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # How Microsoft identifies malware and potentially unwanted applications -Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us. +Microsoft aims to provide a delightful and productive Windows experience by working to ensure you're safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you're protected against known threats. You are also warned about software that is unknown to us. You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md) @@ -29,9 +30,9 @@ The next sections provide an overview of the classifications we use for applicat ## Unknown – Unrecognized software -No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.  With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program. +No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.  With almost 2 billion websites on the internet and software continuously updated and released, it's impossible to have information about every single site and program. -You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to. +Think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware. There's generally a delay from the time new malware is released until it's identified. Not all uncommon programs are malicious, but the risk in the unknown category is much higher for the typical user. Warnings for unknown software aren't blocks. Users can choose to download and run the application normally if they wish to. Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software. @@ -61,11 +62,11 @@ Microsoft classifies most malicious software into one of the following categorie * **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. -* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). +* **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note that states you must pay money or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). * **Rogue security software:** Malware that pretends to be security software but doesn't provide any protection. This type of malware usually displays alerts about nonexistent threats on your device. It also tries to convince you to pay for its services. -* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate and tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device. +* **Trojan:** A type of malware that attempts to appear harmless. Unlike a virus or a worm, a trojan doesn't spread by itself. Instead, it tries to look legitimate to tricks users into downloading and installing it. Once installed, trojans perform various malicious activities such as stealing personal information, downloading other malware, or giving attackers access to your device. * **Trojan clicker:** A type of trojan that automatically clicks buttons or similar controls on websites or applications. Attackers can use this trojan to click on online advertisements. These clicks can skew online polls or other tracking systems and can even install applications on your device. @@ -73,17 +74,17 @@ Microsoft classifies most malicious software into one of the following categorie ### Unwanted software -Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that does not fully demonstrate these behaviors as "unwanted software". +Microsoft believes that you should have control over your Windows experience. Software running on Windows should keep you in control of your device through informed choices and accessible controls. Microsoft identifies software behaviors that ensure you stay in control. We classify software that doesn't fully demonstrate these behaviors as "unwanted software". #### Lack of choice -You must be notified about what is happening on your device, including what software does and whether it is active. +You must be notified about what is happening on your device, including what software does and whether it's active. Software that exhibits lack of choice might: * Fail to provide prominent notice about the behavior of the software and its purpose and intent. -* Fail to clearly indicate when the software is active and might also attempt to hide or disguise its presence. +* Fail to clearly indicate when the software is active. It might also attempt to hide or disguise its presence. * Install, reinstall, or remove software without your permission, interaction, or consent. @@ -93,7 +94,7 @@ Software that exhibits lack of choice might: * Falsely claim to be software from Microsoft. -Software must not mislead or coerce you into making decisions about your device. This is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: +Software must not mislead or coerce you into making decisions about your device. It is considered behavior that limits your choices. In addition to the previous list, software that exhibits lack of choice might: * Display exaggerated claims about your device's health. @@ -103,7 +104,7 @@ Software must not mislead or coerce you into making decisions about your device. Software that stores or transmits your activities or data must: -* Give you notice and get consent to do so. Software should not include an option that configures it to hide activities associated with storing or transmitting your data. +* Give you notice and get consent to do so. Software shouldn't include an option that configures it to hide activities associated with storing or transmitting your data. #### Lack of control @@ -119,7 +120,7 @@ Software that exhibits lack of control might: * Modify or manipulate webpage content without your consent. -Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that do not provide supported extensibility models are considered non-extensible and should not be modified. +Software that changes your browsing experience must only use the browser's supported extensibility model for installation, execution, disabling, or removal. Browsers that don't provide supported extensibility models are considered non-extensible and shouldn't be modified. #### Installation and removal diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 1a57f85019..fec4892d00 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -3,7 +3,7 @@ title: Industry collaboration programs ms.reviewer: description: Microsoft industry-wide antimalware collaboration programs - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) keywords: security, malware, antivirus industry, antimalware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,8 +11,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Industry collaboration programs @@ -38,6 +39,6 @@ Go to the [MVI program page](virus-initiative-criteria.md) for more information. CME is open to organizations who are involved in cybersecurity and antimalware or interested in fighting cybercrime. -The program aims to bring organizations in cybersecurity and other industries together to pool tools, information and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our collective communities, customers, and businesses. +The program aims to bring organizations in cybersecurity and other industries together to pool tools, information, and actions to drive coordinated campaigns against malware. The ultimate goal is to create efficient and long-lasting results for better protection of our communities, customers, and businesses. Go to the [CME program page](coordinated-malware-eradication.md) for more information. diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md index e3d47a044c..5f91ef4a1f 100644 --- a/windows/security/threat-protection/intelligence/developer-faq.md +++ b/windows/security/threat-protection/intelligence/developer-faq.md @@ -4,7 +4,7 @@ ms.reviewer: description: This page provides answers to common questions we receive from software developers keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Software developer FAQ @@ -23,19 +24,19 @@ This page provides answers to common questions we receive from software develope ## Does Microsoft accept files for a known list or false-positive prevention program? -No. We do not accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list or, far less frequently, in adding your digital certificate to a list of trusted publishers. +No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers. ## How do I dispute the detection of my program? Submit the file in question as a software developer. Wait until your submission has a final determination. -If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We will use the information you provide to investigate further if necessary. +If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary. We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md). ## Why is Microsoft asking for a copy of my program? -This can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. +Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file. ## Why does Microsoft classify my installer as a software bundler? @@ -43,8 +44,8 @@ It contains instructions to offer a program classified as unwanted software. You ## Why is the Windows Defender Firewall blocking my program? -This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). +Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). -## Why does the Microsoft Defender SmartScreen say my program is not commonly downloaded? +## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded? -This is not related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) +This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md deleted file mode 100644 index 19d1a76072..0000000000 --- a/windows/security/threat-protection/intelligence/developer-info.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: Information for developers -ms.reviewer: -description: This page provides answers to common questions we receive from software developers and other useful resources -keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: ellevin -author: levinec -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Information for developers - -Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions. - -## In this section - -Topic | Description -:---|:--- -[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers. -[Developer resources](developer-resources.md) | Provides information about how to submit files, detection criteria, and how to check your software against the latest security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index b413cea906..9c99065431 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -4,7 +4,7 @@ ms.reviewer: description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against Security intelligence. keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection, security intelligence search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -13,8 +13,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Software developer resources diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index beff687643..c7a418d55c 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -1,9 +1,9 @@ --- title: Exploits and exploit kits ms.reviewer: -description: Learn about how exploits use vulnerabilities in common software to give an attackers access to your computer and to install other malware. +description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware. keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Exploits and exploit kits @@ -21,27 +22,27 @@ Exploits take advantage of vulnerabilities in software. A vulnerability is like ## How exploits and exploit kits work -Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include what's called "shellcode". This is a small malware payload that's used to download additional malware from attacker-controlled networks. This allows hackers to infect devices and infiltrate organizations. +Exploits are often the first part of a larger attack. Hackers scan for outdated systems that contain critical vulnerabilities, which they then exploit by deploying targeted malware. Exploits often include shellcode, which is a small malware payload used to download additional malware from attacker-controlled networks. Shellcode allows hackers to infect devices and infiltrate organizations. -Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploys additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java and Sun Java. +Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java. The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads. -The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited. +The infographic below shows how an exploit kit might attempt to exploit a device after you visit a compromised webpage. -![example of how exploit kits work](./images/ExploitKit.png) +![example of how exploit kits work.](./images/ExploitKit.png) -*Figure 1. Example of how exploit kits work* +*Figure 1. Example of how to exploit kits work* Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware. Examples of exploit kits: -- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle) +- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle) -- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino) +- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK) -- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu) +- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu) To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/) @@ -56,6 +57,6 @@ You can read more on the [CVE website](https://cve.mitre.org/). ## How to protect against exploits -The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware. +The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities, so make sure these updates are applied to all devices. For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 747950168f..a120169e13 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -1,9 +1,9 @@ --- title: Fileless threats ms.reviewer: -description: Learn about the categories of fileless threats and malware that "live off the land" +description: Learn about the categories of fileless threats and malware that live off the land keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,16 +11,17 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Fileless threats -What exactly are fileless threats? The term "fileless" suggests that a threat does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition for fileless malware. The term is used broadly; it's also used to describe malware families that do rely on files to operate. +What exactly are fileless threats? The term "fileless" suggests that a threat doesn't come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no one definition for fileless malware. The term is used broadly, and sometimes to describe malware families that do rely on files to operate. -Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft, some parts of the attack chain may be fileless, while others may involve the filesystem in some form. +Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, or information theft. Some parts of the attack chain may be fileless, while others may involve the file system in some form. For clarity, fileless threats are grouped into different categories. @@ -29,42 +30,42 @@ For clarity, fileless threats are grouped into different categories. Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts. -Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are sub-categories of the execution vector. +Next, list the form of entry point. For example, exploits can be based on files or network data, PCI peripherals are a type of hardware vector, and scripts and executables are subcategories of the execution vector. -Finally, classify the host of the infection. For example, a Flash application that may contain an exploit, a simple executable, malicious firmware from a hardware device, or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. +Finally, classify the host of the infection. For example, a Flash application may contain a variety of threats such as an exploit, a simple executable, and malicious firmware from a hardware device. -This helps you divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. +Classifying helps you divide and categorize the various kinds of fileless threats. Some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. From this categorization, you can glean three main types of fileless threats based on how much fingerprint they may leave on infected machines. ## Type I: No file activity performed -A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file. +A fully fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? One example is where a target machine receives malicious network packets that exploit the EternalBlue vulnerability. The vulnerability allows the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there's no file or any data written on a file. -Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls. +A compromised device may also have malicious code hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or in the firmware of a network card. All these examples don't require a file on the disk to run, and can theoretically live only in memory. The malicious code would survive reboots, disk reformats, and OS reinstalls. -Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks. +Infections of this type can be particularly difficult to detect because most antivirus products don’t have the capability to inspect firmware. In cases where a product does have the ability to inspect and detect malicious firmware, there are still significant challenges associated with remediation of threats at this level. This type of fileless malware requires high levels of sophistication and often depends on particular hardware or software configuration. It’s not an attack vector that can be exploited easily and reliably. While dangerous, threats of this type are uncommon and not practical for most attacks. ## Type II: Indirect file activity -There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically. +There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type doesn't directly write files on the file system, but they can end up using files indirectly. For example, with the [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run the command periodically. -It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed. +It’s possible to carry out such installation via command line without requiring a backdoor to already be on the file. The malware can be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file in a central storage area managed by the CIM Object Manager, and usually contains legitimate data. Even though the infection chain does technically use a physical file, it’s considered a fileless attack because the WMI repository is a multi-purpose data container that can't be detected and removed. ## Type III: Files required to operate -Some malware can have some sort of fileless persistence but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. +Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe. ![Image of Kovter's registry key](images/kovter-reg-key.png)
    *Figure 2. Kovter’s registry key* -When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts. +When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts. -Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present. +Kovter is considered a fileless threat because the file system is of no practical use. The files with random extensions contain junk data that isn't usable in verifying the presence of the threat. The files that store the registry are containers that can't be detected and deleted if malicious content is present. ## Categorizing fileless threats by infection host -Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race. +Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware doesn't get the upper hand in the arms race. ### Exploits @@ -76,26 +77,28 @@ Having described the broad categories, we can now dig into the details and provi **Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. Software residing and running in the chipset of a device is called firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/). -**CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. +**CPU-based** (Type I): Modern CPUs are complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/), bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. -**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. +Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. It has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution. -**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). +**USB-based** (Type I): USB devices of all kinds can be reprogrammed with malicious firmware capable of interacting with the operating system in nefarious ways. For example, the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/) allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will. -**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date. +**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. The BIOS is an important component that operates at a low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/). + +**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although few are known to date. ### Execution and injection -**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes. +**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory, or injected into other legitimate running processes. -**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. +**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe) and implemented in a scripting language. There's no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. -**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they are textual files (not binary executables) and run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. +**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros, they are textual files (not binary executables) and run within the context of the interpreter (like wscript.exe, powershell.exe), which is a clean and legitimate component. Scripts are versatile and can be run from a file (by double-clicking them) or executed directly on the command line of an interpreter. Running on the command line allows malware to encode malicious scripts as autostart services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. -**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it. +**Disk-based** (Type II: Boot Record): The Boot Record is the first sector of a disk or volume, and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code. When the machine is booted, the malware immediately gains control. The Boot Record resides outside the file system, but it’s accessible by the operating system. Modern antivirus products have the capability to scan and restore it. ## Defeating fileless malware -At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md index a8950a6977..819ce7f08a 100644 --- a/windows/security/threat-protection/intelligence/index.md +++ b/windows/security/threat-protection/intelligence/index.md @@ -1,8 +1,8 @@ --- title: Security intelligence -description: Safety tips about malware and how you can protect your organization +description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs. keywords: security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,9 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Security intelligence diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index ec97b244a7..6faec90f87 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -3,7 +3,7 @@ title: Macro malware ms.reviewer: description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats. keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Macro malware @@ -21,18 +22,18 @@ Macros are a powerful way to automate common tasks in Microsoft Office and can m ## How macro malware works -Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. +Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. -Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened. +Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. In recent versions of Microsoft Office, macros are disabled by default. Now, malware authors need to convince users to turn on macros so that their malware can run. They try to scare users by showing fake warnings when a malicious document is opened. We've seen macro malware download threats from the following families: -* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) -* [Ransom:Win32/Teerac](Ransom:Win32/Teerac) -* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) -* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) -* [Win32/Fynloski](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) -* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) +* [Ransom:MSIL/Swappa](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A) +* [Ransom:Win32/Teerac](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Teerac&threatId=-2147277789) +* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A) +* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif) +* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski) +* [Worm:Win32/Gamarue](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue) ## How to protect against macro malware @@ -43,8 +44,8 @@ We've seen macro malware download threats from the following families: * Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads. -* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules) +* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) -For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). +For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). -For more general tips, see [prevent malware infection](prevent-malware-infection.md). +For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 001d356c59..abd3753a03 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -3,7 +3,7 @@ title: Malware names ms.reviewer: description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware. keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Malware names @@ -21,7 +22,7 @@ We name the malware and unwanted software that we detect according to the Comput ![coordinated-malware-eradication](images/NamingMalware1.png) -When our analysts research a particular threat, they will determine what each of the components of the name will be. +When our analysts research a particular threat, they'll determine what each of the components of the name will be. ## Type @@ -61,7 +62,7 @@ Describes what the malware does on your computer. Worms, viruses, trojans, backd ## Platforms -Indicates the operating system (such as Windows, Mac OS X, and Android) that the malware is designed to work on. The platform is also used to indicate programming languages and file formats. +Platforms indicate the operating system (such as Windows, masOS X, and Android) the malware is designed to work on. The platform is also used to indicate programming languages and file formats. ### Operating systems @@ -71,8 +72,8 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * FreeBSD: FreeBSD platform * iPhoneOS: iPhone operating system * Linux: Linux platform -* MacOS: MAC 9.x platform or earlier -* MacOS_X: MacOS X or later +* macOS: MAC 9.x platform or earlier +* macOS_X: MacOS X or later * OS2: OS2 platform * Palm: Palm operating system * Solaris: System V-based Unix platforms @@ -105,11 +106,11 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * INF: Install scripts * IRC: mIRC/pIRC scripts * Java: Java binaries (classes) -* JS: Javascript scripts +* JS: JavaScript scripts * LOGO: LOGO scripts * MPB: MapBasic scripts * MSH: Monad shell scripts -* MSIL: .Net intermediate language scripts +* MSIL: .NET intermediate language scripts * Perl: Perl scripts * PHP: Hypertext Preprocessor scripts * Python: Python scripts @@ -125,7 +126,7 @@ Indicates the operating system (such as Windows, Mac OS X, and Android) that the * A97M: Access 97, 2000, XP, 2003, 2007, and 2010 macros * HE: macro scripting -* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and Powerpoint +* O97M: Office 97, 2000, XP, 2003, 2007, and 2010 macros - those that affect Word, Excel, and PowerPoint * PP97M: PowerPoint 97, 2000, XP, 2003, 2007, and 2010 macros * V5M: Visio5 macros * W1M: Word1Macro diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md new file mode 100644 index 0000000000..d8cd025a74 --- /dev/null +++ b/windows/security/threat-protection/intelligence/phishing-trends.md @@ -0,0 +1,70 @@ +--- +title: Phishing trends and techniques +ms.reviewer: +description: Learn about how to spot phishing techniques +keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling +ms.prod: m365-security +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +search.appverid: met150 +ms.technology: mde +--- + +# Phishing trends and techniques + +Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. + +Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices. + +## Invoice phishing + +In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. + +## Payment/delivery scam + +You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them. + +## Tax-themed phishing scams + +A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. + +## Downloads + +An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you. + +## Phishing emails that deliver other threats + +Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. + +We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. + +## Spear phishing + +Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target. + +Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. + +The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. + +## Whaling + +Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. + +## Business email compromise + +Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers. + +## More information about phishing attacks + +For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): + +- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) +- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) +- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 4f5d3c7278..20bf7cc3fd 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -1,9 +1,9 @@ --- -title: Phishing +title: How to protect against phishing attacks ms.reviewer: description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,135 +11,92 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- -# Phishing +# How to protect against phishing attacks -Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication that often look to be official communication from legitimate companies or individuals. +Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals. -The information that phishers (as the cybercriminals behind phishing attacks are called) attempt to steal can be user names and passwords, credit card details, bank account information, or other credentials. Attackers can then use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. Phishers can also sell the information in cybercriminal underground marketplaces. - -## How phishing works - -Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season, bait content involves tax-filing announcements that attempt to lure you into providing your personal information such as your Social Security number or bank account information. - -Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign-in pages that require users to input login credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. - -Another common phishing technique is the use of emails that direct you to open a malicious attachment, for example a PDF file. The attachment often contains a message asking you to provide login credentials to another site such as email or file sharing websites to open the document. When you access these phishing sites using your login credentials, the attacker now has access to your information and can gain additional personal information about you. - -## Phishing trends and techniques - -### Invoice phishing - -In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company and provides a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. - -### Payment/delivery scam - -You are asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past, but you are not aware of any items you have recently purchased from them. - -### Tax-themed phishing scams - -A common IRS phishing scams is one in which an urgent email letter is sent indicating that you owe money to the IRS. Often the email threatens legal action if you do not access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. - -### Downloads - -Another frequently-used phishing scam is one in which an attacker sends a fraudulent email requesting you to open or download a document, often one requiring you to sign in. - -### Phishing emails that deliver other threats - -Phishing emails can be very effective, and so attackers can using them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. - -We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites, which use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. - -## Targeted attacks against enterprises - -### Spear phishing - -Spear phishing is a targeted phishing attack that involves highly customized lure content. To perform spear phishing, attackers will typically do reconnaissance work, surveying social media and other information sources about their intended target. - -Spear phishing may involve tricking you into logging into fake sites and divulging credentials. Spear phishing may also be designed to lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. - -The implanted malware serves as the point of entry for a more sophisticated attack known as an advanced persistent threat (APT). APTs are generally designed to establish control and steal data over extended periods. As part of the attack, attackers often try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. - -### Whaling - -Whaling is a form of phishing in which the attack is directed at high-level or senior executives within specific companies with the direct goal of gaining access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. When the links or attachment are opened, it can assist the attacker in accessing credentials and other personal information, or launch a malware that will lead to an APT. - -### Business email compromise - -Business email compromise (BEC) is a sophisticated scam that targets businesses often working with foreign suppliers and businesses that regularly perform wire transfer payments. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack, where the attacker creates a domain similar to the company they are targeting or spoofs their email to scam users into releasing personal account information for money transfers. - -## How to protect against phishing attacks +Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets. Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate. -### Awareness +## Learn the signs of a phishing scam -The best protection is awareness and education. Don’t open attachments or click links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. +The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. -Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information, and instruct them to report the threat to the company’s security operations team immediately. +Enterprises should educate and train their employees to be wary of any communication that requests personal or financial information. They should also instruct employees to report the threat to the company’s security operations team immediately. Here are several telltale signs of a phishing scam: -* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to. +* The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to. ![example of how exploit kits work](./images/URLhover.png) -* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. +* There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email. -* **Items in the email address will be changed** so that it is similar enough to a legitimate email address but has added numbers or changed letters. +* **Items in the email address will be changed** so that it is similar enough to a legitimate email address, but has added numbers or changed letters. * The message is **unexpected and unsolicited**. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect. -* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails will not ask you to do this. +* The message or the attachment asks you to **enable macros, adjust security settings, or install applications**. Normal emails won't ask you to do this. * The message contains **errors**. Legitimate corporate messages are less likely to have typographic or grammatical errors or contain wrong information. -* The **sender address does not match** the signature on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com. +* The **sender address doesn't match the signature** on the message itself. For example, an email is purported to be from Mary of Contoso Corp, but the sender address is john@example.com. * There are **multiple recipients** in the “To” field and they appear to be random addresses. Corporate messages are normally sent directly to individual recipients. -* The greeting on the message itself **does not personally address you**. Apart from messages that mistakenly address a different person, those that misuse your name or pull your name directly from your email address tend to be malicious. +* The greeting on the message itself **doesn't personally address you**. Apart from messages that mistakenly address a different person, greetings that misuse your name or pull your name directly from your email address tend to be malicious. -* The website looks familiar but there are **inconsistencies or things that are not quite right** such as outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites. +* The website looks familiar but there are **inconsistencies or things that aren't quite right**. Warning signs include outdated logos, typos, or ask users to give additional information that is not asked by legitimate sign-in websites. -* The page that opens is **not a live page** but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. +* The page that opens is **not a live page**, but rather an image that is designed to look like the site you are familiar with. A pop-up may appear that requests credentials. If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate. -For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. +## Software solutions for organizations -### Software solutions for organizations - -* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. +* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services. -* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. +* Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. -For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md). +## What to do if you've been a victim of a phishing scam -## What do I do if I've already been a victim of a phishing scam? +If you feel you've been a victim of a phishing attack: -If you feel that you have been a victim of a phishing attack, contact your IT Admin. You should also immediately change all passwords associated with the accounts, and report any fraudulent activity to your bank, credit card company, etc. +1. Contact your IT admin if you are on a work computer +2. Immediately change all passwords associated with the accounts +3. Report any fraudulent activity to your bank and credit card company ### Reporting spam -Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). +- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**. -For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676). +- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**. -Send an email with the phishing scam to **The Anti-Phishing Working Group**: reportphishing@apwg.org. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions and law enforcement agencies are involved. +- **Microsoft**: Create a new, blank email message with the one of the following recipients: + - Junk: junk@office365.microsoft.com + - Phishing: phish@office365.microsoft.com -## Where to find more information about phishing attacks + Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). -For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): +- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved. -* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) +### If you’re on a suspicious website -* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) +- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website. -* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) +- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website. + +## More information about phishing attacks + +- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing) +- [Phishing trends](phishing-trends.md) +- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index df44f6142a..e84f8e37a8 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -3,7 +3,7 @@ title: Troubleshoot MSI portal errors caused by admin block description: Troubleshoot MSI portal errors ms.reviewer: keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,28 +11,29 @@ ms.author: dansimp author: dansimp manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Troubleshooting malware submission errors caused by administrator block -In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this. +In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem. ## Review your settings Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected. -- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information. +- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information. -- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it. +- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.   ## Implement Required Enterprise Application permissions This process requires a global or application admin in the tenant. 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). - 2. Click **Grant admin consent for organization**. - 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant. + 2. Select **Grant admin consent for organization**. + 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image](images/msi-grant-admin-consent.jpg) + ![grant consent image](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   @@ -59,15 +60,15 @@ This process requires that global admins go through the Enterprise customer sign ![Consent sign in flow](images/msi-microsoft-permission-required.jpg) -Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**. +Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. All users in the tenant will now be able to use this application. -## Option 3: Delete and re-add app permissions +## Option 3: Delete and readd app permissions If neither of these options resolve the issue, try the following steps (as an admin): 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) -and click **delete**. +and select **delete**. ![Delete app permissions](images/msi-properties.png) @@ -78,7 +79,7 @@ and click **delete**. ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) -4. Review the permissions required by the application, and then click **Accept**. +4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 3313e1d680..45f1877661 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -3,7 +3,7 @@ title: Prevent malware infection ms.reviewer: description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer. keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Prevent malware infection @@ -103,11 +104,11 @@ Microsoft provides comprehensive security capabilities that help protect against * [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data. -* [Office 365 Advanced Threat Protection](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. +* [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders. * [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection. -* [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge. +* [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge. * [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account. @@ -117,6 +118,6 @@ Microsoft provides comprehensive security capabilities that help protect against ## What to do with a malware infection -Microsoft Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. +Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects. In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware). diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index b91211e7da..851d1f8c50 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -3,7 +3,7 @@ title: Ransomware ms.reviewer: description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files. keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Ransomware @@ -31,7 +32,7 @@ Most ransomware infections start with: Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4. -Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model in which malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is a big business, at the expense of individuals and businesses. +Ransomware is one of the most lucrative revenue channels for cybercriminals, so malware authors continually improve their malware code to better target enterprise environments. Ransomware-as-a-service is a cybercriminal business model where malware creators sell their ransomware and other services to cybercriminals, who then operate the ransomware attacks. The business model also defines profit sharing between the malware creators, ransomware operators, and other parties that may be involved. For cybercriminals, ransomware is big business at the expense of individuals and businesses. ### Examples @@ -43,9 +44,9 @@ Sophisticated ransomware like **Spora**, **WannaCrypt** (also known as WannaCry) * A Petya variant exploits the same vulnerability, in addition to CVE-2017-0145 (also known as EternalRomance), and uses stolen credentials to move laterally across networks. -Older ransomware like **Reveton** locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they are effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and fine needs to be paid. Because of this, Reveton is nicknamed "Police Trojan" or "Police ransomware". +Older ransomware like **Reveton** (nicknamed "Police Trojan" or "Police ransomware") locks screens instead of encrypting files. They display a full screen image and then disable Task Manager. The files are safe, but they're effectively inaccessible. The image usually contains a message claiming to be from law enforcement that says the computer has been used in illegal cybercriminal activities and a fine needs to be paid. -Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. +Ransomware like **Cerber** and **Locky** search for and encrypt specific file types, typically document and media files. When the encryption is complete, the malware leaves a ransom note using text, image, or an HTML file with instructions to pay a ransom to recover files. **Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks. diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index ad80fad7fe..ab4fa996bd 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -3,7 +3,7 @@ title: Rootkits ms.reviewer: description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove. keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,21 +11,22 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Rootkits -Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it is undetected. During this time it will steal information and resources. +Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it will steal information and resources. ## How rootkits work Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that device reports about itself. -For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device. +If you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn’t want you to know about. Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device. -Many modern malware families use rootkits to try and avoid detection and removal, including: +Many modern malware families use rootkits to try to avoid detection and removal, including: * [Alureon](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon) @@ -53,12 +54,12 @@ For more general tips, see [prevent malware infection](prevent-malware-infection ### What if I think I have a rootkit on my device? -Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isn’t detecting it, you might need an extra tool that lets you boot to a known trusted environment. +Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you have a rootkit that your antimalware software isn’t detecting, you may need an extra tool that lets you boot to a known trusted environment. -[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly due to a possible malware infection. +[Microsoft Defender Offline](https://support.microsoft.com/help/17466/microsoft-defender-offline-help-protect-my-pc) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. It’s designed to be used on devices that aren't working correctly because of a possible malware infection. [System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) in Windows 10 protects against rootkits and threats that impact system integrity. ### What if I can’t remove a rootkit? -If the problem persists, we strongly recommend reinstalling the operating system and security software. You should then restore your data from a backup. +If the problem persists, we strongly recommend reinstalling the operating system and security software. Then restore your data from a backup. diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 96e45bc39b..a9c1588361 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -3,7 +3,7 @@ title: Microsoft Safety Scanner Download ms.reviewer: description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers. keywords: security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Microsoft Safety Scanner diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index 7b4028fb4a..87667989e4 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -3,7 +3,7 @@ title: Submit files for analysis by Microsoft description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections. ms.reviewer: keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Submit files for analysis @@ -26,7 +27,7 @@ You can send us files that you think might be malware or files that have been in We receive a large number of samples from many sources. Our analysis is prioritized by the number of file detections and the type of submission. You can help us complete a quick analysis by providing detailed information about the product you were using and what you were doing when you found the file. -If you sign in before you submit a sample, you will be able to track your submissions. +After you sign in, you will be able to track your submissions. ## Can I send a sample by email? @@ -34,9 +35,7 @@ No, we only accept submissions through our [sample submission portal](https://ww ## Can I submit a sample without signing in? -Yes, you many submit a file as an anonymous home customer. You will get a link to a webpage where you can view the status of the submission. - -If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance. +No. If you're an enterprise customer, you need to sign in so that we can prioritize your submission appropriately. If you are currently experiencing a virus outbreak or security-related incident, you should contact your designated Microsoft support professional or go to [Microsoft Support](https://support.microsoft.com/) for immediate assistance. ## What is the Software Assurance ID (SAID)? @@ -52,9 +51,7 @@ We encourage all software vendors and developers to read about [how Microsoft id ## How do I track or view past sample submissions? -You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). Your submission will only appear on this page if you were signed in when you submitted it. - -If you’re not signed in when you submit a sample, you will be redirected to a tracking page. Bookmark this page if you want to come back and check on the status of your submission. +You can track your submissions through the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). ## What does the submission status mean? @@ -66,7 +63,7 @@ Each submission is shown to be in one of the following status types: * Closed—a final determination has been given by an analyst -If you are signed in, you can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). +You can see the status of any files you submit to us on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory). ## How does Microsoft prioritize submissions diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index 7530ec2c2e..fff7e3b7b3 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -3,7 +3,7 @@ title: Supply chain attacks ms.reviewer: description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Supply chain attacks diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 8544b43d61..0cfb94aa8f 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -3,7 +3,7 @@ title: Tech Support Scams ms.reviewer: description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings. keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Tech support scams @@ -63,6 +64,6 @@ It is also important to keep the following in mind: Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams: -www.microsoft.com/reportascam +www.microsoft.com/reportascam You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index 2ed753b049..31228195f8 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -3,7 +3,7 @@ title: Trojan malware ms.reviewer: description: Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them. keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Trojans diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index eb417b74dd..d7d82578fa 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -3,7 +3,7 @@ title: Understanding malware & other threats ms.reviewer: description: Learn about the most prevalent viruses, malware, and other threats. Understand how they infect systems, how they behave, and how to prevent and remove them. keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual search.appverid: met150 +ms.technology: mde --- # Understanding malware & other threats @@ -21,7 +22,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index ab2471f894..31dc9dc196 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -3,7 +3,7 @@ title: Unwanted software ms.reviewer: description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Unwanted software diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 5aded1e416..a70ae6fe7e 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -3,7 +3,7 @@ title: Virus Information Alliance ms.reviewer: description: The Microsoft Virus Information Alliance (VIA) is a collaborative antimalware program for organizations fighting cybercrime. keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,28 +11,36 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Virus Information Alliance The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. -Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers. +Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft. The goal is to improve protection for Microsoft customers. ## Better protection for customers against malware -The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage. +The VIA program gives members access to information that will help them improve protection. For example, the program provides malware telemetry and samples to security teams so they can identify gaps and prioritize new threat coverage. -Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. +Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets. The data also helps set scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers. ## Becoming a member of VIA -Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers. +Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). -Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. +The criteria is designed to ensure that Microsoft can work with the following groups to protect a broad range of customers: + +- Security software providers +- Security service providers +- Antimalware testing organizations +- Other organizations involved in the fight against cybercrime + +Members will receive information to facilitate effective malware detection, deterrence, and eradication. This information includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. VIA has an open enrollment for potential members. @@ -43,11 +51,12 @@ To be eligible for VIA your organization must: 1. Be willing to sign a non-disclosure agreement with Microsoft. 2. Fit into one of the following categories: - * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. - * Your organization provides security services to Microsoft customers or for Microsoft products. - * Your organization publishes antimalware testing reports on a regular basis. - * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. + + - Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. + - Your organization provides security services to Microsoft customers or for Microsoft products. + - Your organization publishes antimalware testing reports on a regular basis. + - Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index a896140ce6..8512c8d267 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -3,7 +3,7 @@ title: Microsoft Virus Initiative ms.reviewer: description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share telemetry with Microsoft. keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,21 +11,22 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Virus Initiative The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences. +MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. ## Become a member -A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: -1. Offer an antimalware or antivirus product that is one of the following: +1. Offer an antimalware or antivirus product that meets one of the following criteria: * Your organization's own creation. * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. @@ -34,7 +35,7 @@ A request for membership is made by an individual as a representative of an orga 3. Be active and have a positive reputation in the antimalware industry. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. 4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. @@ -49,14 +50,14 @@ A request for membership is made by an individual as a representative of an orga Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- AV-Comparatives | Real-World Protection Test
    https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives -AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted
    https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) +AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted
    https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) ICSA Labs | Endpoint Anti-Malware Detection
    https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities
    https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS -SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
    http://www.skdlabs.com/html/english/
    http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests +SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
    http://www.skdlabs.com/html/english/
    http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating
    https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating VB 100 | VB100 Certification Test V1.1
    https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification West Coast Labs | Checkmark Certified
    http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 04c8f8280f..99c3fafa1a 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -3,7 +3,7 @@ title: Worms ms.reviewer: description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them. keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ ms.author: ellevin author: levinec manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article search.appverid: met150 +ms.technology: mde --- # Worms @@ -22,19 +23,19 @@ A worm is a type of malware that can copy itself and often spreads through a net ## How worms work -Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. +Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. -Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics. +Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics. * **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page. -* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. +* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues. * **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. -Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. +Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software. -* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). +* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware). This image shows how a worm can quickly spread through a shared USB drive. diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 771169d40b..09dc088c59 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -2,14 +2,14 @@ title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. keywords: MBSA, security, removal -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp -author: dulcemontemayor -ms.date: 10/05/2018 +author: dansimp ms.reviewer: manager: dansimp +ms.technology: mde --- # What is Microsoft Baseline Security Analyzer and its uses? @@ -17,6 +17,9 @@ manager: dansimp Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +> [!NOTE] +> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md deleted file mode 100644 index a0e3d27f66..0000000000 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: What to do with false positives/negatives in Microsoft Defender Antivirus -description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do. -keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.custom: nextgen -ms.date: 06/08/2020 -ms.reviewer: shwetaj -manager: dansimp -audience: ITPro -ms.topic: article ---- - -# What to do with false positives/negatives in Microsoft Defender Antivirus - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. - -What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can: -- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis) -- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring) -- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned) - -## Submit a file to Microsoft for analysis - -1. Review the [submission guidelines](../intelligence/submission-guide.md). -2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission). - -> [!TIP] -> We recommend signing in at the submission portal so you can track the results of your submissions. - -## Create an "Allow" indicator to prevent a false positive from recurring - -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. - -To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). - -## Define an exclusion on an individual Windows device to prevent an item from being scanned - -When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item. - -1. On your Windows 10 device, open the Windows Security app. -2. Select **Virus & threat protection** > **Virus & threat protection settings**. -3. Under **Exclusions**, select **Add or remove exclusions**. -4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**). - -The following table summarizes exclusion types, how they're defined, and what happens when they're in effect. - -|Exclusion type |Defined by |What happens | -|---------|---------|---------| -|**File** |Location
    Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. | -|**Folder** |Location
    Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | -|**File type** |File extension
    Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. | -|**Process** |Executable file path
    Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | - -To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) - -## Related articles - -[What is Microsoft Defender Advanced Threat Protection?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - -[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index 072cc3c421..53cc0585bb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -3,7 +3,7 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index 9c9ec19ea9..db2a7a7f8e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -1,9 +1,9 @@ --- title: Collect diagnostic data of Microsoft Defender Antivirus description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus -keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av +keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,15 +14,19 @@ ms.custom: nextgen ms.date: 06/29/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Collect Microsoft Defender AV diagnostic data +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV. +This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV. > [!NOTE] > As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). @@ -51,7 +55,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. > [!NOTE] -> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
    For more information see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share). +> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation `
    For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share). 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. @@ -75,7 +79,7 @@ mpcmdrun.exe -GetFiles -SupportLogLocation Copies the diagnostic data to the specified path. If the path is not specified, the diagnostic data will be copied to the location specified in the Support Log Location Configuration. -When the SupportLogLocation parameter is used, a folder structure as below will be created in the destination path: +When the SupportLogLocation parameter is used, a folder structure like as follows will be created in the destination path: ```Dos \\MpSupport--.cab @@ -83,13 +87,30 @@ When the SupportLogLocation parameter is used, a folder structure as below will | field | Description | |:----|:----| -| path | The path as specified on the commandline or retrieved from configuration -| MMDD | Month Day when the diagnostic data was collected (eg 0530) -| hostname | the hostname of the device on which the diagnostic data was collected. -| HHMM | Hours Minutes when the diagnostic data was collected (eg 1422) +| path | The path as specified on the command line or retrieved from configuration +| MMDD | Month and day when the diagnostic data was collected (for example, 0530) +| hostname | The hostname of the device on which the diagnostic data was collected +| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422) > [!NOTE] -> When using a File share please make sure that account used to collect the diagnostic package has write access to the share. +> When using a file share please make sure that account used to collect the diagnostic package has write access to the share. + +## Specify location where diagnostic data is created + +You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO). + +1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation` + +1. Select **Define the directory path to copy support log files**. + + ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png) + + ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png) +3. Inside the policy editor, select **Enabled**. + +4. Specify the directory path where you want to copy the support log files in the **Options** field. + ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png) +5. Select **OK** or **Apply**. ## See also diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index dd65e257fb..04a84573cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -3,22 +3,27 @@ title: Use the command line to manage Microsoft Defender Antivirus description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: ksarens +ms.reviewer: ksarens manager: dansimp +ms.date: 08/17/2020 +ms.technology: mde --- # Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. @@ -29,11 +34,12 @@ You can perform various Microsoft Defender Antivirus functions with the dedicate The utility has the following commands: -```DOS +```console MpCmdRun.exe [command] [-options] ``` Here's an example: -``` + +```console MpCmdRun.exe -Scan -ScanType 2 ``` @@ -53,6 +59,22 @@ MpCmdRun.exe -Scan -ScanType 2 | `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence | | `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence | | `-CheckExclusion -path ` | Checks whether a path is excluded | +| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.| + + +## Common errors in running commands via mpcmdrun.exe + +|Error message | Possible reason +|:----|:----| +| `ValidateMapsConnection failed (800106BA) or 0x800106BA` | The Microsoft Defender Antivirus service is disabled. Enable the service and try again.
    **Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.| +| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.| +| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)| +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.| +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. | +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems| +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015` | The firewall is blocking the connection or conducting SSL inspection. | +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. | +| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 53d9dc6877..3108c5ea6b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Common mistakes to avoid when defining exclusions description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,141 +13,47 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Common mistakes to avoid when defining exclusions + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. -This topic describes some common mistake that you should avoid when defining exclusions. +This article describes some common mistake that you should avoid when defining exclusions. Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions). ## Excluding certain trusted items -There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. -**Do not add exclusions for the following folder locations:** +Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. -- %systemdrive% -- C: -- C:\ -- C:\* -- %ProgramFiles%\Java -- C:\Program Files\Java -- %ProgramFiles%\Contoso\ -- C:\Program Files\Contoso\ -- %ProgramFiles(x86)%\Contoso\ -- C:\Program Files (x86)\Contoso\ -- C:\Temp -- C:\Temp\ -- C:\Temp\* -- C:\Users\ -- C:\Users\* -- C:\Users\\AppData\Local\Temp\ -- C:\Users\\AppData\LocalLow\Temp\ -- C:\Users\\AppData\Roaming\Temp\ -- %Windir%\Prefetch -- C:\Windows\Prefetch -- C:\Windows\Prefetch\ -- C:\Windows\Prefetch\* -- %Windir%\System32\Spool -- C:\Windows\System32\Spool -- C:\Windows\System32\CatRoot2 -- %Windir%\Temp -- C:\Windows\Temp -- C:\Windows\Temp\ -- C:\Windows\Temp\* +Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table: -**Do not add exclusions for the following file extensions:** -- .7zip -- .bat -- .bin -- .cab -- .cmd -- .com -- .cpl -- .dll -- .exe -- .fla -- .gif -- .gz -- .hta -- .inf -- .java -- .jar -- .job -- .jpeg -- .jpg -- .js -- .ko -- .ko.gz -- .msi -- .ocx -- .png -- .ps1 -- .py -- .rar -- .reg -- .scr -- .sys -- .tar -- .tmp -- .url -- .vbe -- .vbs -- .wsf -- .zip +| Folder locations | File extensions | Processes | +|:--|:--|:--| +| `%systemdrive%`
    `C:`
    `C:\`
    `C:\*`
    `%ProgramFiles%\Java`
    `C:\Program Files\Java`
    `%ProgramFiles%\Contoso\`
    `C:\Program Files\Contoso\`
    `%ProgramFiles(x86)%\Contoso\`
    `C:\Program Files (x86)\Contoso\`
    `C:\Temp`
    `C:\Temp\`
    `C:\Temp\*`
    `C:\Users\`
    `C:\Users\*`
    `C:\Users\\AppData\Local\Temp\`
    `C:\Users\\AppData\LocalLow\Temp\`
    `C:\Users\\AppData\Roaming\Temp\`
    `%Windir%\Prefetch`
    `C:\Windows\Prefetch`
    `C:\Windows\Prefetch\`
    `C:\Windows\Prefetch\*`
    `%Windir%\System32\Spool`
    `C:\Windows\System32\Spool`
    `C:\Windows\System32\CatRoot2`
    `%Windir%\Temp`
    `C:\Windows\Temp`
    `C:\Windows\Temp\`
    `C:\Windows\Temp\*` | `.7zip`
    `.bat`
    `.bin`
    `.cab`
    `.cmd`
    `.com`
    `.cpl`
    `.dll`
    `.exe`
    `.fla`
    `.gif`
    `.gz`
    `.hta`
    `.inf`
    `.java`
    `.jar`
    `.job`
    `.jpeg`
    `.jpg`
    `.js`
    `.ko`
    `.ko.gz`
    `.msi`
    `.ocx`
    `.png`
    `.ps1`
    `.py`
    `.rar`
    `.reg`
    `.scr`
    `.sys`
    `.tar`
    `.tmp`
    `.url`
    `.vbe`
    `.vbs`
    `.wsf`
    `.zip` | `AcroRd32.exe`
    `bitsadmin.exe`
    `excel.exe`
    `iexplore.exe`
    `java.exe`
    `outlook.exe`
    `psexec.exe`
    `powerpnt.exe`
    `powershell.exe`
    `schtasks.exe`
    `svchost.exe`
    `wmic.exe`
    `winword.exe`
    `wuauclt.exe`
    `addinprocess.exe`
    `addinprocess32.exe`
    `addinutil.exe`
    `bash.exe`
    `bginfo.exe`[1]
    `cdb.exe`
    `csi.exe`
    `dbghost.exe`
    `dbgsvc.exe`
    `dnx.exe`
    `fsi.exe`
    `fsiAnyCpu.exe`
    `kd.exe`
    `ntkd.exe`
    `lxssmanager.dll`
    `msbuild.exe`[2]
    `mshta.exe`
    `ntsd.exe`
    `rcsi.exe`
    `system.management.automation.dll`
    `windbg.exe` | >[!NOTE] -> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. - -**Do not add exclusions for the following processes:** -- AcroRd32.exe -- bitsadmin.exe -- excel.exe -- iexplore.exe -- java.exe -- outlook.exe -- psexec.exe -- powerpnt.exe -- powershell.exe -- schtasks.exe -- svchost.exe -- wmic.exe -- winword.exe -- wuauclt.exe -- addinprocess.exe -- addinprocess32.exe -- addinutil.exe -- bash.exe -- bginfo.exe[1] -- cdb.exe -- csi.exe -- dbghost.exe -- dbgsvc.exe -- dnx.exe -- fsi.exe -- fsiAnyCpu.exe -- kd.exe -- ntkd.exe -- lxssmanager.dll -- msbuild.exe[2] -- mshta.exe -- ntsd.exe -- rcsi.exe -- system.management.automation.dll -- windbg.exe +> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. ## Using just the file name in the exclusion list -A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. + +A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`. ## Using a single exclusion list for multiple server workloads + Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload. ## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists + Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. + See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists. -## Related topics +## Related articles - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md index ac38745a10..060cddd476 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Manage Windows Defender in your business +title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,34 +11,36 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 12/16/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Microsoft Defender Antivirus in your business +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can manage and configure Microsoft Defender Antivirus with the following tools: -- Microsoft Intune -- Microsoft Endpoint Configuration Manager -- Group Policy -- PowerShell cmdlets -- Windows Management Instrumentation (WMI) -- The mpcmdrun.exe utility +- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager) +- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) +- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus) +- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus) +- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility -The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. +The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. -## In this section - -Article | Description ----|--- -[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus -[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates -[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters -[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) -[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus +| Article | Description | +|:---|:---| +|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus | +|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates | +|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters | +|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) | +|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md index 9800bbf096..7782d63b95 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md @@ -4,7 +4,7 @@ description: You can configure Microsoft Defender AV to scan email storage files keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,22 +13,25 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp - +ms.technology: mde --- # Configure Microsoft Defender Antivirus scanning options +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Use Microsoft Intune to configure scanning options See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -## Use Microsoft Endpoint Configuration Manager to configure scanning options +## Use Microsoft Endpoint Manager to configure scanning options -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch). ## Use Group Policy to configure scanning options @@ -56,8 +59,8 @@ Specify the level of subfolders within an archive folder to scan | Scan > Specif Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available ->[!NOTE] ->If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. +> [!NOTE] +> If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares. ## Use PowerShell to configure scanning options diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 8a479654ed..801001d7ef 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -1,137 +1,115 @@ --- -title: Enable Block at First Sight to detect malware in seconds -description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. +title: Enable block at first sight to detect malware in seconds +description: Turn on the block at first sight feature to detect and block malware within seconds. keywords: scan, BAFS, malware, first seen, first sight, cloud, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: high author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp ms.custom: nextgen +ms.date: 10/22/2020 +ms.technology: mde --- -# Enable block at first sight +# Turn on block at first sight + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. +Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. +You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. >[!TIP] ->Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. +>Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works -When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean. +When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file. If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. In many cases, this process can reduce the response time for new malware from hours to seconds. -## Confirm and validate that block at first sight is enabled +## Turn on block at first sight with Microsoft Intune -Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments. +> [!TIP] +> Microsoft Intune is now part of Microsoft Endpoint Manager. -### Confirm block at first sight is enabled with Intune +1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**. -1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**. +2. Select or create a profile using the **Device restrictions** profile type. - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. +3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**: -2. Verify these settings are configured as follows: - - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** + - **Cloud-delivered protection**: Enabled + - **File Blocking Level**: High + - **Time extension for file scanning by the cloud**: 50 + - **Prompt users before sample submission**: Send all data without prompting ![Intune config](images/defender/intune-block-at-first-sight.png) - > [!WARNING] - > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). +4. Save your settings. -For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +> [!TIP] +> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). +> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). -For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). +## Turn on block at first sight with Microsoft Endpoint Manager -### Enable block at first sight with Microsoft Endpoint Configuration Manager +> [!TIP] +> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager. -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. +1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**. -2. Click **Home** > **Create Antimalware Policy**. +2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type. -3. Enter a name and a description, and add these settings: - - **Real time protection** - - **Advanced** - - **Cloud Protection Service** +3. Set or confirm the following configuration settings: -4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable real-time protection](images/defender/sccm-real-time-protection.png) + - **Turn on cloud-delivered protection**: Yes + - **Cloud-delivered protection level**: High + - **Defender Cloud Extended Timeout in Seconds**: 50 -5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) + :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager"::: -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. - ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) +4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**. -7. Click **OK** to create the policy. +## Turn on block at first sight with Group Policy +> [!NOTE] +> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight. -### Confirm block at first sight is enabled with Group Policy +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**. -3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - - - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. - - > [!WARNING] + > [!IMPORTANT] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. -4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**: +4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**. - 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. +5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered. - 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. - -If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. - -### Confirm block at first sight is enabled with Registry editor - -1. Start Registry Editor. - -2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that - - 1. **SpynetReporting** key is set to **1** - - 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples) - -3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that - - 1. **DisableIOAVProtection** key is set to **0** - - 2. **DisableRealtimeMonitoring** key is set to **0** - -### Confirm Block at First Sight is enabled on individual clients +## Confirm block at first sight is enabled on individual clients You can confirm that block at first sight is enabled on individual clients using Windows security settings. @@ -146,33 +124,53 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote 3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE] -> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. +> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. +> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -### Validate block at first sight is working +## Validate block at first sight is working -You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). +To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). -## Disable block at first sight +## Turn off block at first sight -> [!WARNING] -> Disabling block at first sight will lower the protection state of the endpoint and your network. +> [!CAUTION] +> Turning off block at first sight will lower the protection state of your device(s) and your network. -You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. +You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently. -### Disable block at first sight with Group Policy +### Turn off block at first sight with Microsoft Endpoint Manager + +1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. + +2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy. + +3. Under **Manage**, choose **Properties**. + +4. Next to **Configuration settings**, choose **Edit**. + +5. Change one or more of the following settings: + + - Set **Turn on cloud-delivered protection** to **No** or **Not configured**. + - Set **Cloud-delivered protection level** to **Not configured**. + - Clear the **Defender Cloud Extended Timeout In Seconds** box. + +6. Review and save your settings. + +### Turn off block at first sight with Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**. 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling block at first sight will not disable or alter the prerequisite group policies. + > Disabling block at first sight does not disable or alter the prerequisite group policies. -## Related topics +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) + - [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 3d86286bb7..fc9ab62d48 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure the Microsoft Defender AV cloud block timeout period description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure the cloud block timeout period +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index 0c3ce33cac..91d207c1bc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure how users can interact with Microsoft Defender AV description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings. keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,13 +13,17 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure end-user interaction with Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index e7d0bb0417..beb6882a8b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -3,23 +3,26 @@ title: Set up exclusions for Microsoft Defender AV scans description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell. keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 03/12/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. @@ -38,11 +41,14 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru The following is a list of recommendations that you should keep in mind when defining exclusions: - Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc. + - Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process. + - Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate. + - Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded. ## Related articles - [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) -- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) \ No newline at end of file +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index d9e2707453..49091cb89b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure and validate exclusions based on extension, name, or location description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,53 +12,54 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and validate exclusions based on file extension and folder location +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] -> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](../microsoft-defender-atp/manage-indicators.md). ## Exclusion lists -You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell. This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -Exclusion | Examples | Exclusion list ----|---|--- -Any file with a specific extension | All files with the specified extension, anywhere on the machine.
    Valid syntax: `.test` and `test` | Extension exclusions -Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions -A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions -A specific process | The executable file `c:\test\process.exe` | File and folder exclusions +| Exclusion | Examples | Exclusion list | +|:---|:---|:---| +|Any file with a specific extension | All files with the specified extension, anywhere on the machine.
    Valid syntax: `.test` and `test` | Extension exclusions | +|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions | +| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions | +| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions | Exclusion lists have the following characteristics: - Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions apply to any file name with the defined extension if a path or folder is not defined. ->[!IMPORTANT] ->Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. -> ->You cannot exclude mapped network drives. You must specify the actual network path. -> ->Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +> [!IMPORTANT] +> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> - You cannot exclude mapped network drives. You must specify the actual network path. +> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md). ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. +> [!IMPORTANT] +> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). +> Changes made in the Windows Security app **will not show** in the Group Policy lists. By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. @@ -74,39 +75,37 @@ See the following articles: ### Use Configuration Manager to configure file name, folder, or file extension exclusions -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to configure folder or file extension exclusions >[!NOTE] >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. -4. Double-click the **Path Exclusions** setting and add the exclusions. +4. Open the **Path Exclusions** setting for editing, and add your exclusions. - Set the option to **Enabled**. - Under the **Options** section, click **Show...**. - Specify each folder on its own line under the **Value name** column. - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. -5. Click **OK**. +5. Choose **OK**. ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -6. Double-click the **Extension Exclusions** setting and add the exclusions. +6. Open the **Extension Exclusions** setting for editing and add your exclusions. - Set the option to **Enabled**. - - Under the **Options** section, click **Show...**. + - Under the **Options** section, select **Show...**. - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. -7. Click **OK**. - - ![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png) +7. Choose **OK**. @@ -122,21 +121,21 @@ The format for the cmdlets is as follows: The following are allowed as the ``: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove item from the list | `Remove-MpPreference` +| Configuration action | PowerShell cmdlet | +|:---|:---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove item from the list | `Remove-MpPreference` | The following are allowed as the ``: -Exclusion type | PowerShell parameter ----|--- -All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` +| Exclusion type | PowerShell parameter | +|:---|:---| +| All files with a specified file extension | `-ExclusionExtension` | +| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` | ->[!IMPORTANT] ->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. +> [!IMPORTANT] +> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension: @@ -171,29 +170,26 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. ->[!IMPORTANT] ->There are key limitations and usage scenarios for these wildcards: -> ->- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. ->- You cannot use a wildcard in place of a drive letter. ->- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. +> [!IMPORTANT] +> There are key limitations and usage scenarios for these wildcards: +> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. +> - You cannot use a wildcard in place of a drive letter. +> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. |Wildcard |Examples | -|---------|---------| +|:---------|:---------| |`*` (asterisk)

    In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

    `C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

    `C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | -|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | +|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables

    The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | ->[!IMPORTANT] ->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. -> ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. -> ->This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. +> [!IMPORTANT] +> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. +> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. @@ -201,273 +197,68 @@ The following table describes how the wildcards can be used and provides some ex The following table lists and describes the system account environment variables. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    System environment variablesWill redirect to:
    %APPDATA%C:\Users\UserName.DomainName\AppData\Roaming
    %APPDATA%\Microsoft\Internet Explorer\Quick LaunchC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
    %APPDATA%\Microsoft\Windows\Start MenuC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
    %APPDATA%\Microsoft\Windows\Start Menu\ProgramsC:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
    %LOCALAPPDATA% C:\Windows\System32\config\systemprofile\AppData\Local
    %ProgramData%C:\ProgramData
    %ProgramFiles%C:\Program Files
    %ProgramFiles%\Common Files C:\Program Files\Common Files
    %ProgramFiles%\Windows Sidebar\Gadgets C:\Program Files\Windows Sidebar\Gadgets
    %ProgramFiles%\Common FilesC:\Program Files\Common Files
    %ProgramFiles(x86)% C:\Program Files (x86)
    %ProgramFiles(x86)%\Common Files C:\Program Files (x86)\Common Files
    %SystemDrive%C:
    %SystemDrive%\Program FilesC:\Program Files
    %SystemDrive%\Program Files (x86) C:\Program Files (x86)
    %SystemDrive%\Users C:\Users
    %SystemDrive%\Users\PublicC:\Users\Public
    %SystemRoot% C:\Windows
    %windir%C:\Windows
    %windir%\FontsC:\Windows\Fonts
    %windir%\Resources C:\Windows\Resources
    %windir%\resources\0409C:\Windows\resources\0409
    %windir%\system32C:\Windows\System32
    %ALLUSERSPROFILE%C:\ProgramData
    %ALLUSERSPROFILE%\Application DataC:\ProgramData\Application Data
    %ALLUSERSPROFILE%\DocumentsC:\ProgramData\Documents
    %ALLUSERSPROFILE%\Documents\My Music\Sample Music -

    C:\ProgramData\Documents\My Music\Sample Music

    -

    .

    -
    %ALLUSERSPROFILE%\Documents\My Music C:\ProgramData\Documents\My Music
    %ALLUSERSPROFILE%\Documents\My Pictures -

    C:\ProgramData\Documents\My Pictures -

    -
    %ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures C:\ProgramData\Documents\My Pictures\Sample Pictures
    %ALLUSERSPROFILE%\Documents\My Videos C:\ProgramData\Documents\My Videos
    %ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore C:\ProgramData\Microsoft\Windows\DeviceMetadataStore
    %ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer C:\ProgramData\Microsoft\Windows\GameExplorer
    %ALLUSERSPROFILE%\Microsoft\Windows\Ringtones C:\ProgramData\Microsoft\Windows\Ringtones
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu C:\ProgramData\Microsoft\Windows\Start Menu
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs C:\ProgramData\Microsoft\Windows\Start Menu\Programs
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative ToolsC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
    %ALLUSERSPROFILE%\Microsoft\Windows\Templates C:\ProgramData\Microsoft\Windows\Templates
    %ALLUSERSPROFILE%\Start Menu C:\ProgramData\Start Menu
    %ALLUSERSPROFILE%\Start Menu\Programs C:\ProgramData\Start Menu\Programs
    %ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools C:\ProgramData\Start Menu\Programs\Administrative Tools
    %ALLUSERSPROFILE%\Templates C:\ProgramData\Templates
    %LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates
    %LOCALAPPDATA%\Microsoft\Windows\History C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
    -

    -%PUBLIC%

    -    		C:\Users\Public
    %PUBLIC%\AccountPictures C:\Users\Public\AccountPictures
    %PUBLIC%\Desktop C:\Users\Public\Desktop
    %PUBLIC%\Documents C:\Users\Public\Documents
    %PUBLIC%\Downloads C:\Users\Public\Downloads
    %PUBLIC%\Music\Sample Music -

    C:\Users\Public\Music\Sample Music

    -

    .

    -
    %PUBLIC%\Music\Sample Playlists -

    C:\Users\Public\Music\Sample Playlists

    -

    .

    -
    %PUBLIC%\Pictures\Sample Pictures C:\Users\Public\Pictures\Sample Pictures
    %PUBLIC%\RecordedTV.library-msC:\Users\Public\RecordedTV.library-ms
    %PUBLIC%\VideosC:\Users\Public\Videos
    %PUBLIC%\Videos\Sample Videos -

    C:\Users\Public\Videos\Sample Videos

    -

    .

    -
    %USERPROFILE% C:\Windows\System32\config\systemprofile
    %USERPROFILE%\AppData\Local C:\Windows\System32\config\systemprofile\AppData\Local
    %USERPROFILE%\AppData\LocalLow C:\Windows\System32\config\systemprofile\AppData\LocalLow
    %USERPROFILE%\AppData\Roaming C:\Windows\System32\config\systemprofile\AppData\Roaming
    +| This system environment variable... | Redirects to this | +|:--|:--| +| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` | +| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` | +| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` | +| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` | +| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` | +| `%ProgramData%` | `C:\ProgramData` | +| `%ProgramFiles%` | `C:\Program Files` | +| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` | +| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` | +| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` | +| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` | +| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` | +| `%SystemDrive%` | `C:` | +| `%SystemDrive%\Program Files` | `C:\Program Files` | +| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` | +| `%SystemDrive%\Users` | `C:\Users` | +| `%SystemDrive%\Users\Public` | `C:\Users\Public` | +| `%SystemRoot%` | `C:\Windows` | +| `%windir%` | `C:\Windows` | +| `%windir%\Fonts` | `C:\Windows\Fonts` | +| `%windir%\Resources` | `C:\Windows\Resources` | +| `%windir%\resources\0409` | `C:\Windows\resources\0409` | +| `%windir%\system32` | `C:\Windows\System32` | +| `%ALLUSERSPROFILE%` | `C:\ProgramData` | +| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` | +| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` | +| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` | +| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` | +| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` | +| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` | +| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` | +| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` | +| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` | +| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs | +| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` | +| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` | +| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` | +| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` | +| `%PUBLIC%` | `C:\Users\Public` | +| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` | +| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` | +| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` | +| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` | +| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` | +| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` | +| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` | +| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` | +| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` | +| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` | +| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` | +| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` | +| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` | +| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` | ## Review the list of exclusions @@ -486,7 +277,7 @@ You can retrieve the items in the exclusion list using one of the following meth If you use PowerShell, you can retrieve the list in two ways: -- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line. +- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. ### Validate the exclusion list by using MpCmdRun diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md index e77c12eda2..4b69f181b0 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure local overrides for Microsoft Defender AV settings description: Enable or disable users from locally changing settings in Microsoft Defender AV. keywords: local override, local policy, group policy, gpo, lockdown,merge, lists search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 02/13/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index c705e4b465..6185228b0b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus features description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell. keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,16 +11,20 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/18/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure Microsoft Defender Antivirus features +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can configure Microsoft Defender Antivirus with a number of tools, including: @@ -34,15 +38,16 @@ The following broad categories of features can be configured: - Cloud-delivered protection - Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection -- How end-users interact with the client on individual endpoints +- How end users interact with the client on individual endpoints -The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools). +The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools). -You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. +|Article |Description | +|---------|---------| +|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. | +|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. | +|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. | + +> [!TIP] +> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help. -## In this section -Topic | Description -:---|:--- -[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection -[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection -[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 1901905edb..f00a35da1f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure and validate Microsoft Defender Antivirus network connections description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service. keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,16 +11,20 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/08/2020 +ms.date: 12/28/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and validate Microsoft Defender Antivirus network connections +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -29,7 +33,7 @@ This article lists the connections that must be allowed, such as by using firewa See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. >[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > >- Cloud-delivered protection >- Fast learning (including block at first sight) @@ -46,7 +50,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. +Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. @@ -57,9 +61,9 @@ The table below lists the services and their associated URLs. Make sure that the | Microsoft Update Service (MU)
    Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
    `*.delivery.mp.microsoft.com`
    `*.windowsupdate.com`

    For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)| |Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`
    `*.download.windowsupdate.com`
    `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
    `ussus1westprod.blob.core.windows.net`
    `usseu1northprod.blob.core.windows.net`
    `usseu1westprod.blob.core.windows.net`
    `ussuk1southprod.blob.core.windows.net`
    `ussuk1westprod.blob.core.windows.net`
    `ussas1eastprod.blob.core.windows.net`
    `ussas1southeastprod.blob.core.windows.net`
    `ussau1eastprod.blob.core.windows.net`
    `ussau1southeastprod.blob.core.windows.net` | -| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
    `https://www.microsoft.com/pkiops/certs`
    `https://crl.microsoft.com/pki/crl/products`
    `https://www.microsoft.com/pki/certs` | +| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
    `http://www.microsoft.com/pkiops/certs`
    `http://crl.microsoft.com/pki/crl/products`
    `http://www.microsoft.com/pki/certs` | | Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -82,8 +86,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud. -Download the file by visiting the following link: -- https://aka.ms/ioavtest +Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest). >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. @@ -102,16 +105,16 @@ You will also see a detection under **Quarantined threats** in the **Scan histor 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) -3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware. +3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware. > [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md). - The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md). + The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index 945265b8a3..1660b6284e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Configure Microsoft Defender Antivirus notifications -description: Configure and customize Microsoft Defender Antivirus notifications. +description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints. keywords: notifications, defender, antivirus, endpoint, management, admin search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure the notifications that appear on endpoints +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. @@ -73,7 +77,7 @@ You can use Group Policy to: Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information. > [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 31d62322c4..52641f673b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure exclusions for files opened by specific processes description: You can exclude files from scans if they have been opened by a specific process. keywords: Microsoft Defender Antivirus, process, exclusion, files, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,25 +13,30 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure exclusions for files opened by processes +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -This topic describes how to configure exclusion lists for the following: +This article describes how to configure exclusion lists. - +## Examples of exclusions + +|Exclusion | Example | +|---|---| +|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
    `c:\sample\test.exe`
    `d:\internal\files\test.exe` | +|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
    `c:\test\sample\test.exe`
    `c:\test\sample\test2.exe`
    `c:\test\sample\utility.exe` | +|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` | -Exclusion | Example ----|--- -Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
    • c:\sample\test.exe
    • d:\internal\files\test.exe
    -Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
    • c:\test\sample\test.exe
    • c:\test\sample\test2.exe
    • c:\test\sample\utility.exe
    -Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md). @@ -39,25 +44,23 @@ The exclusions only apply to [always-on real-time protection and monitoring](con Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists. -You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. +You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists. -By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. +By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. ## Configure the list of exclusions for files opened by specified processes - - ### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans +### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to exclude files that have been opened by specified processes from scans @@ -71,14 +74,10 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...**. - 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 5. Click **OK**. -![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) - - - ### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -91,11 +90,11 @@ The format for the cmdlets is: The following are allowed as the \: -Configuration action | PowerShell cmdlet ----|--- -Create or overwrite the list | `Set-MpPreference` -Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +|Configuration action | PowerShell cmdlet | +|---|---| +|Create or overwrite the list | `Set-MpPreference` | +|Add to the list | `Add-MpPreference` | +|Remove items from the list | `Remove-MpPreference` | >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. @@ -106,11 +105,11 @@ For example, the following code snippet would cause Microsoft Defender AV scans Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` -See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender). ### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans -Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties: ```WMI ExclusionProcess @@ -118,33 +117,24 @@ ExclusionProcess The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - +For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal). ### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions. - - ## Use wildcards in the process exclusion list The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: -Wildcard | Use | Example use | Example matches ----|---|---|--- -\* (asterisk) | Replaces any number of characters |
    • C:\MyData\\*
    |
    • Any file opened by C:\MyData\file.exe
    -? (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
    • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
    |
    • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
    - - +|Wildcard | Example use | Example matches | +|:---|:---|:---| +|`*` (asterisk)

    Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` | +|Environment variables

    The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` | ## Review the list of exclusions @@ -163,8 +153,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https:// MpCmdRun.exe -CheckExclusion -path ``` ->[!NOTE] ->Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. +> [!NOTE] +> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. ### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell @@ -175,7 +165,7 @@ Use the following cmdlet: Get-MpPreference ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### Retrieve a specific exclusions list by using PowerShell @@ -186,7 +176,7 @@ $WDAVprefs = Get-MpPreference $WDAVprefs.ExclusionProcess ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md index 20f94ac46b..12fa08755b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable and configure Microsoft Defender Antivirus protection features description: Enable behavior-based, heuristic, and real-time protection in Microsoft Defender AV. keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, Microsoft Defender Antivirus, antimalware, security, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure behavioral, heuristic, and real-time protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus uses several methods to provide threat protection: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md index 6bcef11259..63abc5021b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable and configure Microsoft Defender Antivirus protection capabilities description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.date: 12/16/2019 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index 8b66efba75..95cd08db31 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Remediate and resolve infections detected by Microsoft Defender Antivirus description: Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder keywords: remediation, fix, remove, threats, quarantine, scan, restore search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,16 +11,20 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure remediation for Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. @@ -36,20 +40,20 @@ To configure these settings: 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +4. Select the policy **Setting** as specified in the table below, and set the option to your desired configuration. Select **OK**, and repeat for any other settings. -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled -Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days -Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) -Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed -Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable -Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled| +|Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days | +|Root | Turn off routine remediation | You can specify whether Microsoft Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically) | +|Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed | +|Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Microsoft Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable | +|Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable | > [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index ab7fa39e3c..c04445eb32 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -1,11 +1,11 @@ --- -title: Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019 +title: Configure Microsoft Defender Antivirus exclusions on Windows Server ms.reviewer: manager: dansimp -description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions. +description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions. keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,11 +13,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen +ms.technology: mde +ms.date: 02/10/2021 --- # Configure Microsoft Defender Antivirus exclusions on Windows Server -Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > [!NOTE] > Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. @@ -28,33 +36,29 @@ In addition to server role-defined automatic exclusions, you can add or remove c ## A few points to keep in mind +Keep the following important points in mind: + - Custom exclusions take precedence over automatic exclusions. - - Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan. - - Custom and duplicate exclusions do not conflict with automatic exclusions. - - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions -In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. +In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. > [!WARNING] -> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. +> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles. Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) . You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. -### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019 +### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**. - 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. - 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. - 4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. ### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019 @@ -65,11 +69,12 @@ Use the following cmdlets: Set-MpPreference -DisableAutoExclusions $true ``` -[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). +To learn more, see the following resources: -[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). +- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). +- [Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). -### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019 +### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019 Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties: @@ -88,54 +93,42 @@ The following sections contain the exclusions that are delivered with automatic This section lists the default exclusions for all Windows Server 2016 and 2019 roles. +> [!NOTE] +> The default locations could be different than what's listed in this article. + #### Windows "temp.edb" files - `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` - - `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` #### Windows Update files or Automatic Update files - `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` - - `%windir%\SoftwareDistribution\Datastore\*\edb.chk` - - `%windir%\SoftwareDistribution\Datastore\*\edb\*.log` - - `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` - - `%windir%\SoftwareDistribution\Datastore\*\Res\*.log` #### Windows Security files - `%windir%\Security\database\*.chk` - - `%windir%\Security\database\*.edb` - - `%windir%\Security\database\*.jrs` - - `%windir%\Security\database\*.log` - - `%windir%\Security\database\*.sdb` #### Group Policy files - `%allusersprofile%\NTUser.pol` - - `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` - - `%SystemRoot%\System32\GroupPolicy\User\registry.pol` #### WINS files - `%systemroot%\System32\Wins\*\*.chk` - - `%systemroot%\System32\Wins\*\*.log` - - `%systemroot%\System32\Wins\*\*.mdb` - - `%systemroot%\System32\LogFiles\` - - `%systemroot%\SysWow64\LogFiles\` #### File Replication Service (FRS) exclusions @@ -143,9 +136,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - `%windir%\Ntfrs\jet\sys\*\edb.chk` - - `%windir%\Ntfrs\jet\*\Ntfrs.jdb` - - `%windir%\Ntfrs\jet\log\*\*.log` - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory` @@ -154,7 +145,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - `%systemroot%\Sysvol\*\Nntfrs_cmp*\` + - `%systemroot%\Sysvol\*\Ntfrs_cmp*\` - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` @@ -166,95 +157,44 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions). - `%systemdrive%\System Volume Information\DFSR\$db_normal$` - - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*` - - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*` - - `%systemdrive%\System Volume Information\DFSR\*.XML` - - `%systemdrive%\System Volume Information\DFSR\$db_dirty$` - - `%systemdrive%\System Volume Information\DFSR\$db_clean$` - - `%systemdrive%\System Volume Information\DFSR\$db_lostl$` - - `%systemdrive%\System Volume Information\DFSR\Dfsr.db` - - `%systemdrive%\System Volume Information\DFSR\*.frx` - - `%systemdrive%\System Volume Information\DFSR\*.log` - - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - - `%systemdrive%\System Volume Information\DFSR\Tmp.edb` #### Process exclusions - `%systemroot%\System32\dfsr.exe` - - `%systemroot%\System32\dfsrs.exe` #### Hyper-V exclusions -This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role +The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role. -- File type exclusions: - - - `*.vhd` - - - `*.vhdx` - - - `*.avhd` - - - `*.avhdx` - - - `*.vsv` - - - `*.iso` - - - `*.rct` - - - `*.vmcx` - - - `*.vmrs` - -- Folder exclusions: - - - `%ProgramData%\Microsoft\Windows\Hyper-V` - - - `%ProgramFiles%\Hyper-V` - - - `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` - - - `%Public%\Documents\Hyper-V\Virtual Hard Disks` - -- Process exclusions: - - - `%systemroot%\System32\Vmms.exe` - - - `%systemroot%\System32\Vmwp.exe` +|File type exclusions |Folder exclusions | Process exclusions | +|:--|:--|:--| +| `*.vhd`
    `*.vhdx`
    `*.avhd`
    `*.avhdx`
    `*.vsv`
    `*.iso`
    `*.rct`
    `*.vmcx`
    `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V`
    `%ProgramFiles%\Hyper-V`
    `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
    `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe`
    `%systemroot%\System32\Vmwp.exe` | #### SYSVOL files - `%systemroot%\Sysvol\Domain\*.adm` - - `%systemroot%\Sysvol\Domain\*.admx` - - `%systemroot%\Sysvol\Domain\*.adml` - - `%systemroot%\Sysvol\Domain\Registry.pol` - - `%systemroot%\Sysvol\Domain\*.aas` - - `%systemroot%\Sysvol\Domain\*.inf` - -- `%systemroot%\Sysvol\Domain\*.Scripts.ini` - +- `%systemroot%\Sysvol\Domain\*Scripts.ini` - `%systemroot%\Sysvol\Domain\*.ins` - - `%systemroot%\Sysvol\Domain\Oscfilter.ini` + ### Active Directory exclusions This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services. @@ -264,7 +204,6 @@ This section lists the exclusions that are delivered automatically when you inst The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` - `%windir%\Ntds\ntds.dit` - - `%windir%\Ntds\ntds.pat` #### The AD DS transaction log files @@ -272,13 +211,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` - `%windir%\Ntds\EDB*.log` - - `%windir%\Ntds\Res*.log` - - `%windir%\Ntds\Edb*.jrs` - - `%windir%\Ntds\Ntds*.pat` - - `%windir%\Ntds\TEMP.edb` #### The NTDS working folder @@ -286,13 +221,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` - `%windir%\Ntds\Temp.edb` - - `%windir%\Ntds\Edb.chk` #### Process exclusions for AD DS and AD DS-related support files - `%systemroot%\System32\ntfrs.exe` - - `%systemroot%\System32\lsass.exe` ### DHCP Server exclusions @@ -300,13 +233,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` - `%systemroot%\System32\DHCP\*\*.mdb` - - `%systemroot%\System32\DHCP\*\*.pat` - - `%systemroot%\System32\DHCP\*\*.log` - - `%systemroot%\System32\DHCP\*\*.chk` - - `%systemroot%\System32\DHCP\*\*.edb` ### DNS Server exclusions @@ -316,11 +245,8 @@ This section lists the file and folder exclusions and the process exclusions tha #### File and folder exclusions for the DNS Server role - `%systemroot%\System32\Dns\*\*.log` - - `%systemroot%\System32\Dns\*\*.dns` - - `%systemroot%\System32\Dns\*\*.scc` - - `%systemroot%\System32\Dns\*\BOOT` #### Process exclusions for the DNS Server role @@ -332,9 +258,7 @@ This section lists the file and folder exclusions and the process exclusions tha This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. - `%SystemDrive%\ClusterStorage` - - `%clusterserviceaccount%\Local Settings\Temp` - - `%SystemDrive%\mscs` ### Print Server exclusions @@ -344,7 +268,6 @@ This section lists the file type exclusions, folder exclusions, and the process #### File type exclusions - `*.shd` - - `*.spl` #### Folder exclusions @@ -364,36 +287,49 @@ This section lists the folder exclusions and the process exclusions that are del #### Folder exclusions - `%SystemRoot%\IIS Temporary Compressed Files` - - `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files` - - `%SystemDrive%\inetpub\temp\ASP Compiled Templates` - - `%systemDrive%\inetpub\logs` - - `%systemDrive%\inetpub\wwwroot` #### Process exclusions - `%SystemRoot%\system32\inetsrv\w3wp.exe` - - `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` - - `%SystemDrive%\PHP5433\php-cgi.exe` +#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder + +The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default: + +- `%systemroot%\Sysvol\Domain` +- `%systemroot%\Sysvol_DFSR\Domain` + +The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters` + +Exclude the following files from this folder and all its subfolders: + +- `*.adm` +- `*.admx` +- `*.adml` +- `Registry.pol` +- `Registry.tmp` +- `*.aas` +- `*.inf` +- `Scripts.ini` +- `*.ins` +- `Oscfilter.ini` + ### Windows Server Update Services exclusions This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` - `%systemroot%\WSUS\WSUSContent` - - `%systemroot%\WSUS\UpdateServicesDBFiles` - - `%systemroot%\SoftwareDistribution\Datastore` - - `%systemroot%\SoftwareDistribution\Download` -## Related articles +## See also - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md index 440b53b85c..10b6622a43 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 440b53b85c..a2a610032c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,23 +14,27 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- -# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. ## In this section -Topic | Description ----|--- -[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning -[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app -[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app +| Article | Description | +|:---|:---| +|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning | +|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning | +|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder | +|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans | +|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app | +|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index 0036dd3c81..01a88d64d7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI keywords: deploy, manage, update, protection, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,19 +14,23 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Deploy, manage, and report on Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways. Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. -However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table. You'll also see additional links for: @@ -39,13 +43,13 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index 56d1a243c9..c27135a1f6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Deploy and enable Microsoft Defender Antivirus +title: Deploy and enable Microsoft Defender Antivirus description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. keywords: deploy, enable, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,26 +11,30 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Deploy and enable Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). -Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. +Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). +The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). -## Related topics +## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index c2f2824510..ef143bfe39 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -3,29 +3,33 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/31/2020 -ms.reviewer: +ms.date: 12/28/2020 +ms.reviewer: jesquive manager: dansimp +ms.technology: mde --- # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection). With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. @@ -44,69 +48,11 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De > [!IMPORTANT] > Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.
    There are performance and feature improvements to the way in which Microsoft Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607. -### Set up a dedicated VDI file share +## Set up a dedicated VDI file share -In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell. +In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell. -> [!TIP] -> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)! - -Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in. - -#### To create a group with only the devices or users you specify - -1. Go to **Groups** > **New group**. - -2. Specify the following values: - - Group type: **Security** - - Group name: **VDI test VMs** - - Group description: *Optional* - - Membership type: **Assigned** - -3. Add the devices or users you want to be a part of this test and then click **Create** to save the group. - -It’s a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes. - -#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created - -1. Go to **Groups** > **New group**. - -2. Specify the following values: - - Group type: **Security** - - Group name: **VDI test VMs** - - Group description: *Optional* - - Membership type: **Dynamic Device** - -3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. - -4. Click **Add query** and then **Create** to save the group. - -5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. - -#### Create a new device configuration profile - -In this example, we create a new device configuration profile by clicking **Create profile**. - -1. Name it, choose **Windows 10 and later** as the Platform and – most importantly – select **Custom** as the profile type. - -2. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values: - - Name: **VDI shared sig location** - - Description: *Optional* - - OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot** - - Data type: **String** - - `\\\wdav-update\` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be) - -3. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. - -4. Click **Create** to save the new profile. The profile details page now appears. - -5. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**. - -6. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesn’t make sense, go back to the groups blade and confirm the group contains the right users or devices. - -The profile will now be deployed to the impacted devices. This may take some time. - -#### Use Group Policy to enable the shared security intelligence feature: +### Use Group Policy to enable the shared security intelligence feature: 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**. @@ -118,148 +64,175 @@ The profile will now be deployed to the impacted devices. This may take some tim 5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears. -6. Enter `\\\wdav-update` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). +6. Enter `\\\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)). 7. Click **OK**. 8. Deploy the GPO to the VMs you want to test. -#### Use PowerShell to enable the shared security intelligence feature +### Use PowerShell to enable the shared security intelligence feature Use the following cmdlet to enable the feature. You’ll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs: - + ```PowerShell Set-MpPreference -SharedSignaturesPath \\\wdav-update ``` See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \ will be. -### Download and unpackage the latest updates +## Download and unpackage the latest updates -Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). +Now you can get started on downloading and installing new updates. We’ve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if you’re familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts). ```PowerShell -$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-' +$vdmpathbase = "$env:systemdrive\wdav-update\{00000000-0000-0000-0000-" $vdmpathtime = Get-Date -format "yMMddHHmmss" $vdmpath = $vdmpathbase + $vdmpathtime + '}' $vdmpackage = $vdmpath + '\mpam-fe.exe' -$args = @("/x") New-Item -ItemType Directory -Force -Path $vdmpath | Out-Null Invoke-WebRequest -Uri 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' -OutFile $vdmpackage -cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" +cmd /c "cd $vdmpath & c: & mpam-fe.exe /x" ``` You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. -We suggest starting with once a day – but you should experiment with increasing or decreasing the frequency to understand the impact. +We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact. Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isn’t advised because it will increase the network overhead on your management machine for no benefit. -#### Set a scheduled task to run the powershell script +### Set a scheduled task to run the PowerShell script 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. -2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**. +2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**. -3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**. +3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**. -4. You can choose to configure additional settings if you wish. +4. You can choose to configure additional settings if you wish. -5. Click **OK** to save the scheduled task. +5. Select **OK** to save the scheduled task. - You can initiate the update manually by right-clicking on the task and clicking **Run**. -#### Download and unpackage manually +### Download and unpackage manually -If you would prefer to do everything manually, this what you would need to do to replicate the script’s behavior: +If you would prefer to do everything manually, here's what to do to replicate the script’s behavior: 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`. -2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`. +2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}` - Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. +Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}` + + > [!NOTE] + > In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time. 3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`. 4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`. - Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. + > [!NOTE] + > The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. -### Randomize scheduled scans +## Randomize scheduled scans Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md). -The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan. +The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan. See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans. -### Use quick scans +## Use quick scans -You can specify the type of scan that should be performed during a scheduled scan. -Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. +You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. +2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**. -### Prevent notifications +4. Select **OK**. -Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface. +5. Deploy your Group Policy object as you usually do. -1. Expand the tree to **Windows components > Windows Defender > Client Interface**. +## Prevent notifications -2. Double-click **Suppress all notifications** and set the option to **Enabled**. +Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy. -3. Click **OK**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +2. Select **Suppress all notifications** and then edit the policy settings. -### Disable scans after an update +3. Set the policy to **Enabled**, and then select **OK**. -This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). +4. Deploy your Group Policy object as you usually do. + +Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> To open the Action Center on Windows 10, take one of the following steps: +> - On the right end of the taskbar, select the Action Center icon. +> - Press the Windows logo key button + A. +> - On a touchscreen device, swipe in from the right edge of the screen. + +## Disable scans after an update + +Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). > [!IMPORTANT] > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. -1. Expand the tree to **Windows components > Windows Defender > Signature Updates**. +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. -2. Double-click **Turn on scan after signature update** and set the option to **Disabled**. +2. Select **Turn on scan after security intelligence update** and then edit the policy setting. -3. Click **OK**. +3. Set the policy to **Disabled**. -This prevents a scan from running immediately after an update. +4. Select **OK**. -### Scan VMs that have been offline +5. Deploy your Group Policy object as you usually do. -1. Expand the tree to **Windows components > Windows Defender > Scan**. +This policy prevents a scan from running immediately after an update. -2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. +## Scan VMs that have been offline -3. Click **OK**. +1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**. -This forces a scan if the VM has missed two or more consecutive scheduled scans. +2. Select **Turn on catch-up quick scan** and then edit the policy setting. +3. Set the policy to **Enabled**. -### Enable headless UI mode +4. Select **OK**. -1. Double-click **Enable headless UI mode** and set the option to **Enabled**. +5. Deploy your Group Policy Object as you usually do. -2. Click **OK**. +This policy forces a scan if the VM has missed two or more consecutive scheduled scans. -This hides the entire Microsoft Defender AV user interface from users. +## Enable headless UI mode -### Exclusions +1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**. -On Windows Server 2016, Microsoft Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus). +2. Select **Enable headless UI mode** and edit the policy. +3. Set the policy to **Enabled**. + +4. Click **OK**. + +5. Deploy your Group Policy Object as you usually do. + +This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization. + +## Exclusions + +Exclusions can be added, removed, or customized to suit your needs. + +For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md). ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index f996b8c772..f56820cf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: detect ms.sitesec: library ms.localizationpriority: medium @@ -11,153 +11,176 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: +ms.date: 02/03/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Detect and block potentially unwanted applications +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) > [!NOTE] -> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. +> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. -Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. +Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. -For example: +Here are some examples: -* **Advertising software**: Software that displays advertisements or promotions, including software that inserts advertisements to webpages. -* **Bundling software**: Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. -* **Evasion software**: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. +- **Advertising software** that displays advertisements or promotions, including software that inserts advertisements to webpages. +- **Bundling software** that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +- **Evasion software** that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. -For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). +> [!TIP] +> For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. -## How it works +PUA protection is supported on Windows 10, Windows Server 2019, and Windows Server 2016. -### Microsoft Edge +## Microsoft Edge -The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). +The [new Microsoft Edge](https://support.microsoft.com/microsoft-edge/get-to-know-microsoft-edge-3f4bb0ff-58de-2188-55c0-f560b7e20bea), which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). -#### Enable PUA protection in Chromium-based Microsoft Edge +### Enable PUA protection in Chromium-based Microsoft Edge Although potentially unwanted application protection in Microsoft Edge (Chromium-based, version 80.0.361.50) is turned off by default, it can easily be turned on from within the browser. 1. Select the ellipses, and then choose **Settings**. -2. Select **Privacy and services**. -3. Under the **Services** section, turn on **Block potentially unwanted apps**. +2. Select **Privacy, search, and services**. +3. Under the **Security** section, turn on **Block potentially unwanted apps**. > [!TIP] -> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen [demo pages](https://demo.smartscreen.msft.net/). +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our [Microsoft Defender SmartScreen demo pages](https://demo.smartscreen.msft.net/). -#### Blocking URLs with Windows Defender SmartScreen +### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Windows Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. -Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Windows Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several group policy [settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Windows +Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can -[configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. +[configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. -### Microsoft Defender Antivirus +## Microsoft Defender Antivirus The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUAs on endpoints in your network. > [!NOTE] -> This feature is only available in Windows 10. +> This feature is available in Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. -When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. +When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md)) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content. The notification appears in the usual [quarantine list within the Windows Security app](microsoft-defender-security-center-antivirus.md#detection-history). -#### Configure PUA protection in Microsoft Defender Antivirus +### Configure PUA protection in Microsoft Defender Antivirus -You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, or via PowerShell cmdlets. +You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. +> Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. -PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -##### Use Intune to configure PUA protection +#### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -##### Use Configuration Manager to configure PUA protection +#### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). +PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch). -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch). For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] > PUA events blocked by Microsoft Defender Antivirus are reported in the Windows Event Viewer and not in Microsoft Endpoint Configuration Manager. -##### Use Group Policy to configure PUA protection +#### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. +1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) +2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). +3. Select the Group Policy Object you want to configure, and then choose **Edit**. +4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. +6. Double-click **Configure detection for potentially unwanted applications**. +7. Select **Enabled** to enable PUA protection. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. +9. Deploy your Group Policy object as you usually do. -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +#### Use PowerShell cmdlets to configure PUA protection -3. Expand the tree to **Windows components > Microsoft Defender Antivirus**. - -4. Double-click **Configure protection for potentially unwanted applications**. - -5. Select **Enabled** to enable PUA protection. - -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. - -##### Use PowerShell cmdlets to configure PUA protection - -###### To enable PUA protection +##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -###### To set PUA protection to audit mode +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. + +##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. -###### To disable PUA protection +Setting `AuditMode` detects PUAs without blocking them. + +##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. + +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. -#### View PUA events +### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: + +```console +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` You can turn on email notifications to receive mail about PUA detections. See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**. -#### Allow-listing apps +### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Microsoft Defender Antivirus. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. -## Related articles +For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). + +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index dbd8db2df4..483ca94393 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -1,80 +1,89 @@ --- -title: Enable cloud-delivered protection in Microsoft Defender Antivirus -description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +title: Turn on cloud-delivered protection in Microsoft Defender Antivirus +description: Turn on cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb +ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- -# Enable cloud-delivered protection +# Turn on cloud-delivered protection + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. +You can turn Microsoft Defender Antivirus cloud-delivered protection on or off in several ways: + +- Microsoft Intune +- Microsoft Endpoint Configuration Manager +- Group Policy +- PowerShell cmdlets. + + You can also turn it on or off in individual clients with the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for an overview of Microsoft Defender Antivirus cloud-delivered protection. -There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md) for more details. +For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md). > [!NOTE] -> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. +> In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839). -## Use Intune to enable cloud-delivered protection +## Use Intune to turn on cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. On the **Home** pane, select **Device configuration > Profiles**. +3. Select the **Device restrictions** profile type you want to configure. If you need to create a new **Device restrictions** profile type, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties** > **Configuration settings: Edit** > **Microsoft Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. -6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. -7. In the **Submit samples consent** dropdown, select one of the following: - - - **Send safe samples automatically** - - **Send all samples automatically** - - >[!NOTE] - > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. - - > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. - -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. In the **Prompt users before sample submission** dropdown, select **Send all data automatically**. For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -## Use Configuration Manager to enable cloud-delivered protection +## Use Microsoft Endpoint Manager to turn on cloud-delivered protection -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: + 1. **High**: Applies a strong level of detection. + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). + 3. **Zero tolerance**: Blocks all unknown executables. +6. Select **Review + save**, then choose **Save**. -## Use Group Policy to enable cloud-delivered protection +For more information about configuring Microsoft Endpoint Configuration Manager, see [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service). -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +## Use Group Policy to turn on cloud-delivered protection -2. In the **Group Policy Management Editor** go to **Computer configuration**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. + +2. In the **Group Policy Management Editor**, go to **Computer configuration**. 3. Select **Administrative templates**. 4. Expand the tree to **Windows components > Microsoft Defender Antivirus > MAPS** -5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. +5. Double-click **Join Microsoft MAPS**. Ensure the option is turned on and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**. -6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following: +6. Double-click **Send file samples when further analysis is required**. Ensure that the first option is set to **Enabled** and that the other options are set to either: 1. **Send safe samples** (1) 2. **Send all samples** (3) @@ -83,28 +92,28 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -7. Click **OK**. +7. Select **OK**. -## Use PowerShell cmdlets to enable cloud-delivered protection +## Use PowerShell cmdlets to turn on cloud-delivered protection -Use the following cmdlets to enable cloud-delivered protection: +The following cmdlets can turn on cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced Set-MpPreference -SubmitSamplesConsent SendAllSamples ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Microsoft Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx). [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent). >[!NOTE] > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. >[!WARNING] -> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. -## Use Windows Management Instruction (WMI) to enable cloud-delivered protection +## Use Windows Management Instruction (WMI) to turn on cloud-delivered protection Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: @@ -113,33 +122,31 @@ MAPSReporting SubmitSamplesConsent ``` -See the following for more information and allowed parameters: +For more information about allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - -## Enable cloud-delivered protection on individual clients with the Windows Security app +## Turn on cloud-delivered protection on individual clients with the Windows Security app > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Defender**. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. ->[!NOTE] ->If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. +> [!NOTE] +> If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. -## Related topics +## Related articles - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) - [Use PowerShell cmdlets to manage Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) -- [Utilize Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) +- [Use Microsoft cloud-delivered protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) - [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index f6fcbbbeda..e56c78b8f3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Evaluate Microsoft Defender Antivirus description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,18 +13,22 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png new file mode 100644 index 0000000000..7f5019db43 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO-diagpath.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png new file mode 100644 index 0000000000..f93b4ad4dc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO1-SupportLogLocationDefender.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png new file mode 100644 index 0000000000..bf839465f9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO2-SupportLogLocationGPPage.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png new file mode 100644 index 0000000000..6d5d59ee31 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/GPO3-SupportLogLocationGPPageEnabledExample.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png new file mode 100644 index 0000000000..d9751a4953 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png new file mode 100644 index 0000000000..5a8def8136 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mem-antivirus-scan-on-demand.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png new file mode 100644 index 0000000000..0b0516183a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/turnontamperprotect-MEM.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png new file mode 100644 index 0000000000..e4b306fd92 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 75c974ae9b..0e6a552e4c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,15 +13,19 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use limited periodic scanning in Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index 8b91ba2fde..8dc17adfac 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Apply Microsoft Defender Antivirus updates after certain events description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,16 +11,20 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.date: 09/17/2018 +ms.reviewer: pahuijbr manager: dansimp +ms.technology: mde --- # Manage event-based forced updates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. @@ -30,7 +34,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c ### Use Configuration Manager to check for protection updates before running a scan -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. @@ -82,7 +86,7 @@ You can use Group Policy to force Microsoft Defender Antivirus to check and down 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. @@ -140,16 +144,16 @@ If you have enabled cloud-delivered protection, Microsoft Defender AV will send 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. 6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. > [!NOTE] -> "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. +> **Allow notifications to disable definitions based reports** enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. -## Related articles +## See also - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) - [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index 690a9eee6a..668830b824 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Apply Microsoft Defender AV protection updates to out of date endpoints description: Define when and how updates should be applied for endpoints that have not updated in a while. keywords: updates, protection, out-of-date, outdated, old, catch-up search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. @@ -34,7 +38,7 @@ If Microsoft Defender Antivirus did not download protection updates for a specif ### Use Configuration Manager to configure catch-up protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -163,7 +167,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index b626c962ef..494811e6e8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Schedule Microsoft Defender Antivirus protection updates -description: Schedule the day, time, and interval for when protection updates should be downloaded +description: Schedule the day, time, and interval for when protection updates should be downloaded keywords: updates, security baselines, schedule updates search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security search.appverid: met150 ms.mktglfcycl: manage ms.sitesec: library @@ -12,16 +12,19 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp +ms.technology: mde --- # Manage the schedule for when protection updates should be downloaded and applied +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus lets you determine when it should look for and download updates. @@ -35,7 +38,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. @@ -58,10 +61,10 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings: - 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. @@ -100,8 +103,3 @@ See the following for more information and allowed parameters: - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - - - - - diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 38a6d28737..acd96cc68b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,25 +1,29 @@ --- -title: Manage how and where Microsoft Defender AV receives updates +title: Manage how and where Microsoft Defender Antivirus receives updates description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Manage the sources for Microsoft Defender Antivirus protection updates +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22146631) @@ -68,7 +72,7 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| +|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.| |Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively.
    Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. @@ -108,7 +112,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch). ## Use PowerShell cmdlets to manage the update location @@ -167,7 +171,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence MD C:\Temp\TempSigs\x86 ``` -3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). +3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). 4. Click **Manual Download**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 6f73b79b2b..e95120c0b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines description: Manage how Microsoft Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,52 +11,204 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp +ms.date: 02/12/2021 +ms.technology: mde --- # Manage Microsoft Defender Antivirus updates and apply baselines +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) There are two types of updates related to keeping Microsoft Defender Antivirus up to date: - - Security intelligence updates - - Product updates +- Security intelligence updates +- Product updates > [!IMPORTANT] > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. -> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> +> To see the most current engine, platform, and signature date, visit the [Microsoft security encyclopedia](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info). ## Security intelligence updates -Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. +Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. -The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. +> [!NOTE] +> Updates are released under the below KB numbers: +> Microsoft Defender Antivirus: KB2267602 +> System Center Endpoint Protection: KB2461484 -Engine updates are included with the security intelligence updates and are released on a monthly cadence. +Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). + +For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes). + +Engine updates are included with security intelligence updates and are released on a monthly cadence. ## Product updates -Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Microsoft Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as *platform updates*), and will receive major feature updates alongside Windows 10 releases. + +You can manage the distribution of updates through one of the following methods: + +- [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) +- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction) +- The usual method you use to deploy Microsoft and Windows updates to endpoints in your network. -You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] -> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server. +> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). ## Monthly platform and engine versions -For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). +For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). -All our updates contain: -* performance improvements -* serviceability improvements -* integration improvements (Cloud, MTP) +All our updates contain +- performance improvements; +- serviceability improvements; and +- integration improvements (Cloud, Microsoft 365 Defender). +

    + +
    + January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5) + + Security intelligence update version: **1.327.1854.0** + Released: **February 2, 2021** + Platform: **4.18.2101.9** + Engine: **1.1.17800.5** + Support phase: **Security and Critical Updates** + +### What's new + +- Additional failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled +- Shellcode exploit detection improvements +- Increased visibility for credential stealing attempts +- Improvements in antitampering features in Microsoft Defender Antivirus services +- Improved support for ARM x64 emulation +- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection + +### Known Issues +No known issues
    +
    + November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4) + + Security intelligence update version: **1.327.1854.0** + Released: **December 03, 2020** + Platform: **4.18.2011.6** + Engine: **1.1.17700.4** + Support phase: **Security and Critical Updates** + +### What's new + +- Improved [SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) status support logging + +### Known Issues +No known issues +
    +
    + October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5) + + Security intelligence update version: **1.327.7.0** + Released: **October 29, 2020** + Platform: **4.18.2010.7** + Engine: **1.1.17600.5** + Support phase: **Security and Critical Updates** + +### What's new + +- New descriptions for special threat categories +- Improved emulation capabilities +- Improved host address allow/block capabilities +- New option in Defender CSP to Ignore merging of local user exclusions + +### Known Issues + +No known issues +
    +
    + +### Previous version updates: Technical upgrade support only + +After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only. +

    +
    + September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4) + + Security intelligence update version: **1.325.10.0** + Released: **October 01, 2020** + Platform: **4.18.2009.7** + Engine: **1.1.17500.4** + Support phase: **Technical upgrade support (only)** + +### What's new + +- Admin permissions are required to restore files in quarantine +- XML formatted events are now supported +- CSP support for ignoring exclusion merges +- New management interfaces for: + - UDP Inspection + - Network Protection on Server 2019 + - IP Address exclusions for Network Protection +- Improved visibility into TPM measurements +- Improved Office VBA module scanning + +### Known Issues + +No known issues +
    +
    +
    + August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5) + + Security intelligence update version: **1.323.9.0** + Released: **August 27, 2020** + Platform: **4.18.2008.9** + Engine: **1.1.17400.5** + Support phase: **Technical upgrade support (only)** + +### What's new + +- Add more telemetry events +- Improved scan event telemetry +- Improved behavior monitoring for memory scans +- Improved macro streams scanning +- Added `AMRunningMode` to Get-MpComputerStatus PowerShell cmdlet +- [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) is ignored. Microsoft Defender Antivirus automatically turns itself off when it detects another antivirus program. + + +### Known Issues +No known issues +
    +
    + +
    + July-2020 (Platform: 4.18.2007.8 | Engine: 1.1.17300.4) + + Security intelligence update version: **1.321.30.0** + Released: **July 28, 2020** + Platform: **4.18.2007.8** + Engine: **1.1.17300.4** + Support phase: **Technical upgrade support (only)** + +### What's new + +- Improved telemetry for BITS +- Improved Authenticode code signing certificate validation + +### Known Issues +No known issues +
    +
    +
    June-2020 (Platform: 4.18.2006.10 | Engine: 1.1.17200.2) @@ -64,15 +216,16 @@ All our updates contain:  Released: **June 22, 2020**  Platform: **4.18.2006.10**  Engine: **1.1.17200.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -* Skipping aggressive catchup scan in Passive mode. -* Allow Defender to update on metered connections -* Fixed performance tuning when caching is disabled -* Fixed registry query -* Fixed scantime randomization in ADMX + +- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +- Skipping aggressive catchup scan in Passive mode. +- Allow Defender to update on metered connections +- Fixed performance tuning when caching is disabled +- Fixed registry query +- Fixed scantime randomization in ADMX ### Known Issues No known issues @@ -86,15 +239,16 @@ No known issues  Released: **May 26, 2020**  Platform: **4.18.2005.4**  Engine: **1.1.17100.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* Improved logging for scan events -* Improved user mode crash handling. -* Added event tracing for Tamper protection -* Fixed AMSI Sample submission -* Fixed AMSI Cloud blocking -* Fixed Security update install log + +- Improved logging for scan events +- Improved user mode crash handling. +- Added event tracing for Tamper protection +- Fixed AMSI Sample submission +- Fixed AMSI Cloud blocking +- Fixed Security update install log ### Known Issues No known issues @@ -108,16 +262,16 @@ No known issues  Released: **April 30, 2020**  Platform: **4.18.2004.6**  Engine: **1.1.17000.2** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* WDfilter improvements -* Add more actionable event data to ASR detection events -* Fixed version information in diagnostic data and WMI -* Fixed incorrect platform version in UI after platform update -* Dynamic URL intel for Fileless threat protection -* UEFI scan capability -* Extend logging for updates +- WDfilter improvements +- Add more actionable event data to attack surface reduction detection events +- Fixed version information in diagnostic data and WMI +- Fixed incorrect platform version in UI after platform update +- Dynamic URL intel for Fileless threat protection +- UEFI scan capability +- Extend logging for updates ### Known Issues No known issues @@ -131,15 +285,15 @@ No known issues  Released: **March 24, 2020**  Platform: **4.18.2003.8**  Engine: **1.1.16900.4** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) -* Improve diagnostic capability -* reduce Security intelligence timeout (5min) -* Extend AMSI engine internal log capability -* Improve notification for process blocking +- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) +- Improve diagnostic capability +- reduce Security intelligence timeout (5 min) +- Extend AMSI engine internal log capability +- Improve notification for process blocking ### Known Issues [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. @@ -152,11 +306,11 @@ No known issues February-2020 (Platform: - | Engine: 1.1.16800.2) - Security intelligence update version: **1.311.4.0** - Released: **February 25, 2020** - Platform/Client: **-** - Engine: **1.1.16800.2** - Support phase: **N/A** + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **Technical upgrade support (only)** ### What's new @@ -174,54 +328,58 @@ Security intelligence update version: **1.309.32.0** Released: **January 30, 2020** Platform/Client: **4.18.2001.10** Engine: **1.1.16700.2** -Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Fixed BSOD on WS2016 with Exchange -* Support platform updates when TMP is redirected to network path -* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.10 hang +- Fixed BSOD on WS2016 with Exchange +- Support platform updates when TMP is redirected to network path +- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) +- Fix 4.18.1911.3 hang ### Known Issues + [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
    > [!IMPORTANT] -> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
    This update has reboot flag for systems that are experiencing the hang issue.
    the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. +> This update is: +> - needed by RS1 devices running lower version of the platform to support SHA2; +> - has a reboot flag for systems that have hanging issues; +> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability; +> - is categorized as an update due to the reboot requirement; and +> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
    - November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7) + November-2019 (Platform: 4.18.1911.3 | Engine: 1.1.16600.7) Security intelligence update version: **1.307.13.0** Released: **December 7, 2019** -Platform: **4.18.1911.2** +Platform: **4.18.1911.3** Engine: **1.1.17000.7** Support phase: **No support** ### What's new -* Fixed MpCmdRun tracing level -* Fixed WDFilter version info -* Improve notifications (PUA) -* add MRT logs to support files +- Fixed MpCmdRun tracing level +- Fixed WDFilter version info +- Improve notifications (PUA) +- add MRT logs to support files ### Known Issues -No known issues +When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
    + ## Microsoft Defender Antivirus platform support -As stated above, platform and engine updates are provided on a monthly cadence. -Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version: +Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: - -* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. +- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. - -* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* +- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* \* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. @@ -231,24 +389,117 @@ During the technical support (only) phase, commercially reasonable support incid The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: |Windows 10 release |Platform version |Engine version |Support phase | -|-|-|-|-| -|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | -|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | -|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | -|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) | -|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) | -|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | -|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | +|:---|:---|:---|:---| +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) | +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) | +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) | +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) | +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) | +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) | +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) | +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +## Updates for Deployment Image Servicing and Management (DISM) -## In this section +We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. -Article | Description ----|--- -[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. -[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. -[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on. -[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. -[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. +For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). + +
    +1.1.2102.03 + + Package version: **1.1.2102.03** + Platform version: **4.18.2011.6** + Engine version: **1.17800.5** + Signature version: **1.331.174.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2101.02 + + Package version: **1.1.2101.02** + Platform version: **4.18.2011.6** + Engine version: **1.17700.4** + Signature version: **1.329.1796.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2012.01 + + Package version: **1.1.2012.01** + Platform version: **4.18.2010.7** + Engine version: **1.17600.5** + Signature version: **1.327.1991.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2011.02 + + Package version: **1.1.2011.02** + Platform version: **4.18.2010.7** + Engine version: **1.17600.5** + Signature version: **1.327.658.0** + +### Fixes +- None + +### Additional information +- Refreshed Microsoft Defender Antivirus signatures +
    +
    +1.1.2011.01 + + Package version: **1.1.2011.01** + Platform version: **4.18.2009.7** + Engine version: **1.17600.5** + Signature version: **1.327.344.0** + +### Fixes +- None + +### Additional information +- None +
    +
    +1.1.2009.10 + + Package version: **1.1.2011.01** + Platform version: **4.18.2008.9** + Engine version: **1.17400.5** + Signature version: **1.327.2216.0** + +### Fixes +- None + +### Additional information +- Added support for Windows 10 RS1 or later OS install images. +
    +
    + +## Additional resources + +| Article | Description | +|:---|:---| +|[Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images) | Review antimalware update packages for your OS installation images (WIM and VHD files). Get Microsoft Defender Antivirus updates for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 installation images. | +|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through many sources. | +|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. | +|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. | +|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. | +|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 86217f98d9..8f192cc64b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Define how mobile devices are updated by Microsoft Defender AV -description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender AV protection updates. +title: Define how mobile devices are updated by Microsoft Defender Antivirus +description: Manage how mobile devices, such as laptops, should be updated with Microsoft Defender Antivirus protection updates. keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,64 +11,70 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage updates for mobile devices and virtual machines (VMs) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. +Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates. -There are two settings that are particularly useful for these devices: +There are two settings that are useful for these devices: -- Opt-in to Microsoft Update on mobile computers without a WSUS connection +- Opt in to Microsoft Update on mobile computers without a WSUS connection - Prevent Security intelligence updates when running on battery power -The following topics may also be useful in these situations: +The following articles may also be useful in these situations: - [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) - [Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-microsoft-defender-antivirus.md) -## Opt-in to Microsoft Update on mobile computers without a WSUS connection +## Opt in to Microsoft Update on mobile computers without a WSUS connection You can use Microsoft Update to keep Security intelligence on mobile devices running Microsoft Defender Antivirus up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. -You can opt-in to Microsoft Update on the mobile device in one of the following ways: +You can opt in to Microsoft Update on the mobile device in one of the following ways: -1. Change the setting with Group Policy -2. Use a VBScript to create a script, then run it on each computer in your network. -3. Manually opt-in every computer on your network through the **Settings** menu. +- Change the setting with Group Policy. +- Use a VBScript to create a script, then run it on each computer in your network. +- Manually opt in every computer on your network through the **Settings** menu. -### Use Group Policy to opt-in to Microsoft Update +### Use Group Policy to opt in to Microsoft Update -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**. -6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. +5. Set **Allow security intelligence updates from Microsoft Update** to **Enabled**, and then select **OK**. -### Use a VBScript to opt-in to Microsoft Update +### Use a VBScript to opt in to Microsoft Update -1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -2. Run the VBScript you created on each computer in your network. +1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -### Manually opt-in to Microsoft Update +2. Run the VBScript you created on each computer in your network. -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. -2. Click **Advanced** options. -3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. +### Manually opt in to Microsoft Update + +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt in. + +2. Select **Advanced** options. + +3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. ## Prevent Security intelligence updates when running on battery power @@ -76,17 +82,15 @@ You can configure Microsoft Defender Antivirus to only download protection updat ### Use Group Policy to prevent security intelligence updates on battery power -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), choose the Group Policy Object you want to configure, and open it for editing. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Policies** then **Administrative templates**. +3. Select **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following setting: - - 1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**. - 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. +4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Updates**, and then set **Allow security intelligence updates when running on battery power** to **Disabled**. Then select **OK**. +This action prevents protection updates from downloading when the PC is on battery power. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 8f16436956..20a13881ec 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -1,61 +1,74 @@ --- title: Microsoft Defender Antivirus compatibility with other security products -description: Microsoft Defender Antivirus operates in different ways depending on what other security products you have installed, and the operating system you are using. -keywords: windows defender, atp, advanced threat protection, compatibility, passive mode +description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using. +keywords: windows defender, next-generation, antivirus, compatibility, passive mode search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: tewchen, pahuijbr, shwjha manager: dansimp +ms.date: 02/09/2021 +ms.technology: mde --- # Microsoft Defender Antivirus compatibility +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. -- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. -- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. +Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. +- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) +- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact. -## Antivirus and Microsoft Defender ATP +## Antivirus and Microsoft Defender for Endpoint -The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. +The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. -| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state | +| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | |------|------|-------|-------| -| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | -| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | -| Windows 10 | Microsoft Defender Antivirus | No | Active mode | -| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | -| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | -| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | -| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode | +| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows 10 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Must be set to passive mode (manually) [[1](#fn1)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] | +| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | +| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) [[2](#fn2)] | +| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) [[2](#fn2)] | -(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. +(1) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. -If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: +If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` -- Name: ForceDefenderPassiveMode -- Type: REG_DWORD -- Value: 1 +- Name: `ForceDefenderPassiveMode` +- Type: `REG_DWORD` +- Value: `1` -See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. +> [!NOTE] +> The `ForceDefenderPassiveMode` registry key is not supported on Windows Server 2016. + +(2) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server-2016.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server. + +See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. > [!IMPORTANT] -> Microsoft Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. +> Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019. > > In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager. > @@ -63,38 +76,53 @@ See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-def ## Functionality and features available in each state -The following table summarizes the functionality and features that are available in each state: +The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled. -|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | -|--|--|--|--|--|--| -|Active mode

    |Yes |No |Yes |Yes |Yes | -|Passive mode |No |No |Yes |No |Yes | -|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | -|Automatic disabled mode |No |Yes |No |No |No | +> [!IMPORTANT] +> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. -- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. -- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. +|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled | +|:---|:---|:---|:---|:---| +| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | +| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | +| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No | +| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No | +| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | + +(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. + +(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. + +> [!NOTE] +> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode. ## Keep the following points in mind -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. +- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. -If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. + +- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. + +- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. + +- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. + + If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically. > [!WARNING] -> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). +> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). -## Related topics +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) +- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) -- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client) +- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) +- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index 3952f63c4c..63a22fd4f7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -1,45 +1,48 @@ --- title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 -description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016 +description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection. keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: high author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 +ms.date: 12/16/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- -# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019 +# Next-generation protection in Windows + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Microsoft Defender Antivirus: Your next-generation protection -Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: +Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities: -- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. -- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. -- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date. +- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware. +- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats. +- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date. ## Try a demo! -Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: +Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: - Cloud-delivered protection - Block at first sight (BAFS) protection - Potentially unwanted applications (PUA) protection ## Minimum system requirements -Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see: +Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources: - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) @@ -51,8 +54,8 @@ For information on how to configure next-generation protection services, see [Co > [!Note] > Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md). -## Related articles +## See also +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) - [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md) - - [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index a5087f74b0..0f1c9bbc2f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -1,30 +1,35 @@ --- -title: Microsoft Defender Antivirus on Windows Server 2016 and 2019 -description: Enable and configure Microsoft Defender AV on Windows Server 2016 and 2019 +title: Microsoft Defender Antivirus on Windows Server +description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019. keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/25/2020 -ms.reviewer: +ms.date: 01/21/2021 +ms.reviewer: pahuijbr, shwjha manager: dansimp +ms.technology: mde --- -# Microsoft Defender Antivirus on Windows Server 2016 and 2019 +# Microsoft Defender Antivirus on Windows Server + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- Windows Server 2016 +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Microsoft Defender Antivirus is available on the following editions/versions of Windows Server: - Windows Server 2019 +- Windows Server, version 1803 or later +- Windows Server 2016. -Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same. - -While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019: +In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server: - In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product. @@ -33,35 +38,29 @@ While the functionality, configuration, and management are largely the same for The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) +1. [Enable the interface](#enable-the-user-interface-on-windows-server). +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server). +3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running). +4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). +5. (As needed) [Submit samples](#submit-samples). +6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions). +7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode). -2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019) +## Enable the user interface on Windows Server -2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running) - -3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) - -4. (As needed) [Submit samples](#submit-samples) - -5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) - -6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus) - -## Enable the user interface on Windows Server 2016 or 2019 - -By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets. ### Turn on the GUI using the Add Roles and Features Wizard -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. +1. See [Install roles, role services, and features by using the add Roles and Features Wizard](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. 2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option. -In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: + In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: -![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) + ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) -In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same. + In Windows Server 2019, the **Add Roles and Feature Wizard** is similar. ### Turn on the GUI using PowerShell @@ -71,7 +70,7 @@ The following PowerShell cmdlet will enable the interface: Install-WindowsFeature -Name Windows-Defender-GUI ``` -## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019 +## Install Microsoft Defender Antivirus on Windows Server You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus. @@ -116,16 +115,16 @@ The `sc query` command returns information about the Microsoft Defender Antiviru ## Update antimalware Security intelligence -In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. +To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. -By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods: +By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods: |Method |Description | |---------|---------| |**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
    - **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | |**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** | -|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
    - **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
    - **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | +|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
    - **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
    - **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. | To ensure that protection from malware is maintained, we recommend that you enable the following services: @@ -159,10 +158,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an |Setting |Description | |---------|---------| -|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | -|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | -|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. | -|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | +|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. | +|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. | +|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. | +|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. | ## Configure automatic exclusions @@ -170,38 +169,29 @@ To help ensure security and performance, certain exclusions are automatically ad See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). -## Need to uninstall Microsoft Defender Antivirus? +## Need to set Microsoft Defender Antivirus to passive mode? -If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources: +If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode. -- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). +### Set Microsoft Defender Antivirus to passive mode using a registry key -- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection. +If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: +- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` +- Name: `ForceDefenderPassiveMode` +- Type: `REG_DWORD` +- Value: `1` -If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections. +### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard -### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard +1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**. +2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option. -2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option. - - If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. + If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**. - Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. + Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -### Uninstall Microsoft Defender Antivirus using PowerShell - ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. - -The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019: - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender -``` - -### Turn off the GUI using PowerShell +### Turn off the Microsoft Defender Antivirus user interface using PowerShell To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet: @@ -209,11 +199,22 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c Uninstall-WindowsFeature -Name Windows-Defender-GUI ``` +### Are you using Windows Server 2016? -## Related topics +If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus. + +> [!NOTE] +> You can't uninstall the Windows Security app, but you can disable the interface with these instructions. + +The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016: + +```PowerShell +Uninstall-WindowsFeature -Name Windows-Defender +``` + +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - -- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md index e824427101..b22545f7af 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md @@ -3,7 +3,7 @@ title: Microsoft Defender Offline in Windows 10 description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. keywords: scan, defender, offline search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,13 +13,17 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Run and review the results of a Microsoft Defender Offline scan +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). @@ -55,7 +59,7 @@ See the [Manage Microsoft Defender Antivirus Security intelligence updates](man In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint. -The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. +The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: @@ -67,7 +71,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. -![Microsoft Endpoint Configuration Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png) +![Microsoft Endpoint Manager indicating a Microsoft Defender Offline scan is required](images/defender/sccm-wdo.png) ## Configure notifications diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index d32346b285..81bb63ed13 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus in the Windows Security app description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,39 +13,39 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Microsoft Defender Antivirus in the Windows Security app +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. > [!IMPORTANT] -> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. -> -> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. -> -> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. -> +> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. +> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed. > This will significantly lower the protection of your device and could lead to malware infection. See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. -The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Review virus and threat protection settings in the Windows Security app +![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - - ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) - +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). + ## Comparison of settings and functions of the old app and the new app All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. @@ -56,13 +56,13 @@ The following diagrams compare the location of settings and functions between th ![Microsoft Defender Antivirus in Windows 10, version 1703 and later](images/defender/wdav-wdsc.png) -Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description ----|---|---|--- -1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) -2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed -3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission -4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan -5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option +| Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description | +|:---|:---|:---|:---| +| 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) | +| 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed | +| 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission | +| 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Antivirus Offline scan | +| 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option | ## Common tasks @@ -76,55 +76,41 @@ This section describes how to perform some of the most common tasks when reviewi ### Run a scan with the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Scan now**. - -4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Scan now**. +4. Select **Run a new advanced scan** to specify different types of scans, such as a full scan. ### Review the security intelligence update version and download the latest updates in the Windows Security app +![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. - - ![Security intelligence version number information](images/defender/wdav-wdsc-defs.png) - -4. Click **Check for updates** to download new protection updates (if there are any). +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. +4. Select **Check for updates** to download new protection updates (if there are any). ### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Virus & threat protection settings**. - +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Virus & threat protection settings**. 4. Toggle the **Real-time protection** switch to **On**. > [!NOTE] > If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. - > - > If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). + > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md). ### Add exclusions for Microsoft Defender Antivirus in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Virus & threat protection settings**. - -4. Under the **Exclusions** setting, click **Add or remove exclusions**. - -5. Click the plus icon to choose the type and set the options for each exclusion. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Under the **Manage settings**, select **Virus & threat protection settings**. +4. Under the **Exclusions** setting, select **Add or remove exclusions**. +5. Select the plus icon (**+**) to choose the type and set the options for each exclusion. The following table summarizes exclusion types and what happens: @@ -136,34 +122,26 @@ The following table summarizes exclusion types and what happens: |**File type** |File extension
    Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. | |**Process** |Executable file path
    Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | -To learn more, see: +To learn more, see the following resources: - [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) - [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) ### Review threat detection history in the Windows Defender Security Center app - 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - - 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - - 3. Click **Threat history** - - 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Threat history** +4. Select **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). ### Set ransomware protection and recovery options 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Ransomware protection**. - +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar). +3. Select **Ransomware protection**. 4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard). +5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. -5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. - -## Related articles - +## See also - [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index 55931f992b..7f35ddf666 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -1,35 +1,39 @@ --- -title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats" -description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more." +title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats +description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more. keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 03/04/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Better together: Microsoft Defender Antivirus and Office 365 -**Applies to:** +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Microsoft Defender Antivirus -- Office 365 +- Microsoft 365 You might already know that: - **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). -- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). +- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). - **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing). @@ -45,9 +49,9 @@ Read the following sections to learn more. When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur: -1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.) +1. **You are told about the threat**. (If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), your security operations team is notified, too.) -2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.) +2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender for Endpoint, your security operations team can determine whether other devices are infected and take appropriate action, too.) 3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f). @@ -55,19 +59,19 @@ Think of the time and hassle this can save. ## Integration means better protection -Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how: +Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint means better protection for your organization. Here's how: -- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. +- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. AND -- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture. +- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture. SO - Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). -If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). +If you haven't already done so, [integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). ## More good reasons to use OneDrive @@ -79,8 +83,8 @@ Protection from ransomware is one great reason to put your files in OneDrive. An [OneDrive](https://docs.microsoft.com/onedrive) -[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide) +[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide) -[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 52690f977b..a4354b5403 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,12 +1,12 @@ --- title: Protect security settings with tamper protection -ms.reviewer: +ms.reviewer: shwjha, hayhov manager: dansimp description: Use tamper protection to prevent malicious apps from changing important security settings. keywords: malware, defender, antivirus, tamper protection search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,17 +14,27 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen +ms.date: 01/07/2021 +ms.technology: mde --- # Protect security settings with tamper protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Tamper protection is available on devices running the following versions of Windows: + - Windows 10 +- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) ## Overview -During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring. +During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring. With tamper protection, malicious apps are prevented from taking actions such as: @@ -37,19 +47,20 @@ With tamper protection, malicious apps are prevented from taking actions such as ### How it works - Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: +Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as: - Configuring settings in Registry Editor on your Windows machine - Changing settings through PowerShell cmdlets - Editing or removing security settings through group policies -Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team. +Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; tamper protection is managed by your security team. ### What do you want to do? 1. Turn tamper protection on
    - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine). - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). + - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006) 2. [View information about tampering attempts](#view-information-about-tampering-attempts). @@ -66,9 +77,9 @@ Tamper protection doesn't prevent you from viewing your security settings. And, > > Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. -If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this. +If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection. -1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. +1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. @@ -80,51 +91,75 @@ If you are a home user, or you are not subject to settings managed by a security ## Turn tamper protection on (or off) for your organization using Intune -If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the Microsoft 365 Device Management portal ([https://aka.ms/intuneportal](https://aka.ms/intuneportal)). - -> [!NOTE] -> The ability to manage tamper protection in Intune is rolling out now; if you don't have it yet, you should very soon, assuming your organization has [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) (Microsoft Defender ATP) and that you meet the prerequisites listed below. +If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. -1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: +1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection: - - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)). - - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.) - - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.) + - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) + - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).) - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above). - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).) -2. Go to the Microsoft 365 Device Management portal ([https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com)) and sign in with your work or school account. +2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account. -3. Select **Device configuration** > **Profiles**. +3. Select **Devices** > **Configuration Profiles**. -4. Create a profile as follows: +4. Create a profile that includes the following settings: - - Platform: **Windows 10 and later** + - **Platform: Windows 10 and later** - - Profile type: **Endpoint protection** + - **Profile type: Endpoint protection** - - Category: **Microsoft Defender Security Center** + - **Category: Microsoft Defender Security Center** - - Tamper Protection: **Enabled** + - **Tamper Protection: Enabled** - ![Turn tamper protection on with Intune](images/turnontamperprotect-intune.png) + ![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png) 5. Assign the profile to one or more groups. ### Are you using Windows OS 1709, 1803, or 1809? -If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. +If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled. #### Use PowerShell to determine whether tamper protection is turned on 1. Open the Windows PowerShell app. -2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) PowerShell cmdlet. +2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet. 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.) +## Manage tamper protection with Configuration Manager, version 2006 + +> [!IMPORTANT] +> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. + +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. + +1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). + +2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
    + + - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**. + + - In the **Profile** list, select **Windows Security experience (preview)**.
    + + The following screenshot illustrates how to create your policy: + + :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager"::: + +3. Deploy the policy to your device collection. + +Need help? See the following resources: + +- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings) + +- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) + + ## View information about tampering attempts Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats. @@ -133,7 +168,7 @@ When a tampering attempt is detected, an alert is raised in the [Microsoft Defen ![Microsoft Defender Security Center](images/tamperattemptalert.png) -Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts. +Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts. ## Review your security recommendations @@ -151,54 +186,45 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili ### To which Windows OS versions is configuring tamper protection is applicable? -Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### Is configuring tamper protection in Intune supported on servers? +If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). -No - -### Will tamper protection have any impact on third party antivirus registration? +### Will tamper protection have any impact on third-party antivirus registration? No. Third-party antivirus offerings will continue to register with the Windows Security application. ### What happens if Microsoft Defender Antivirus is not active on a device? -Tamper protection will not have any impact on such devices. +Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features. ### How can I turn tamper protection on/off? If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). -If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune). +If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: + +- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) + +- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) ### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy? Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on. -> [!NOTE] -> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection. +### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings. - -Some sample Microsoft Defender Antivirus settings: - -- *Turn off real-time protection*
    - Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
    - Value `DisableRealtimeMonitoring` = 0 - -### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only? - -Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? -Currently we do not have support to manage Tamper Protection through Microsoft Endpoint Configuration Manager. +If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin). ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? -Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by tamper protection; such change requests are ignored. @@ -206,28 +232,24 @@ You won’t be able to change the features that are protected by tamper protecti No. Local admins cannot change or modify tamper protection settings. -### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state? +### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state? -In this case, tamper protection status changes, and this feature is no longer applied. +If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices. ### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center? Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**. -In addition, your security operations team can use hunting queries, such as the following: +In addition, your security operations team can use hunting queries, such as the following example: `DeviceAlertEvents | where Title == "Tamper Protection bypass"` [View information about tampering attempts](#view-information-about-tampering-attempts). -### Will there be a group policy setting for tamper protection? - -No. - -## Related articles +## See also [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md) +[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index a2c6bdee36..93d033b274 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Hide the Microsoft Defender Antivirus interface description: You can hide virus and threat protection tile in the Windows Security app. keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans. @@ -37,7 +41,7 @@ With the setting set to **Disabled** or not configured: ![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) +>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." @@ -61,6 +65,9 @@ See [Prevent users from locally modifying policy settings](configure-local-polic You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users. +> [!NOTE] +> This setting is not supported on Windows 10. + ### Use Group Policy to prevent users from pausing a scan 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index da205310f1..f6c46b93b9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Monitor and report on Microsoft Defender Antivirus protection description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI. keywords: siem, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,18 +11,24 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 12/07/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Report on Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. + +With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings. @@ -39,5 +45,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s ## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - +- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016) - [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index 434a02f941..e3f5c1f0fe 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Restore quarantined files in Microsoft Defender AV description: You can restore files and folders that were quarantined by Microsoft Defender AV. keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 05/20/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Restore quarantined files in Microsoft Defender AV +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index d23aa3b802..4168fb1d63 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Review the results of Microsoft Defender AV scans +title: Review the results of Microsoft Defender AV scans description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,26 +11,24 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 09/28/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Review Microsoft Defender Antivirus scan results +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -After an Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. +After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. -## Use Microsoft Intune to review scan results - -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Click the scan results in **Device actions status**. - ## Use Configuration Manager to review scan results See [How to monitor Endpoint Protection status](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection). @@ -43,7 +41,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu Get-MpThreatDetection ``` -![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png) +![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png) You can specify `-ThreatID` to limit the output to only show the detections for a specific threat. @@ -53,7 +51,7 @@ If you want to list threat detections, but combine detections of the same threat Get-MpThreat ``` -![IMAGEALT](images/defender/wdav-get-mpthreat.png) +![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png) See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 5266967e27..5a65b6a165 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize on-demand scans in Microsoft Defender AV description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,52 +11,65 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 11/13/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and run on-demand Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. - ## Quick scan versus full scan -Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. +Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. -Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +> [!IMPORTANT] +> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share. -In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. +Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. -A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection. ->[!NOTE] ->By default, quick scans run on mounted removable devices, such as USB drives. +A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans. -## Use Configuration Manager to run a scan +> [!NOTE] +> By default, quick scans run on mounted removable devices, such as USB drives. -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan. +## Use Microsoft Endpoint Manager to run a scan + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. Choose **Endpoint security** > **Antivirus**. +3. In the list of tabs, select **Windows 10 unhealthy endpoints**. +4. From the list of actions provided, select **Quick Scan** or **Full Scan**. + +[ ![IMAGE](images/mem-antivirus-scan-on-demand.png) ](images/mem-antivirus-scan-on-demand.png#lightbox) + +> [!TIP] +> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers). ## Use the mpcmdrun.exe command-line utility to run a scan Use the following `-scan` parameter: -```DOS +```console mpcmdrun.exe -scan -scantype 1 ``` -See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. + +For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md). ## Use Microsoft Intune to run a scan -1. In Intune, go to **Devices > All Devices** and select the device you want to scan. - -2. Select **...More** and then select **Quick Scan** or **Full Scan**. - +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. +2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan. +3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**. ## Use the Windows Security app to run a scan @@ -69,15 +82,14 @@ Use the following cmdlet: ```PowerShell Start-MpScan ``` -See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. + +For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ## Use Windows Management Instruction (WMI) to run a scan -Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. - -See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class. +For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index 7c297d11d4..ce888c039c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Schedule regular quick and full scans with Microsoft Defender AV +title: Schedule regular quick and full scans with Microsoft Defender Antivirus description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,28 +11,32 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 07/22/2020 -ms.reviewer: +ms.date: 11/02/2020 +ms.reviewer: pauhijbr manager: dansimp +ms.technology: mde --- # Configure scheduled quick or full Microsoft Defender Antivirus scans +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + > [!NOTE] > By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default. - In addition to always-on real-time protection and [on-demand](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled scans. You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10). -To configure the Group Policy settings described in this topic: +## To configure the Group Policy settings described in this article 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -42,7 +46,9 @@ To configure the Group Policy settings described in this topic: 5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. + +7. Click **OK**, and repeat for any other settings. Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics. @@ -72,12 +78,13 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli ### Use Group Policy to schedule scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Specify the scan type to use for a scheduled scan | Quick scan -Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never -Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
    In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Specify the scan type to use for a scheduled scan | Quick scan | +|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never | +|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. | +|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
    In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled | + ### Use PowerShell cmdlets to schedule scans @@ -98,8 +105,10 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanParameters +ScanScheduleDay +ScanScheduleTime +RandomizeScheduleTaskTimes ``` See the following for more information and allowed parameters: @@ -117,9 +126,9 @@ You can set the scheduled scan to only occur when the endpoint is turned on but ### Use Group Policy to schedule scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled | ### Use PowerShell cmdlets @@ -136,8 +145,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanOnlyIfIdleEnabled ``` See the following for more information and allowed parameters: @@ -150,10 +158,10 @@ Some threats may require a full scan to complete their removal and remediation. ### Use Group Policy to schedule remediation-required scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never -Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am +| Location | Setting | Description | Default setting (if not configured) | +|---|---|---|---| +|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never | +|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. | ### Use PowerShell cmdlets @@ -171,8 +179,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +RemediationScheduleDay +RemediationScheduleTime ``` See the following for more information and allowed parameters: @@ -188,17 +196,18 @@ You can enable a daily quick scan that can be run in addition to your other sche ### Use Group Policy to schedule daily scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never -Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am + +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never | +|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. | ### Use PowerShell cmdlets to schedule daily scans Use the following cmdlets: ```PowerShell -Set-MpPreference -ScanScheduleQuickTime +Set-MpPreference -ScanScheduleQuickScanTime ``` See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. @@ -208,8 +217,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanScheduleQuickScanTime ``` See the following for more information and allowed parameters: @@ -222,13 +230,11 @@ You can force a scan to occur after every [protection update](manage-protection- ### Use Group Policy to schedule scans after protection updates -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled - -## Related topics - +|Location | Setting | Description | Default setting (if not configured)| +|:---|:---|:---|:---| +|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled | +## See also - [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) - [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index 07f45f646e..1e4c37caba 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -1,77 +1,88 @@ --- -title: Specify cloud-delivered protection level in Microsoft Defender Antivirus -description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus. +title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus +description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 08/12/2020 +ms.date: 10/26/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Specify the cloud-delivered protection level +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. +You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy. ->[!NOTE] ->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +> [!TIP] +> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates. +> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). -## Use Intune to specify the level of cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. -5. On the **File Blocking Level** switch, select one of the following: +## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. + +2. Choose **Endpoint security** > **Antivirus**. + +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. + +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: 1. **High**: Applies a strong level of detection. - 2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance). + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). 3. **Zero tolerance**: Blocks all unknown executables. -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. Choose **Review + save**, and then choose **Save**. -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) +> [!TIP] +> Need some help? See the following resources: +> - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) +> - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) -## Use Configuration Manager to specify the level of cloud-delivered protection - -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - ## Use Group Policy to specify the level of cloud-delivered protection 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). 2. Right-click the Group Policy Object you want to configure, and then click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**. -4. Click **Administrative templates**. +4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**. - -6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: +5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files. - **Moderate blocking level** provides moderate only for high confidence detections - - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). - - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). + - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives). + - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives). - **Zero tolerance blocking level** blocks all unknown executables. > [!WARNING] > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection). -7. Click **OK**. +6. Click **OK**. +7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) + +> [!TIP] +> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md new file mode 100644 index 0000000000..d0c2933ef9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -0,0 +1,136 @@ +--- +title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution +description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus +keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: medium +author: martyav +ms.author: v-maave +ms.custom: nextgen +ms.date: 09/11/2018 +ms.reviewer: +manager: dansimp +ms.technology: mde +--- + +# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + + +You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. + +## Review event logs + +Open the Event viewer app by selecting the **Search** icon in the taskbar, and searching for *event viewer*. + +Information about Microsoft Defender Antivirus can be found under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender**. + +From there, select **Open** underneath **Operational**. + +Selecting an event from the details pane will show you more information about an event in the lower pane, under the **General** and **Details** tabs. + +## Microsoft Defender Antivirus won't start + +This issue can manifest in the form of several different event IDs, all of which have the same underlying cause. + +### Associated event IDs + + Event ID | Log name | Description | Source +-|-|-|- +15 | Application | Updated Windows Defender status successfully to SECURITY_PRODUCT_STATE_OFF. | Security Center +5007 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.

    **Old value:** Default\IsServiceRunning = 0x0
    **New value:** HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 | Windows Defender +5010 | Microsoft-Windows-Windows Defender/Operational | Windows Defender Antivirus scanning for spyware and other potentially unwanted software is disabled. | Windows Defender + +### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed + +On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality. + +> [!TIP] +> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software. + +#### Use Services app to check if Microsoft Defender Antivirus is turned off + +To open the Services app, select the **Search** icon from the taskbar and search for *services*. You can also open the app from the command-line by typing *services.msc*. + +Information about Microsoft Defender Antivirus will be listed within the Services app under **Windows Defender** > **Operational**. The antivirus service name is *Windows Defender Antivirus Service*. + +While checking the app, you may see that *Windows Defender Antivirus Service* is set to manual — but when you try to start this service manually, you get a warning stating, *The Windows Defender Antivirus Service service on Local Computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.* + +This indicates that Microsoft Defender Antivirus has been automatically turned off to preserve compatibility with a third-party antivirus. + +#### Generate a detailed report + +You can generate a detailed report about currently active group policies by opening a command prompt in **Run as admin** mode, then entering the following command: + +```powershell +GPresult.exe /h gpresult.html +``` + +This will generate a report located at *./gpresult.html*. Open this file and you might see the following results, depending on how Microsoft Defender Antivirus was turned off. + +##### Group policy results + +##### If security settings are implemented via group policy (GPO) at the domain or local level, or though System center configuration manager (SCCM) + +Within the GPResults report, under the heading, *Windows Components/Windows Defender Antivirus*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. + +Policy | Setting | Winning GPO +-|-|- +Turn off Windows Defender Antivirus | Enabled | Win10-Workstations + +###### If security settings are implemented via Group policy preference (GPP) + +Under the heading, *Registry item (Key path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender, Value name: DisableAntiSpyware)*, you may see something like the following entry, indicating that Microsoft Defender Antivirus is turned off. + +DisableAntiSpyware | - +-|- +Winning GPO | Win10-Workstations +Result: Success | +**General** | +Action | Update +**Properties** | +Hive | HKEY_LOCAL_MACHINE +Key path | SOFTWARE\Policies\Microsoft\Windows Defender +Value name | DisableAntiSpyware +Value type | REG_DWORD +Value data | 0x1 (1) + +###### If security settings are implemented via registry key + +The report may contain the following text, indicating that Microsoft Defender Antivirus is turned off: + +> Registry (regedit.exe) +> +> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender +> DisableAntiSpyware (dword) 1 (hex) + +###### If security settings are set in Windows or your Windows Server image + +Your imagining admin might have set the security policy, **[DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware)**, locally via *GPEdit.exe*, *LGPO.exe*, or by modifying the registry in their task sequence. You can [configure a Trusted Image Identifier](https://docs.microsoft.com/windows-hardware/manufacture/desktop/configure-a-trusted-image-identifier-for-windows-defender) for Microsoft Defender Antivirus. + +### Turn Microsoft Defender Antivirus back on + +Microsoft Defender Antivirus will automatically turn on if no other antivirus is currently active. You'll need to turn the third-party antivirus completely off to ensure Microsoft Defender Antivirus can run with full functionality. + +> [!WARNING] +> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. + +Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed. + +Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections. + +> [!IMPORTANT] +> Limited periodic scanning is not recommended in enterprise environments. The detection, management and reporting capabilities available when running Microsoft Defender Antivirus in this mode are reduced as compared to active mode. + +### See also + +* [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) +* [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index 6bc4a4a744..b65212267f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender AV event IDs and error codes description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,13 +13,17 @@ ms.custom: nextgen ms.date: 09/11/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. @@ -30,7 +34,7 @@ The tables list: - [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) > [!TIP] -> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > > - Cloud-delivered protection > - Fast learning (including Block at first sight) @@ -48,7 +52,7 @@ The table in this section lists the main Microsoft Defender Antivirus event IDs ## To view a Microsoft Defender Antivirus event 1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Microsoft Defender Antivirus**. +2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. 3. Double-click on **Operational**. 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md index a2747a705d..0b3b787b77 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md @@ -3,7 +3,7 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,18 +13,22 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. -You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). +You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues. @@ -56,7 +60,7 @@ In order for devices to properly show up in Update Compliance, you have to meet > - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). > - It has been 3 days since all requirements have been met -“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" +“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 58572c3d52..b3383fd1a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -1,25 +1,29 @@ --- title: Configure Microsoft Defender Antivirus with Group Policy -description: Configure Microsoft Defender Antivirus settings with Group Policy +description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 -ms.reviewer: +ms.date: 10/01/2018 +ms.reviewer: ksarens manager: dansimp +ms.technology: mde --- # Use Group Policy settings to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints. @@ -93,7 +97,7 @@ Root | Allow antimalware service to start up with normal priority | [Configure r Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) Root | Turn off routine remediation | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) Root | Randomize scheduled task times | [Configure scheduled scans for Microsoft Defender Antivirus](scheduled-catch-up-scans-microsoft-defender-antivirus.md) -Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) +Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) (Not supported on Windows 10) Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md index 71edcfc785..75f4f1b7cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune -description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,24 +11,38 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 10/26/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- -# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus +# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans. +If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. -In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus. +1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**. -See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. +2. Under **Manage**, choose **Antivirus**. -For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +3. Select your Microsoft Defender Antivirus policy. + +4. Under **Manage**, choose **Properties**. + +5. Next to **Configuration settings**, choose **Edit**. + +6. Expand the **Scan** section, and review or edit your scanning settings. + +7. Choose **Review + save** + +Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md index 2bfad82a62..078fbf7fab 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus. keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 07/23/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md index 49f9134d53..92f746d03d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Configure Microsoft Defender Antivirus with WMI -description: Use WMI scripts to configure Microsoft Defender AV. +description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,13 +14,17 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index 9eb816975e..5bc184057b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,17 +12,21 @@ ms.author: deniseb ms.reviewer: shwjha manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. @@ -42,11 +46,11 @@ src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI: -- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/) -- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) -- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/) -- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/) -- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/microsoft-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/) +- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise) +- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign) +- [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak) +- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) +- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://www.microsoft.com/security/blog/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware) ## Get cloud-delivered protection @@ -65,7 +69,7 @@ The following table describes the differences in cloud-delivered protection betw |Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | |Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | |System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable | -|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | +|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | |Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates). @@ -79,6 +83,6 @@ You can also [configure Microsoft Defender Antivirus to automatically receive ne - [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy. -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index 91d3f43edb..bf55abf1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -1,51 +1,55 @@ --- -title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection" -description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." +title: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint +description: For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings. keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- -# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection +# Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). +Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender for Endpoint). -Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Microsoft Defender Antivirus together with Microsoft Defender ATP. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. +Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. -## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender ATP +## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint | |Advantage |Why it matters | |--|--|--| -|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | +|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | |2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | -|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| -|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| +|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md).| +|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| |6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).| |8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | |10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| -|11|Technical support |By using Microsoft Defender ATP together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). | +|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). | ## Learn more -[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) +[Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) [Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md index 35f40da2a5..52b3bb034e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md @@ -4,4 +4,5 @@ ## [Install WDAG](install-md-app-guard.md) ## [Configure WDAG policies](configure-md-app-guard.md) ## [Test scenarios](test-scenarios-md-app-guard.md) +## [Microsoft Defender Application Guard Extension](md-app-guard-browser-extension.md) ## [FAQ](faq-md-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 121ed70fbe..bbab8b350a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,12 +12,13 @@ ms.date: 10/17/2017 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Configure Microsoft Defender Application Guard policy settings **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 061966afc5..60b5e96c41 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -1,39 +1,40 @@ --- title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 08/12/2020 +ms.date: 01/21/2021 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Frequently asked questions - Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4GB RAM? | -We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +### Can I enable Application Guard on machines equipped with 4-GB RAM? +We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8GB.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5GB.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) ### Can employees download documents from the Application Guard Edge session onto host devices? -In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy. +In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. @@ -45,9 +46,9 @@ Depending on your organization's settings, employees can copy and paste images ( To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. -### Are extensions supported in the Application Guard? +### Why aren’t employees able to see their Extensions in the Application Guard Edge session? -Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container). +Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? @@ -71,47 +72,47 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903 ### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? -This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. +This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. ### What is the WDAGUtilityAccount local account? -This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. +This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. ### How do I trust a subdomain in my site list? -To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. +To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). ### Is there a size limit to the domain lists that I need to configure? -Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383B limit. +Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit. ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why do the Network Isolation policies in Group Policy and CSP look different? -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP. +There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. -Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources" -Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" +Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnets or CloudResources" +Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. -### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")? +### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? -Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. +Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. -### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file? +### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file? This is a known issue. To mitigate this you need to create two firewall rules. For guidance on how to create a firewall rule by using group policy, see: @@ -120,52 +121,67 @@ For guidance on how to create a firewall rule by using group policy, see: First rule (DHCP Server): 1. Program path: `%SystemRoot%\System32\svchost.exe` -2. Local Service: Sid: `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177` (Internet Connection Service (SharedAccess)) +2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` 3. Protocol UDP 4. Port 67 Second rule (DHCP Client) This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: -1. Right click on inbound rules, create a new rule. -2. Choose **custom rule**. -3. Program path: **%SystemRoot%\System32\svchost.exe**. -4. Protocol Type: UDP, Specific ports: 67, Remote port: any. -5. Any IP addresses. -6. Allow the connection. -7. All profiles. -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. -9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. +1. Right click on inbound rules, create a new rule. +2. Choose **custom rule**. +3. Program path: `%SystemRoot%\System32\svchost.exe`. +4. Protocol Type: UDP, Specific ports: 67, Remote port: any. +5. Any IP addresses. +6. Allow the connection. +7. All profiles. +8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. +9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. ### Why can I not launch Application Guard when Exploit Guard is enabled? -There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default". +There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. ### How can I have ICS in enabled state yet still use Application Guard? -This is a two step process. +ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. -Step 1: +1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. -Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from Enabled to Disabled. - -Step 2: - -1. Disable IpNat.sys from ICS load: -`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`. -2. Configure ICS (SharedAccess) to enabled: -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`. -3. Disable IPNAT (Optional): -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. -4. Restart the device. +2. Disable IpNat.sys from ICS load as follows:
    +`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` -### Why doesn't Application Guard work, even though it's enabled through Group Policy? +3. Configure ICS (SharedAccess) to enabled as follows:
    +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` -Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). -To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing. +4. (This is optional) Disable IPNAT as follows:
    +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` -For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). -On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite. +5. Reboot the device. -For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP. +### Why doesn't the container fully load when device control policies are enabled? +Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. + +Policy: Allow installation of devices that match any of these device IDs +- `SCSI\DiskMsft____Virtual_Disk____` +- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` +- `VMS_VSF` +- `root\Vpcivsp` +- `root\VMBus` +- `vms_mp` +- `VMS_VSP` +- `ROOT\VKRNLINTVSP` +- `ROOT\VID` +- `root\storvsp` +- `vms_vsmp` +- `VMS_PP` + +Policy: Allow installation of devices using drivers that match these device setup classes +- `{71a27cdd-812a-11d0-bec7-08002be2092f}` + + + +## See also + +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png new file mode 100644 index 0000000000..4ad77f8a06 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png new file mode 100644 index 0000000000..25e3ef533b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png new file mode 100644 index 0000000000..779f647b33 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png index 1afbd303b0..7ee172b509 100644 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png index 56acb4be53..99e590e6ca 100644 Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 8aba080ae4..919fc5c18b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,23 +1,24 @@ --- title: Enable hardware-based isolation for Microsoft Edge (Windows 10) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/19/2019 +ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md new file mode 100644 index 0000000000..2731dfe662 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -0,0 +1,99 @@ +--- +title: Microsoft Defender Application Guard Extension +description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. +ms.prod: m365-security +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: martyav +ms.author: v-maave +ms.date: 06/12/2020 +ms.reviewer: +manager: dansimp +ms.custom: asr +ms.technology: mde +--- + +# Microsoft Defender Application Guard Extension + +**Applies to:** + +- Windows 10 + +[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). + +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. + +> [!TIP] +> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. + +Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected. + +## Prerequisites + +Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later: + +- Windows 10 Professional +- Windows 10 Enterprise +- Windows 10 Education + +Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. + +## Installing the extension + +Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries. + +Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place. + +From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode. + +1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). +1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer. +1. Restart the device. + +### Recommended browser group policies + +Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings. + +#### Chrome policies + +These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
    `1` = Disabled
    `2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
    `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
    `true` or `1` = Enabled

    **Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. + +#### Firefox policies + +These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
    `true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
    `true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. + +## Troubleshooting guide + + + +Error message | Cause | Actions +-|-|- +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
    2. If the companion app is already installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation +Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
    2. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
    2. If the companion app is installed, reboot and see if that resolves the error
    3. If you still see the error after rebooting, uninstall and re-install the companion app
    4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
    2. Check if Edge is working
    3. Retry the operation + +## Related articles + +- [Microsoft Defender Application Guard overview](md-app-guard-overview.md) +- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9a278e3b9b..84ae3ac222 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,51 +1,56 @@ --- title: Microsoft Defender Application Guard (Windows 10) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 03/28/2019 +ms.date: 01/27/2021 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Microsoft Defender Application Guard overview -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? -Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. +For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container. + +For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. -If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials. ![Hardware isolation diagram](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? -Application Guard has been created to target several types of systems: +Application Guard has been created to target several types of devices: -- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. +- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. -- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. +- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. -- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. +- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. -- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. +- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. ## Related articles |Article |Description | -|------|------------| +|:------|:------------| |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| +| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | +| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 5757f18c10..4444817c21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -1,7 +1,7 @@ --- title: System requirements for Microsoft Defender Application Guard (Windows 10) description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,11 +12,12 @@ ms.date: 02/11/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # System requirements for Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index e2a6d3e0ec..0c7e53c3fb 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -10,69 +10,69 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp +ms.date: 09/14/2020 ms.custom: asr +ms.technology: mde --- # Application Guard testing scenarios +**Applies to:** -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. - ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. ### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). -2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu. +2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu. ![New Application Guard window setting option](images/appguard-new-window.png) - + 3. Wait for Application Guard to set up the isolated environment. >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. - + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) -## Application Guard in Enterprise-managed mode +## Application Guard in Enterprise-managed mode How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. ### Install, set up, and turn on Application Guard -Before you can use Application Guard in enterprise mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. +Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, which includes the functionality. Then, you must use Group Policy to set up the required settings. 1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard#install-application-guard). -2. Restart the device and then start Microsoft Edge. +2. Restart the device, and then start Microsoft Edge. 3. Set up the Network Isolation settings in Group Policy: - a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - + a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**. + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. - c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. + c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png) d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. - e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box. + e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) -4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Enterprise Mode** setting. +4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. 5. Click **Enabled**, choose Option **1**, and click **OK**. @@ -81,14 +81,14 @@ Before you can use Application Guard in enterprise mode, you must install Window >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type www.microsoft.com. - +6. Start Microsoft Edge and type `https://www.microsoft.com`. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard. ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png) 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. - + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment. ![Untrusted website running in Application Guard](images/appguard-visual-cues.png) @@ -108,6 +108,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** + - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 @@ -116,24 +117,24 @@ You have the option to change each of these settings to work with your enterpris 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**. 2. Click **Enabled** and click **OK**. - + ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) 3. Choose how the clipboard works: - + - Copy and paste from the isolated session to the host PC - + - Copy and paste from the host PC to the isolated session - + - Copy and paste both directions 4. Choose what can be copied: - - - **1.** Only text can be copied between the host PC and the isolated container. - - **2.** Only images can be copied between the host PC and the isolated container. + - Only text can be copied between the host PC and the isolated container. - - **3.** Both text and images can be copied between the host PC and the isolated container. + - Only images can be copied between the host PC and the isolated container. + + - Both text and images can be copied between the host PC and the isolated container. 5. Click **OK**. @@ -156,21 +157,26 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) - + 3. Open Microsoft Edge and browse to an untrusted, but safe URL. - The website opens in the isolated session. + The website opens in the isolated session. 4. Add the site to your **Favorites** list and then close the isolated session. -5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. The previously added site should still appear in your **Favorites** list. - >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.

    If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

    **To reset the container, follow these steps:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. - + > [!NOTE] + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > + > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. + > + > **To reset the container, follow these steps:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + **Applies to:** + - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 @@ -181,10 +187,10 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor Download options](images/appguard-gp-download.png) - + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Download a file from Microsoft Defender Application Guard. +4. Download a file from Microsoft Defender Application Guard. 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. @@ -195,12 +201,13 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) - -3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Assess the visual experience and battery performance. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +4. Assess the visual experience and battery performance. **Applies to:** + - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 @@ -210,11 +217,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) - + ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open a file in Edge, such an Office 365 file. +4. Open a file in Edge, such an Office 365 file. 5. Check to see that an antivirus scan completed before the file was opened. @@ -224,11 +231,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png) - + ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Edge. 5. Check that the camera and microphone work as expected. @@ -238,7 +245,23 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. - ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png) - + ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png) + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +## Application Guard Extension for third-party web browsers + +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. + +Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. + +1. Open either Firefox or Chrome — whichever browser you have the extension installed on. + +2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png) + +3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png) + +4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** + ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md new file mode 100644 index 0000000000..3abe07fc71 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -0,0 +1,126 @@ +--- +title: Onboard Windows 10 multi-session devices in Windows Virtual Desktop +description: Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop +keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.topic: article +author: dansimp +ms.author: dansimp +ms.custom: nextgen +ms.date: 02/04/2021 +ms.reviewer: +manager: dansimp +ms.technology: mde +--- + +# Onboard Windows 10 multi-session devices in Windows Virtual Desktop + +Applies to: +- Windows 10 multi-session running on Windows Virtual Desktop (WVD) + +Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. + + ## Before you begin +Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts. + +> [!NOTE] +> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either: +> - Single entry for each virtual desktop +> - Multiple entries for each virtual desktop + +Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. + +Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. + +> [!NOTE] +> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. + +## Scenarios +There are several ways to onboard a WVD host machine: + +- Run the script in the golden image (or from a shared location) during startup. +- Use a management tool to run the script. + +### Scenario 1: Using local group policy +This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process. + +Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). + +Follow the instructions for a single entry for each device. + +### Scenario 2: Using domain group policy +This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. + +#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center +1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) + - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. + - Select Windows 10 as the operating system. + - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. + - Click **Download package** and save the .zip file. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. + +#### Use Group Policy management console to run the script when the virtual machine starts +1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**. +1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7). +1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as. +1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. +1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field. +Enter the following: + +> Action = "Start a program"
    +> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    +> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1" + +Click **OK** and close any open GPMC windows. + +### Scenario 3: Onboarding using management tools + +If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. + +For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) + +> [!WARNING] +> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). + +## Tagging your machines when building your image + +As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see +[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). + +## Other recommended configuration settings + +When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). + +In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: + +### Exclude Files + +> %ProgramFiles%\FSLogix\Apps\frxdrv.sys
    +> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
    +> %ProgramFiles%\FSLogix\Apps\frxccd.sys
    +> %TEMP%\*.VHD
    +> %TEMP%\*.VHDX
    +> %Windir%\TEMP\*.VHD
    +> %Windir%\TEMP\*.VHDX
    +> \\storageaccount.file.core.windows.net\share\*\*.VHD
    +> \\storageaccount.file.core.windows.net\share\*\*.VHDX
    + +### Exclude Processes + +> %ProgramFiles%\FSLogix\Apps\frxccd.exe
    +> %ProgramFiles%\FSLogix\Apps\frxccds.exe
    +> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
    + +## Licensing requirements + +Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements). diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md index 647939803c..e7059f44d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md +++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md @@ -4,7 +4,7 @@ description: Access the Microsoft Defender Security Center MSSP customer portal keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Access the Microsoft Defender Security Center MSSP customer portal +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) @@ -53,4 +57,4 @@ Use the following steps to obtain the MSSP customer tenant ID and then use the I ## Related topics - [Grant MSSP access to the portal](grant-mssp-access.md) - [Configure alert notifications](configure-mssp-notifications.md) -- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) \ No newline at end of file +- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 07fcff8c6f..41a3a471ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -1,9 +1,9 @@ --- title: Add or Remove Machine Tags API -description: Use this API to Add or Remove machine tags. +description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, tags, machine tags search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Add or Remove Machine Tags API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +44,7 @@ Adds or remove tag to a specific [Machine](machine.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -51,7 +60,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ```http -POST https://api.securitycenter.windows.com/api/machines/{id}/tags +POST https://api.securitycenter.microsoft.com/api/machines/{id}/tags ``` ## Request headers @@ -81,11 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -[!include[Improve request performance](../../includes/improve-request-performance.md)] +``` +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags +``` -```http -POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index d5802d8faf..0230069f42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -4,7 +4,7 @@ description: Turn on advanced features such as block file in Microsoft Defender keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,31 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Configure advanced features in Microsoft Defender ATP +# Configure advanced features in Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) -Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with. +Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. -Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: +## Enable advanced features + +1. In the navigation pane, select **Preferences setup** > **Advanced features**. +2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. +3. Click **Save preferences**. + +Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations. ## Automated investigation @@ -39,6 +49,12 @@ Turn on this feature so that users with the appropriate permissions can start a For more information about role assignments, see [Create and manage roles](user-roles.md). +## Live response for servers +Turn on this feature so that users with the appropriate permissions can start a live response session on servers. + +For more information about role assignments, see [Create and manage roles](user-roles.md). + + ## Live response unsigned script execution Enabling this feature allows you to run unsigned scripts in a live response session. @@ -85,7 +101,7 @@ To use this feature, devices must be running Windows 10 version 1709 or later. T For more information, see [Manage indicators](manage-indicators.md). >[!NOTE] ->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data. +>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. ## Show user details @@ -111,6 +127,35 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct >[!NOTE] >You'll need to have the appropriate license to enable this feature. +## Office 365 Threat Intelligence connection + +This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. + +When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. + +>[!NOTE] +>You'll need to have the appropriate license to enable this feature. + +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). + +## Microsoft Threat Experts + +Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it. + +>[!NOTE] +>The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). + +## Microsoft Cloud App Security + +Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. + +>[!NOTE] +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. + +## Azure Information Protection + +Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings. + ## Microsoft Secure Score Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. @@ -127,41 +172,12 @@ To receive contextual device integration in Azure ATP, you'll also need to enabl After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. -## Office 365 Threat Intelligence connection - -This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. - -When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. - ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. - -To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). - -## Microsoft Threat Experts - -Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it. - ->[!NOTE] ->The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). - -## Microsoft Cloud App Security - -Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. - ->[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. - -## Azure Information Protection - -Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings. - ## Microsoft Intune connection -Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement. +Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. >[!IMPORTANT] ->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md). +>You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). This feature is only available if you have the following: @@ -175,10 +191,9 @@ When you enable Intune integration, Intune will automatically create a classic C >[!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. - ## Preview features -Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available. @@ -186,16 +201,10 @@ You'll have access to upcoming features, which you can provide feedback on to he Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data. -After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Microsoft Defender ATP alerts will be shared with insider risk management for applicable users. - -## Enable advanced features - -1. In the navigation pane, select **Preferences setup** > **Advanced features**. -2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. -3. Click **Save preferences**. +After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users. ## Related topics - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md new file mode 100644 index 0000000000..2d0e83a1c6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -0,0 +1,81 @@ +--- +title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection +description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +ms.technology: mde +--- + +# AssignedIPAddresses() + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. + +This function returns a table with the following columns: + +Column | Data type | Description +-|-|- +`Timestamp` | datetime | Latest time when the device was observed using the IP address +`IPAddress` | string | IP address used by the device +`IPType` | string | Indicates whether the IP address is a public or private address +`NetworkAdapterType` | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype) +`ConnectedNetworks` | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet + +## Syntax + +```kusto +AssignedIPAddresses(x, y) +``` + +## Arguments + +- **x**—`DeviceId` or `DeviceName` value identifying the device +- **y**—`Timestamp` (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses. + +## Examples + +### Get the list of IP addresses used by a device 24 hours ago + +```kusto +AssignedIPAddresses('example-device-name', ago(1d)) +``` + +### Get IP addresses used by a device and find devices communicating with it + +This query uses the `AssignedIPAddresses()` function to get assigned IP addresses for the device (`example-device-name`) on or before a specific date (`example-date`). It then uses the IP addresses to find connections to the device initiated by other devices. + +```kusto +let Date = datetime(example-date); +let DeviceName = "example-device-name"; +// List IP addresses used on or before the specified date +AssignedIPAddresses(DeviceName, Date) +| project DeviceName, IPAddress, AssignedTime = Timestamp +// Get all network events on devices with the assigned IP addresses as the destination addresses +| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP +// Get only network events around the time the IP address was assigned +| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h)) +``` + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 669be788ad..d287cdbb3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -4,7 +4,7 @@ description: Learn how to construct fast, efficient, and error-free threat hunti keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,25 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: m365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting query best practices -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) +**Applies to:** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) ## Optimize query performance -Apply these recommendations to get results faster and avoid timeouts while running complex queries. + +Apply these recommendations to get results faster and avoid timeouts while running complex queries. + - When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`. - Use time filters first. Ideally, limit your queries to seven days. - Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. @@ -40,6 +46,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs + Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. @@ -54,6 +61,7 @@ DeviceNetworkEvents The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. ### Queries with command lines + Command lines can vary. When applicable, filter on file names and do fuzzy matching. There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces. @@ -84,9 +92,12 @@ DeviceProcessEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) ## Related topics + - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index cad9c6214b..e3c67bd93e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -4,7 +4,7 @@ description: Learn about alert generation events in the DeviceAlertEvents table keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,22 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/22/2020 +ms.technology: mde --- # DeviceAlertEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. @@ -50,4 +54,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index a3844f8f21..71741e06aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -4,7 +4,7 @@ description: Learn about antivirus, firewall, and other event types in the misce keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 2e1e4ccfe6..d3f4b6a040 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -4,7 +4,7 @@ description: Learn about file signing information in the DeviceFileCertificateIn keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,22 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/14/2020 +ms.technology: mde --- # DeviceFileCertificateInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints. @@ -55,4 +59,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 351be8cfc8..e80863221a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -1,10 +1,10 @@ --- -title: DeviceFileEvents table in the advanced hunting schema +title: DeviceFileEvents table in the advanced hunting schema description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceFileEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 2327ce1a4e..6a341b969b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -4,7 +4,7 @@ description: Learn about DLL loading events in the DeviceImageLoadEvents table o keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceImageLoadEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index cc3663977a..8f18931852 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -1,10 +1,10 @@ --- title: DeviceInfo table in the advanced hunting schema description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. @@ -35,7 +39,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `DeviceId` | string | Unique identifier for the device in the service | | `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ClientVersion` | string | Version of the endpoint agent or sensor running on the device | -| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy | +| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy | | `OSArchitecture` | string | Architecture of the operating system running on the device | | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | | `OSBuild` | string | Build version of the operating system running on the device | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 1f7e4db8a1..7f162f6d82 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -4,7 +4,7 @@ description: Learn about authentication or sign-in events in the DeviceLogonEven keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceLogonEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 3defded189..cf5f540d22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -4,7 +4,7 @@ description: Learn about network connection events you can query from the Device keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceNetworkEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. @@ -64,4 +68,4 @@ For information on other tables in the advanced hunting schema, see [the advance ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) \ No newline at end of file +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 82d860e259..3983f87831 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -4,7 +4,7 @@ description: Learn about network configuration information in the DeviceNetworkI keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceNetworkInfo +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. @@ -37,8 +41,8 @@ For information on other tables in the advanced hunting schema, see [the advance | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `NetworkAdapterName` | string | Name of the network adapter | | `MacAddress` | string | MAC address of the network adapter | -| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) | -| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) | +| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2&preserve-view=true) | +| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2&preserve-view=true) | | `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | | `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet | | `DnsAddresses` | string | DNS server addresses in JSON array format | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 4c9e3d2d15..eff542c7ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -4,7 +4,7 @@ description: Learn about the process spawning or creation events in the DevicePr keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceProcessEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index bff256d499..8e3b625f9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -4,7 +4,7 @@ description: Learn about registry events you can query from the DeviceRegistryEv keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceRegistryEvents +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index 0b1624d685..7030a063ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSecureConfigurationAssessment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -42,11 +46,13 @@ For information on other tables in the advanced hunting schema, see [the advance | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | | `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | | `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | - +| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device | +| `Context` | string | Additional contextual information about the configuration or policy | +| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index a50f7b4988..7238db9c90 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema -description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. +description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSecureConfigurationAssessmentKB +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 6e83ac102d..c4e032f3e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -4,7 +4,7 @@ description: Learn about the inventory of software in your devices and their vul keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSoftwareInventoryVulnerabilities +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index aa46c9d8a9..7c4190748d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema -description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB +description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSoftwareVulnerabilitiesKB +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md new file mode 100644 index 0000000000..2a99d2648b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md @@ -0,0 +1,47 @@ +--- +title: Handle errors in advanced hunting for Microsoft Defender ATP +description: Understand errors displayed when using advanced hunting +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Handle advanced hunting errors + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + + +Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors. + +| Error type | Cause | Resolution | Error message examples | +|--|--|--|--| +| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` | +| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`| +| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` | +| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`
    - `You have exceeded processing resources allocated to this tenant. You can run queries again in .` | +| Result size limit exceeded | The aggregate size of the result set for the query has exceeded the maximum limit. This error can occur if the result set is so large that truncation at the 10,000-record limit can't reduce it to an acceptable size. Results that have multiple columns with sizable content are more likely to be impacted by this error. | [Optimize the query](advanced-hunting-best-practices.md) | `Result size limit exceeded. Use "summarize" to aggregate results, "project" to drop uninteresting columns, or "take" to truncate results.` | +| Excessive resource consumption | The query has consumed excessive amounts of resources and has been stopped from completing. In some cases, advanced hunting identifies the specific operator that wasn't optimized. | [Optimize the query](advanced-hunting-best-practices.md) | -`Query stopped due to excessive resource consumption.`
    -`Query stopped. Adjust use of the operator to avoid excessive resource consumption.` | +| Unknown errors | The query failed because of an unknown reason. | Try running the query again. Contact Microsoft through the portal if queries continue to return unknown errors. | `An unexpected error occurred during query execution. Please try again in a few minutes.` + +## Related topics +- [Advanced hunting best practices](advanced-hunting-best-practices.md) +- [Service limits](advanced-hunting-limits.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Kusto Query Language overview](https://docs.microsoft.com/azure/data-explorer/kusto/query/) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md new file mode 100644 index 0000000000..0b15378b40 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -0,0 +1,49 @@ +--- +title: Extend advanced hunting coverage with the right settings +description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting +keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 10/10/2020 +ms.technology: mde +--- + +# Extend advanced hunting coverage with the right settings + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. + +## Advanced security auditing on Windows devices + +Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation. + +Data | Description | Schema table | How to configure +-|-|-|- +Account management | Events captured as various `ActionType` values indicating local account creation, deletion, and other account-related activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit User Account Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-user-account-management)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) +Security group management | Events captured as various `ActionType` values indicating local security group creation and other local group management activities | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security Group Management](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-group-management)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) +Service installation | Events captured with the `ActionType` value `ServiceInstalled`, indicating that a service has been created | [DeviceEvents](advanced-hunting-deviceevents-table.md) | - Deploy an advanced security audit policy: [Audit Security System Extension](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-security-system-extension)
    - [Learn about advanced security audit policies](https://docs.microsoft.com/windows/security/threat-protection/auditing/advanced-security-auditing) + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md new file mode 100644 index 0000000000..bea6b0caac --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md @@ -0,0 +1,86 @@ +--- +title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection +description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +ms.technology: mde +--- + +# FileProfile() + +**Applies to:** + +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query. + +Column | Data type | Description +-|-|- +SHA1 | string | SHA-1 of the file that the recorded action was applied to +SHA256 | string | SHA-256 of the file that the recorded action was applied to +MD5 | string | MD5 hash of the file that the recorded action was applied to +FileSize | int | Size of the file in bytes +GlobalPrevalence | int | Number of instances of the entity observed by Microsoft globally +GlobalFirstSeen | datetime | Date and time when the entity was first observed by Microsoft globally +GlobalLastSeen | datetime | Date and time when the entity was last observed by Microsoft globally +Signer | string | Information about the signer of the file +Issuer | string | Information about the issuing certificate authority (CA) +SignerHash | string | Unique hash value identifying the signer +IsCertificateValid | boolean | Whether the certificate used to sign the file is valid +IsRootSignerMicrosoft | boolean | Indicates whether the signer of the root certificate is Microsoft +IsExecutable | boolean | Whether the file is a Portable Executable (PE) file +ThreatName | string | Detection name for any malware or other threats found +Publisher | string | Name of the organization that published the file +SoftwareName | string | Name of the software product + +## Syntax + +```kusto +invoke FileProfile(x,y) +``` + +## Arguments + +- **x** — file ID column to use: `SHA1`, `SHA256`, `InitiatingProcessSHA1` or `InitiatingProcessSHA256`; function uses `SHA1` if unspecified +- **y** — limit to the number of records to enrich, 1-1000; function uses 100 if unspecified + +## Examples + +### Project only the SHA1 column and enrich it + +```kusto +DeviceFileEvents +| where isnotempty(SHA1) and Timestamp > ago(1d) +| take 10 +| project SHA1 +| invoke FileProfile() +``` + +### Enrich the first 500 records and list low-prevalence files + +```kusto +DeviceFileEvents +| where ActionType == "FileCreated" and Timestamp > ago(1d) +| project CreatedOn = Timestamp, FileName, FolderPath, SHA1 +| invoke FileProfile("SHA1", 500) +| where GlobalPrevalence < 15 +``` + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md new file mode 100644 index 0000000000..f340f5f99e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md @@ -0,0 +1,108 @@ +--- +title: Get relevant info about an entity with go hunt +description: Learn how to use the go hunt tool to quickly query for relevant information about an entity or event using advanced hunting. +keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +f1.keywords: + - NOCSH +ms.author: v-maave +author: martyav +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Quickly hunt for entity or event information with go hunt + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity. + +The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections: + +- In the [incident page](investigate-incidents.md), you can review details about users, devices, and many other entities associated with an incident. When you select an entity, you get additional information as well as various actions you could take on that entity. In the example below, a device is selected, showing details about the device as well the option to hunt for more information about the device. + + ![Image showing device details with the go hunt option](./images/go-hunt-device.png) + +- In the incident page, you can also access a list of entities under the evidence tab. Selecting one of those entities provides an option to quickly hunt for information about that entity. + + ![Image showing selected url with the go hunt option in the Evidence tab](./images/go-hunt-evidence-url.png) + +- When viewing the timeline for a device, you can select an event in the timeline to view additional information about that event. Once an event is selected, you get the option to hunt for other relevant events in advanced hunting. + + ![Image showing event details with the go hunt option](./images/go-hunt-event.png) + +Selecting **Go hunt** or **Hunt for related events** passes different queries, depending on whether you've selected an entity or an event. + +## Query for entity information + +When using *go hunt* to query for information about a user, device, or any other type of entity, the query checks all relevant schema tables for any events involving that entity. To keep the results manageable, the query is scoped to around the same time period as the earliest activity in the past 30 days that involves the entity and is associated with the incident. + +Here is an example of the go hunt query for a device: + +```kusto +let selectedTimestamp = datetime(2020-06-02T02:06:47.1167157Z); +let deviceName = "fv-az770.example.com"; +let deviceId = "device-guid"; +search in (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceImageLoadEvents, DeviceEvents, DeviceImageLoadEvents, IdentityLogonEvents, IdentityQueryEvents) +Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h)) +and DeviceName == deviceName +// or RemoteDeviceName == deviceName +// or DeviceId == deviceId +| take 100 +``` + +### Supported entity types + +You can use *go hunt* after selecting any of these entity types: + +- Files +- Users +- Devices +- IP addresses +- URLs + +## Query for event information + +When using *go hunt* to query for information about a timeline event, the query checks all relevant schema tables for other events around the time of the selected event. For example, the following query lists events in various schema tables that occurred around the same time period on the same device: + +```kusto +// List relevant events 30 minutes before and after selected RegistryValueSet event +let selectedEventTimestamp = datetime(2020-10-06T21:40:25.3466868Z); +search in (DeviceFileEvents, DeviceProcessEvents, DeviceEvents, DeviceRegistryEvents, DeviceNetworkEvents, DeviceImageLoadEvents, DeviceLogonEvents) + Timestamp between ((selectedEventTimestamp - 30m) .. (selectedEventTimestamp + 30m)) + and DeviceId == "a305b52049c4658ec63ae8b55becfe5954c654a4" +| sort by Timestamp desc +| extend Relevance = iff(Timestamp == selectedEventTimestamp, "Selected event", iff(Timestamp < selectedEventTimestamp, "Earlier event", "Later event")) +| project-reorder Relevance +``` + +## Adjust the query + +With some knowledge of the [query language](advanced-hunting-query-language.md), you can adjust the query to your preference. For example, you can adjust this line, which determines the size of the time window: + +```kusto +Timestamp between ((selectedTimestamp - 1h) .. (selectedTimestamp + 1h)) +``` + +In addition to modifying the query to get more relevant results, you can also: + +- [View the results as charts](advanced-hunting-query-results.md#view-query-results-as-a-table-or-chart) +- [Create a custom detection rule](custom-detection-rules.md) + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Custom detection rules](custom-detection-rules.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md new file mode 100644 index 0000000000..65059297a7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md @@ -0,0 +1,49 @@ +--- +title: Advanced hunting limits in Microsoft Defender ATP +description: Understand various service limits that keep the advanced hunting service responsive +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Advanced hunting service limits + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits. + +| Limit | Size | Refresh cycle | Description | +|--|--|--|--| +| Data range | 30 days | Every query | Each query can look up data from up to the past 30 days. | +| Result set | 10,000 rows | Every query | Each query can return up to 10,000 records. | +| Timeout | 10 minutes | Every query | Each query can run for up to 10 minutes. If it does not complete within 10 minutes, the service displays an error. +| CPU resources | Based on tenant size | - On the hour and then every 15 minutes
    - Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. | + +>[!NOTE] +>A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md) + +Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits. + +## Related topics + +- [Advanced hunting best practices](advanced-hunting-best-practices.md) +- [Handle advanced hunting errors](advanced-hunting-errors.md) +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Custom detections rules](custom-detection-rules.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 5cd3f15a09..40e92ba327 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -1,10 +1,10 @@ --- title: Overview of advanced hunting in Microsoft Defender ATP description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,45 +13,67 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Proactively hunt for threats with advanced hunting + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. +Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. -You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices. - -## Get started with advanced hunting Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. -

    +
    +
    > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo] -You can also go through each of the following steps to ramp up your advanced hunting knowledge. +You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings. + +>[!TIP] +>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) + +## Get started with advanced hunting + +Go through the following steps to ramp up your advanced hunting knowledge. + +We recommend going through several steps to quickly get up and running with advanced hunting. | Learning goal | Description | Resource | |--|--|--| -| **Get a feel for the language** | Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) | +| **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) | | **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) | -| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. This will help you determine where to look for data and how to construct your queries. | [Schema reference](advanced-hunting-schema-reference.md) | +| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) | | **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) | -| **Learn about custom detections** | Understand how you can use advanced hunting queries to trigger alerts and apply response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
    - [Custom detection rules](custom-detection-rules.md) | +| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
    - [Handle errors](advanced-hunting-errors.md) | +| **Get the most complete coverage** | Use audit settings to provide better data coverage for your organization. | - [Extend advanced hunting coverage](advanced-hunting-extend-data.md) | +| **Run a quick investigation** | Quickly run an advanced hunting query to investigate suspicious activity. | - [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md) | +| **Contain threats and address compromises** | Respond to attacks by quarantining files, restricting app execution, and other actions | - [Take action on advanced hunting query results](advanced-hunting-take-action.md) | +| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
    - [Custom detection rules](custom-detection-rules.md) | -## Get help as you write queries -Take advantage of the following functionality to write queries faster: -- **Autosuggest** — as you write queries, advanced hunting provides suggestions from IntelliSense. -- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. +## Data freshness and update frequency + +Advanced hunting data can be categorized into two distinct types, each consolidated differently. + +- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint. +- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. + +## Time zone + +Time information in advanced hunting is currently in the UTC time zone. ## Related topics + - [Learn the query language](advanced-hunting-query-language.md) - [Work with query results](advanced-hunting-query-results.md) - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -- [Custom detections overview](overview-custom-detections.md) +- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 947c3638f3..b8df669734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -4,7 +4,7 @@ description: Create your first threat hunting query and learn about common opera keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Learn the advanced hunting query language +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query. +Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query. ## Try your first query @@ -49,26 +52,21 @@ union DeviceProcessEvents, DeviceNetworkEvents FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType | top 100 by Timestamp ``` - -This is how it will look like in advanced hunting. - -![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png) - +**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)** ### Describe the query and specify the tables to search -A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization. +A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization. ```kusto // Finds PowerShell execution events that could involve a download ``` - -The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed. +The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed. ```kusto union DeviceProcessEvents, DeviceNetworkEvents ``` ### Set the time range -The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out. +The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out. ```kusto | where Timestamp > ago(7d) @@ -77,7 +75,7 @@ The first piped element is a time filter scoped to the previous seven days. Keep ### Check specific processes The time range is immediately followed by a search for process file names representing the PowerShell application. -``` +```kusto // Pivoting on PowerShell processes | where FileName in~ ("powershell.exe", "powershell_ise.exe") ``` @@ -98,7 +96,7 @@ Afterwards, the query looks for strings in command lines that are typically used ``` ### Customize result columns and length -Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process. +Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process. ```kusto | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, @@ -106,7 +104,7 @@ FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType | top 100 by Timestamp ``` -Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results. +Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results. ![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png) @@ -115,7 +113,7 @@ Click **Run query** to see the results. Select the expand icon at the top right ## Learn common query operators for advanced hunting -Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. +You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones. | Operator | Description and usage | |--|--| @@ -134,24 +132,43 @@ To see a live example of these operators, run them from the **Get started** sect ## Understand data types -Data in advanced hunting tables are generally classified into the following data types. +Advanced hunting supports Kusto data types, including the following common types: | Data type | Description and query implications | |--|--| -| `datetime` | Data and time information typically representing event timestamps | -| `string` | Character string | -| `bool` | True or false | -| `int` | 32-bit numeric value | -| `long` | 64-bit numeric value | +| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) | +| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) | +| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) | +| `int` | 32-bit integer | +| `long` | 64-bit integer | + +To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/). + +## Get help as you write queries +Take advantage of the following functionality to write queries faster: + +- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense. +- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor. +- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries + +## Work with multiple queries in the editor +You can use the query editor to experiment with multiple queries. To use multiple queries: + +- Separate each query with an empty line. +- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**. + +![Image of the advanced hunting query editor with multiple queries](images/ah-multi-query.png) +_Query editor with multiple queries_ + ## Use sample queries The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them. -![Image of advanced hunting window](images/atp-advanced-hunting.png) +![Image of the advanced hunting get started tab](images/atp-advanced-hunting.png) > [!NOTE] -> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository. +> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries). ## Access comprehensive query language reference @@ -160,7 +177,6 @@ For detailed information about the query language, see [Kusto query language doc ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Work with query results](advanced-hunting-query-results.md) +- [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index 34716e8296..3d01e56992 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -4,7 +4,7 @@ description: Make the most of the query results returned by advanced hunting in keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,20 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Work with advanced hunting query results +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) - -[!INCLUDE [Prerelease information](../../includes/prerelease.md)] +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results: @@ -115,6 +117,12 @@ After running a query, select **Export** to save the results to local file. Your ## Drill down from query results To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity. +To quickly inspect a record in your query results, select the corresponding row to open the Inspect record panel. The panel provides the following information based on the selected record: + +- **Assets** — A summarized view of the main assets (mailboxes, devices, and users) found in the record, enriched with available information, such as risk and exposure levels +- **Process tree** — A chart generated for records with process information and enriched using available contextual information; in general, queries that return more columns can result in richer process trees. +- **All details** — Lists all the values from the columns in the record + ## Tweak your queries from the results Right-click a value in the result set to quickly enhance your query. You can use the options to: @@ -125,9 +133,9 @@ Right-click a value in the result set to quickly enhance your query. You can use ![Image of advanced hunting result set](images/advanced-hunting-results-filter.png) ## Filter the query results -The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances. +The filters displayed in the right pane provide a summary of the result set. Every column has its own section in the pane, each of which lists the values found in that column, and the number of instances. -Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**. +Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude. Then select **Run query**. ![Image of advanced hunting filter](images/advanced-hunting-filter.png) @@ -139,4 +147,4 @@ Once you apply the filter to modify the query and then run the query, the result - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 59a850ea64..05d0ff1e4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -1,10 +1,10 @@ --- title: Advanced hunting schema reference -description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on +description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on. keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,23 +13,40 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/14/2020 +ms.technology: mde --- # Understand the advanced hunting schema -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. -## Schema tables +## Get schema information in the security center +While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema: + +- **Tables description**—type of data contained in the table and the source of that data. +- **Columns**—all the columns in the table. +- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information. +- **Sample query**—example queries that feature how the table can be utilized. + +### Access the schema reference +To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table. + +![Image showing how to access in-portal schema reference](images/ah-reference.png) + +## Learn the schema tables The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table. @@ -53,8 +70,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks | + ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Work with query results](advanced-hunting-query-results.md) - [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) - [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 677a74ca65..cbc1ca3ff9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -4,7 +4,7 @@ description: Start threat hunting immediately with predefined and shared queries keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,16 +13,20 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use shared queries in advanced hunting -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) [Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch. @@ -40,7 +44,7 @@ You can save a new or existing query so that it is only accessible to you or sha ![Image of saving a query](images/advanced-hunting-save-query.png) 4. Select the folder where you'd like to save the query. - - **Shared queries** — shared to all users in the your organization + - **Shared queries** — shared to all users in your organization - **My queries** — accessible only to you 5. Select **Save**. @@ -63,4 +67,8 @@ Microsoft security researchers regularly share advanced hunting queries in a [de ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file +- [Learn the query language](advanced-hunting-query-language.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md new file mode 100644 index 0000000000..c15efd569f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -0,0 +1,83 @@ +--- +title: Take action on advanced hunting query results in Microsoft Threat Protection +description: Quickly address threats and affected assets in your advanced hunting query results +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: lomayor +author: lomayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 09/20/2020 +ms.technology: mde +--- + +# Take action on advanced hunting query results + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can: + +- Take various actions on devices +- Quarantine files + +## Required permissions + +To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission: + +*Active remediation actions > Threat and vulnerability management - Remediation handling* + +## Take various actions on devices + +You can take the following actions on devices identified by the `DeviceId` column in your query results: + +- Isolate affected devices to contain an infection or prevent attacks from moving laterally +- Collect investigation package to obtain more forensic information +- Run an antivirus scan to find and remove threats using the latest security intelligence updates +- Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices +- Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables + +To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md). + +## Quarantine files + +You can deploy the *quarantine* action on files so that they are automatically quarantined when encountered. When selecting this action, you can choose between the following columns to identify which files in your query results to quarantine: + +- `SHA1` — In most advanced hunting tables, this is the SHA-1 of the file that was affected by the recorded action. For example, if a file was copied, this would be the copied file. +- `InitiatingProcessSHA1` — In most advanced hunting tables, this is the file responsible for initiating the recorded action. For example, if a child process was launched, this would be the parent process. +- `SHA256` — This is the SHA-256 equivalent of the file identified by the `SHA1` column. +- `InitiatingProcessSHA256` — This is the SHA-256 equivalent of the file identified by the `InitiatingProcessSHA1` column. + +To learn more about how quarantine actions are taken and how files can be restored, [read about response actions on files](respond-file-alerts.md). + +>[!NOTE] +>To locate files and quarantine them, the query results should also include `DeviceId` values as device identifiers. + +## Take action + +To take any of the described actions, select one or more records in your query results and then select **Take actions**. A wizard will guide you through the process of selecting and then submitting your preferred actions. + +![Image of selected record with panel for inspecting the record](images/ah-take-actions.png) + +## Review actions taken + +Each action is individually recorded in the action center, under **Action center** > **History** ([security.microsoft.com/action-center/history](https://security.microsoft.com/action-center/history)). Go to the action center to check the status of each action. + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Work with query results](advanced-hunting-query-results.md) +- [Apply query best practices](advanced-hunting-best-practices.md) +- [Custom detections overview](overview-custom-detections.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 4a29f349d6..6c96b5ea1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -5,7 +5,7 @@ description: View and manage the alerts surfaced in Microsoft Defender Security keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,12 +14,16 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/03/2018 +ms.technology: mde --- # Alerts queue in Microsoft Defender Security Center + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index c745548afb..bcfca19802 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -4,7 +4,7 @@ description: Learn about how the Microsoft Defender ATP alerts queues work, and keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 03/27/2020 +ms.technology: mde --- -# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue +# View and organize the Microsoft Defender for Endpoint Alerts queue + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. @@ -58,15 +62,15 @@ Informational
    (Grey) | Alerts that might not be considered harmful to the n #### Understanding alert severity -Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. +Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes. The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected. -The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. +The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. +- The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. - An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. @@ -77,24 +81,24 @@ We've redefined the alert categories to align to the [enterprise attack tactics] The table below lists the current categories and how they generally map to previous categories. -| New category | Previous categories | Detected threat activity or component | -|----------------------|----------------------|-------------| -| Collection | - | Locating and collecting data for exfiltration | -| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | -| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network | -| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | -| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | -| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors | -| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | -| Exploit | Exploit | Exploit code and possible exploitation activity | -| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | -| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence | -| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code | -| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | -| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | -| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | -| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack | -| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | +| New category | API category name | Detected threat activity or component | +|----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| Collection | Collection | Locating and collecting data for exfiltration | +| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | +| Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network | +| Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | +| Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | +| Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors | +| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | +| Exploit | Exploit | Exploit code and possible exploitation activity | +| Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | +| Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence | +| Malware | Malware | Backdoors, trojans, and other types of malicious code | +| Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | +| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | +| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | +| Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack | +| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | ### Status @@ -115,11 +119,27 @@ You can choose between showing alerts that are assigned to you or automation. ### Detection source -Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. +Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. >[!NOTE] >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. +| Detection source | API value | +|-----------------------------------|----------------------------| +| 3rd party sensors | ThirdPartySensors | +| Antivirus | WindowsDefenderAv | +| Automated investigation | AutomatedInvestigation | +| Custom detection | CustomDetection | +| Custom TI | CustomerTI | +| EDR | WindowsDefenderAtp | +| Microsoft 365 Defender | MTP | +| Microsoft Defender for Office 365 | OfficeATP | +| Microsoft Threat Experts | ThreatExperts | +| SmartScreen | WindowsDefenderSmartScreen | + + + + ### OS platform @@ -135,11 +155,11 @@ Use this filter to focus on alerts that are related to high profile threats. You ## Related topics -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 820026e626..a9c6b01922 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -1,9 +1,9 @@ --- title: Get alerts API -description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts. +description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,13 +14,22 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Alert resource type -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Methods @@ -28,7 +37,8 @@ Method |Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. -[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md). +[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md). +[Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md). [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). @@ -60,45 +70,145 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. +threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. -comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. +detectorId | String | The ID of the detector that triggered the alert. +comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time. +Evidence | List of Alert evidence | Evidence related to the alert. See example below. ### Response example for getting single alert: -``` -GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499 +```http +GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` ```json { - "id": "da637084217856368682_-292920499", - "incidentId": 66860, - "investigationId": 4416234, - "investigationState": "Running", - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "New", - "classification": "TruePositive", - "determination": null, - "detectionSource": "WindowsDefenderAtp", - "category": "CommandAndControl", - "threatFamilyName": null, - "title": "Network connection to a risky host", - "description": "A network connection was made to a risky host which has exhibited malicious activity.", - "alertCreationTime": "2019-11-03T23:49:45.3823185Z", - "firstEventTime": "2019-11-03T23:47:16.2288822Z", - "lastEventTime": "2019-11-03T23:47:51.2966758Z", - "lastUpdateTime": "2019-11-03T23:55:52.6Z", - "resolvedTime": null, - "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", - "comments": [ - { - "comment": "test comment for docs", - "createdBy": "secop@contoso.com", - "createdTime": "2019-11-05T14:08:37.8404534Z" - } - ] + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, + "assignedTo": null, + "severity": "Low", + "status": "New", + "classification": null, + "determination": null, + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "resolvedTime": null, + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], + "relatedUser": { + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], + "evidence": [ + { + "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": null, + "sha256": null, + "fileName": null, + "filePath": null, + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 9022d913df..c0d3f7f4e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -1,11 +1,11 @@ --- title: Configure Microsoft Defender ATP for Android features -ms.reviewer: -description: Describes how to configure Microsoft Defender ATP for Android +ms.reviewer: +description: Describes how to configure Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,40 +14,46 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Configure Microsoft Defender ATP for Android features +# Configure Defender for Endpoint for Android features + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) -## Conditional Access with Microsoft Defender ATP for Android -Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active +## Conditional Access with Defender for Endpoint for Android +Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies -based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Configure custom indicators >[!NOTE] -> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains. +> Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains. -Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). +Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). ## Configure web protection -Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. +Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. >[!NOTE] -> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +> Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android). ## Related topics -- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) +- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index d2f56eeeb1..dcaf457b37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Android with Microsoft Intune -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,183 +14,157 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Deploy Microsoft Defender ATP for Android with Microsoft Intune +# Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Defender for Endpoint](microsoft-defender-atp-android.md) -This topic describes deploying Microsoft Defender ATP for Android on Intune +Learn how to deploy Defender for Endpoint for Android on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal). > [!NOTE] -> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
    -> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** +> **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
    +> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes. + Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices -**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device +**Deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices** -This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported. +Learn how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices. -### Download the onboarding package - -Download the onboarding package from Microsoft Defender Security Center. - -1. In [Microsoft Defender Security -Center](https://securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**. - -2. In the first drop-down, select **Android** as the Operating system. - -3. Select **Download Onboarding package** and save the downloaded .APK file. - - ![Image of onboarding package page](images/onboarding_package_1.png) - -### Add as Line of Business (LOB) App - -The downloaded Microsoft Defender ATP for Android onboarding package. It is a -.APK file can be deployed to user groups as a Line of Business app during the -preview from Microsoft Endpoint Manager Admin Center. +### Add as Android store app 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add \> Line-of-business app** and click **Select**. +**Android Apps** \> **Add \> Android store app** and choose **Select**. - ![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png) + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addandroidstoreapp.png) -2. On the **Add app** page and in the *App Information* section, click **Select -add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step. +2. On the **Add app** page and in the *App Information* section enter: - ![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png) + - **Name** + - **Description** + - **Publisher** as Microsoft. + - **App store URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) + Other fields are optional. Select **Next**. -3. Select **OK**. + ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png) -4. In the *App Information* section that comes up, enter the **Publisher** as -Microsoft. Other fields are optional and then select **Next**. - - ![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png) - -5. In the *Assignments* section, go to the **Required** section and select **Add -group.** You can then choose the user group(s) that you would like to target -Microsoft Defender ATP for Android app. Click **Select** and then **Next**. +3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**. >[!NOTE] >The selected user group should consist of Intune enrolled users. - ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) -6. In the **Review+Create** section, verify that all the information entered is -correct and then select **Create**. +4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - In a few moments, the Microsoft Defender ATP app would be created successfully, -and a notification would show up at the top-right corner of the page. + In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page. ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) -7. In the app information page that is displayed, in the **Monitor** section, +5. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully. - ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) -During Public Preview, to **update** Microsoft Defender ATP for Android deployed -as a Line of Business app, download the latest APK. Following the steps in -*Download the onboarding package* section and follow instructions on how to [update -a Line of Business -App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app). - ### Complete onboarding and check status -1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon. +1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon. ![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg) 2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions -to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android. +to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android. 3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center. - ![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + ![Image of device in Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) ## Deploy on Android Enterprise enrolled devices -Microsoft Defender ATP for Android supports Android Enterprise enrolled devices. +Defender for Endpoint for Android supports Android Enterprise enrolled devices. For more information on the enrollment options supported by Intune, see -[Enrollment -Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . +[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll). -As Microsoft Defender ATP for Android is deployed via managed Google Play, -updates to the app are automatic via Google Play. - -Currently only Personal devices with Work Profile enrolled are supported for deployment. +**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.** ->[!NOTE] ->During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).
    -> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported. -## Add Microsoft Defender ATP for Android as a managed Google Play app +## Add Microsoft Defender for Endpoint for Android as a Managed Google Play app -After receiving a confirmation e-mail from Microsoft that your managed Google -Play organization ID has been approved, follow the steps below to add Microsoft -Defender ATP app into your managed Google Play. +Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play. 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> -**Android Apps** \> **Add** and select **managed Google Play app**. +**Android Apps** \> **Add** and select **Managed Google Play app**. - ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) 2. On your managed Google Play page that loads subsequently, go to the search box and lookup **Microsoft Defender.** Your search should display the Microsoft -Defender ATP app in your Managed Google Play. Click on the Microsoft Defender -ATP app from the Apps search result. +Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result. ![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png) 3. In the App description page that comes up next, you should be able to see app -details on Microsoft Defender ATP. Review the information on the page and then +details on Defender for Endpoint. Review the information on the page and then select **Approve**. - ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) + > [!div class="mx-imgBorder"] + > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) -4. You should now be presented with the permissions that Microsoft Defender ATP +4. You'll be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select **Approve**. - ![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) + ![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) 5. You'll be presented with the Approval settings page. The page confirms -your preference to handle new app permissions that Microsoft Defender ATP for +your preference to handle new app permissions that Defender for Endpoint for Android might ask. Review the choices and select your preferred option. Select **Done**. By default, managed Google Play selects *Keep approved when app requests new permissions* - ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) + > [!div class="mx-imgBorder"] + > ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) -6. After the permissions handling selection is made, select **Sync** to sync -Microsoft Defender ATP to your apps list. +6. After the permissions handling selection is made, select **Sync** to sync Microsoft +Defender for Endpoint to your apps list. - ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) + > [!div class="mx-imgBorder"] + > ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) 7. The sync will complete in a few minutes. @@ -200,54 +174,61 @@ Microsoft Defender ATP to your apps list. 8. Select the **Refresh** button in the Android apps screen and Microsoft Defender ATP should be visible in the apps list. - ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) + > [!div class="mx-imgBorder"] + > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) -9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). +9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). - a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. + 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. - ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) + ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) - b. In the **Create app configuration policy** page, enter the following details: + 1. In the **Create app configuration policy** page, enter the following details: + - Name: Microsoft Defender ATP. - Choose **Android Enterprise** as platform. - Choose **Work Profile only** as Profile Type. - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**. - ![Image of create app configuration policy page](images/android-create-app.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy page](images/android-create-app.png) - c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions - - External storage (read) - - External storage (write) + 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions: - Then select **OK**. + - External storage (read) + - External storage (write) - ![Image of create app configuration policy](images/android-create-app-config.png) + Then select **OK**. + + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-create-app-config.png) - d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. + 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. - ![Image of create app configuration policy](images/android-auto-grant.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-auto-grant.png) - e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. + 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. - ![Image of create app configuration policy](images/android-select-group.png) + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-select-group.png) - f. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    + 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    - The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. - - ![Image of create app configuration policy](images/android-review-create.png) + The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group. + > [!div class="mx-imgBorder"] + > ![Image of create app configuration policy](images/android-review-create.png) 10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> **Assignments** \> **Edit**. - ![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png) + ![Image of list of apps](images/mda-properties.png) 11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of @@ -255,40 +236,79 @@ the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**. - ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) + > [!div class="mx-imgBorder"] + > ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) 12. In the **Edit Application** page, review all the information that was entered above. Then select **Review + Save** and then **Save** again to commence assignment. +### Auto Setup of Always-on VPN +Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding. +1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise** +Select **Device restrictions** under one of the following, based on your device enrollment type +- **Fully Managed, Dedicated, and Corporate-Owned Work Profile** +- **Personally owned Work Profile** + +Select **Create**. + + > ![Image of devices configuration profile Create](images/1autosetupofvpn.png) + +2. **Configuration Settings** + Provide a **Name** and a **Description** to uniquely identify the configuration profile. + + > ![Image of devices configuration profile Name and Description](images/2autosetupofvpn.png) + + 3. Select **Connectivity** and configure VPN: +- Enable **Always-on VPN** +Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device. +- Select **Custom** in VPN client dropdown list +Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature. + > [!NOTE] + > Microsoft Defender ATP app must be installed on user’s device, in order to functioning of auto setup of this VPN. + +- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx** +- **Lockdown mode** Not configured (Default) + + ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png) + +4. **Assignment** +In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups** to include and selecting the applicable group and then click **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. + + ![Image of devices configuration profile Assignment](images/4autosetupofvpn.png) + +5. In the **Review + Create** page that comes up next, review all the information and then select **Create**. +The device configuration profile is now assigned to the selected user group. + + ![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png) + ## Complete onboarding and check status -1. Confirm the installation status of Microsoft Defender ATP for Android by +1. Confirm the installation status of Microsoft Defender for Endpoint for Android by clicking on the **Device Install Status**. Verify that the device is displayed here. - ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) + > [!div class="mx-imgBorder"] + > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) -2. On the device, you can confirm the same by going to the **work profile** and -confirm that Microsoft Defender ATP is available. +2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available. ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png) 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - ![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png) + ![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png) -4. At this stage the device is successfully onboarded onto Microsoft Defender -ATP for Android. You can verify this on the [Microsoft Defender Security +4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security Center](https://securitycenter.microsoft.com) by navigating to the **Devices** page. - ![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + ![Image of Microsoft Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) ## Related topics -- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Configure Microsoft Defender ATP for Android features](android-configure.md) +- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md new file mode 100644 index 0000000000..d14d7b7606 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md @@ -0,0 +1,111 @@ +--- +title: Microsoft Defender ATP for Android - Privacy information +description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android. +keywords: microsoft, defender, atp, android, privacy, diagnostic +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde +--- + +# Microsoft Defender for Endpoint for Android - Privacy information + +**Applies to:** + +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) + + +Defender for Endpoint for Android collects information from your configured +Android devices and stores it in the same tenant where you have Defender for Endpoint. + +Information is collected to help keep Defender for Endpoint for Android secure, +up-to-date, performing as expected and to support the service. + +## Required Data + +Required data consists of data that is necessary to make Defender for Endpoint +for Android work as expected. This data is essential to the operation of the +service and can include data related to the end user, organization, device, and +apps. Here's a list of the types of data being collected: + +### App information + +Information about Android application packages (APKs) on the device including + +- Install source +- Storage location (file path) of the APK +- Time of install, size of APK and permissions + +### Web page / Network information + +- Full URL (on supported browsers), when clicked +- Connection information +- Protocol type (such as HTTP, HTTPS, etc.) + + +### Device and account information + +- Device information such as date & time, Android version, OEM model, CPU + info, and Device identifier +- Device identifier is one of the below: + - Wi-Fi adapter MAC address + - [Android + ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID) + (as generated by Android at the time of first boot of the device) + - Randomly generated globally unique identifier (GUID) + +- Tenant, Device and User information + - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely + identifies the device, User respectively at Azure Active directory. + + - Azure tenant ID - GUID that identifies your organization within + Azure Active Directory + + - Microsoft Defender ATP org ID - Unique identifier associated with + the enterprise that the device belongs to. Allows Microsoft to + identify whether issues are impacting a select set of enterprises + and how many enterprises are impacted  + + - User Principal Name – Email ID of the user + +### Product and service usage data +- App package info, including name, version, and app upgrade status + +- Actions performed in the app + +- Threat detection information, such as threat name, category, etc. + +- Crash report logs generated by Android + +## Optional Data + +Optional data includes diagnostic data and feedback data. Optional diagnostic +data is additional data that helps us make product improvements and provides +enhanced information to help us detect, diagnose, and fix issues. Optional +diagnostic data includes: + +- App, CPU, and network usage + +- State of the device from the app perspective, including scan status, scan + timings, app permissions granted, and upgrade status + +- Features configured by the admin + +- Basic information about the browsers on the device + +**Feedback Data** is collected through in-app feedback provided by the user + +- The user’s email address, if they choose to provide it + +- Feedback type (smile, frown, idea) and any feedback comments submitted by + the user diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md new file mode 100644 index 0000000000..f9fe77aefa --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md @@ -0,0 +1,100 @@ +--- +title: Troubleshoot issues on Microsoft Defender ATP for Android +ms.reviewer: +description: Troubleshoot issues for Microsoft Defender ATP for Android +keywords: microsoft, defender, atp, android, cloud, connectivity, communication +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.technology: mde +--- + +# Troubleshooting issues on Microsoft Defender for Endpoint for Android + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** + +- [Defender for Endpoint](microsoft-defender-atp-android.md) + +During onboarding, you might encounter sign in issues after the app is installed on your device. + +This article provides solutions to address the sign on issues. + +## Sign in failed - unexpected error +**Sign in failed:** *Unexpected error, try later* + +![Image of sign in failed error Unexpected error](images/f9c3bad127d636c1f150d79814f35d4c.png) + +**Message:** + +Unexpected error, try later + +**Cause:** + +You have an older version of "Microsoft Authenticator" app installed on your +device. + +**Solution:** + +Install latest version and of [Microsoft +Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator) +from Google Play Store and try again + +## Sign in failed - invalid license + +**Sign in failed:** *Invalid license, please contact administrator* + +![Image of sign in failed please contact administrator](images/920e433f440fa1d3d298e6a2a43d4811.png) + +**Message:** *Invalid license, please contact administrator* + +**Cause:** + +You do not have Microsoft 365 license assigned, or your organization does not +have a license for Microsoft 365 Enterprise subscription. + +**Solution:** + +Contact your administrator for help. + +## Phishing pages are not blocked on specific OEM devices + +**Applies to:** Specific OEMs only + +- **Xiaomi** + +Phishing and harmful web connection threats detected by Defender for Endpoint +for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices. + +![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png) + + +**Cause:** + +Xiaomi devices introduced a new permission that prevents Defender for Endpoint +for Android app from displaying pop-up windows while running in the background. + +Xiaomi devices permission: "Display pop-up windows while running in the +background." + +![Image of pop up setting](images/6e48e7b29daf50afddcc6c8c7d59fd64.png) + +**Solution:** + +Enable the required permission on Xiaomi devices. + +- Display pop-up windows while running in the background. diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index c7309c2bb9..05151f5a7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Android Application license terms -ms.reviewer: +ms.reviewer: description: Describes the Microsoft Defender ATP for Android license terms -keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, +keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,14 +17,18 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual hideEdit: true +ms.technology: mde --- -# Microsoft Defender ATP for Android application license terms +# Microsoft Defender for Endpoint for Android application license terms + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint](microsoft-defender-atp-android.md) -## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT These license terms ("Terms") are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They @@ -49,21 +53,21 @@ DO NOT USE THE APPLICATION.** 1. **INSTALLATION AND USE RIGHTS.** 1. **Installation and Use.** You may install and use any number of copies - of this application on Android enabled device or devices which you own + of this application on Android enabled device or devices that you own or control. You may use this application with your company's valid - subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or - an online service that includes MDATP functionalities. + subscription of Microsoft Defender for Endpoint or + an online service that includes Microsoft Defender for Endpoint functionalities. - 2. **Updates.** Updates or upgrades to MDATP may be required for full + 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries. - 3. **Third Party Programs.** The application may include third party + 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only. 2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to - Internet access, data transfer and other services per the terms of the data + Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges. @@ -89,21 +93,21 @@ DO NOT USE THE APPLICATION.** improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of - certain features of the application. For additional information on - Microsoft's data collection and use, see the [Online Services + certain features of the application. For more information about + Microsoft data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777). 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain - unauthorized access to any service, data, account or network by any + unauthorized access to any service, data, account, or network by any means. 4. **FEEDBACK.** If you give feedback about the application to Microsoft, you - give to Microsoft, without charge, the right to use, share and commercialize + give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, - technologies and services to use or interface with any specific parts of a + technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback @@ -127,35 +131,35 @@ DO NOT USE THE APPLICATION.** - publish the application for others to copy; - - rent, lease or lend the application; or + - rent, lease, or lend the application; or - transfer the application or this agreement to any third party. 6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws - include restrictions on destinations, end users and end use. For additional + include restrictions on destinations, end users, and end use. For more information, - see[www.microsoft.com/exporting](https://www.microsoft.com/exporting). + + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). 7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about your use of this application, including questions about your company's - privacy policy, please contact your company's admin. Do not contact the + privacy policy, contact your company's admin. Do not contact the application store, your network operator, device manufacturer, or Microsoft. The application store provider has no obligation to furnish support or maintenance with respect to the application. 8. **APPLICATION STORE.** - 1. If you obtain the application through an application store (e.g., Google - Play), please review the applicable application store terms to ensure + 1. If you obtain the application through an application store (for example, Google + Play), review the applicable application store terms to ensure your download and use of the application complies with such terms. - Please note that these Terms are between you and Microsoft and not with + Note that these Terms are between you and Microsoft and not with the application store. - 2. The respective application store provider and its subsidiaries are third - party beneficiaries of these Terms, and upon your acceptance of these + 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights. @@ -210,20 +214,20 @@ DO NOT USE THE APPLICATION.** This limitation applies to: - anything related to the application, services, content (including code) on - third party Internet sites, or third party programs; and + third-party internet sites, or third-party programs; and -- claims for breach of contract, warranty, guarantee or condition; consumer +- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, - misrepresentation, omission, trespass or other tort; violation of statute or + misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law. It also applies even if: -a. Repair, replacement or refund for the application does not fully compensate +a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or b. Covered Parties knew or should have known about the possibility of the damages. -The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index 09f3293f1a..3e72e99874 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -1,11 +1,11 @@ --- -title: API Explorer in Microsoft Defender ATP +title: API Explorer in Microsoft Defender ATP ms.reviewer: description: Use the API Explorer to construct and do API queries, test, and send requests for any available API -keywords: api, explorer, send, request, get, post, +keywords: api, explorer, send, request, get, post, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,19 +14,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # API Explorer +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively. +The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively. -The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface. +The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface. The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens. @@ -44,7 +48,7 @@ From the left navigation menu, select **Partners & APIs** > **API Explorer**. ## Supported APIs -API Explorer supports all the APIs offered by Microsoft Defender ATP. +API Explorer supports all the APIs offered by Defender for Endpoint. The list of supported APIs is available in the [APIs documentation](apis-intro.md). @@ -58,7 +62,7 @@ Some of the samples may require specifying a parameter in the URL, for example, ## FAQ **Do I need to have an API token to use the API Explorer?**
    -Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request. +Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request. The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 88fd42601a..9d645dbb75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -4,7 +4,7 @@ ms.reviewer: description: Create a practice 'Hello world'-style API call to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,15 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Microsoft Defender ATP API - Hello World +# Microsoft Defender for Endpoint API - Hello World -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## Get Alerts using a simple PowerShell script @@ -44,7 +52,7 @@ For the Application registration stage, you must have a **Global administrator** 3. In the registration form, choose a name for your application and then click **Register**. -4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission: +4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission: - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. @@ -100,8 +108,8 @@ $tenantId = '' ### Paste your tenant ID here $appId = '' ### Paste your Application ID here $appSecret = '' ### Paste your Application secret here -$resourceAppIdUri = 'https://api.securitycenter.windows.com' -$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$resourceAppIdUri = 'https://api.securitycenter.microsoft.com' +$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId" @@ -139,7 +147,7 @@ $dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o") # The URL contains the type of query and the time filter we create above # Read more about other query options and filters at Https://TBD- add the documentation link -$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime" +$url = "https://api.securitycenter.microsoft.com/api/alerts?`$filter=alertCreationTime ge $dateTime" # Set the WebRequest headers $headers = @{ @@ -174,6 +182,6 @@ You’re all done! You have just successfully: ## Related topic -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index e4a1dddb18..6daada5960 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant. keywords: flow, supported apis, api, Microsoft flow, query, automation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,15 +13,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes. @@ -78,4 +82,4 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the You can also create a **scheduled** flow that runs Advanced Hunting queries and much more! ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 1e157ea511..2327c105d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -4,7 +4,7 @@ description: Understand how the Detections API fields map to the values in Micro keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,29 +13,33 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Microsoft Defender ATP detections API fields +# Microsoft Defender for Endpoint detections API fields + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. +>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections. >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details. ->- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. -The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). Field numbers match the numbers in the images below. @@ -46,12 +50,12 @@ Field numbers match the numbers in the images below. > | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. | > | 2 | Severity | deviceSeverity | High | Value available for every Detection. | > | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. | -> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. | +> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. | > | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. | > | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. | > | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. | -> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. | -> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. | +> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. | +> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. | > | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. | > | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. | > | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. | @@ -69,6 +73,9 @@ Field numbers match the numbers in the images below. > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | +| | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection. +| | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. +| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | @@ -91,7 +98,7 @@ Field numbers match the numbers in the images below. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) +- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index a7f95c1789..6028056d7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -4,7 +4,7 @@ ms.reviewer: description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs. keywords: apis, supported apis, Power BI, reports search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create custom reports using Power BI -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs. +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + +In this section you will learn create a Power BI report on top of Defender for Endpoint APIs. The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. @@ -43,9 +51,9 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a ``` let - AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'", + AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti' | limit 20", - HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries", + HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries", Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])), @@ -111,7 +119,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a Query = "MachineActions", - Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) + Source = OData.Feed("https://api.securitycenter.microsoft.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) in Source @@ -130,6 +138,6 @@ View the Microsoft Defender ATP Power BI report samples. For more information, s ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Using OData Queries](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md new file mode 100644 index 0000000000..b46d84553b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -0,0 +1,73 @@ +--- +title: Microsoft Defender for Endpoint API release notes +description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs. +keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Microsoft Defender for Endpoint API release notes + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made. + + +### 25.01.2021 +
    + +- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute. + +
    + +### 21.01.2021 +
    + +- Added new API: [Find devices by tag](machine-tags.md). +- Added new API: [Import Indicators](import-ti-indicators.md). + +
    + +### 03.01.2021 +
    + +- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. +- Updated [Alert entity](alerts.md): added ***detectorId*** property. + +
    + +### 15.12.2020 +
    + +- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md). + +
    + +### 04.11.2020 +
    + +- Added new API: [Set device value](set-device-value.md). +- Updated [Device](machine.md) entity: added ***deviceValue*** property. + +
    + +### 01.09.2020 +
    + +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md). + +
    +
    \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 1e42b10a63..b4e75388d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -3,7 +3,7 @@ title: Microsoft Defender ATP API license and terms of use description: Description of the license and terms of use for Microsoft Defender APIs keywords: license, terms, apis, legal, notices, code of conduct search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,19 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Microsoft Defender ATP API license and terms of use +# Microsoft Defender for Endpoint API license and terms of use + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + ## APIs -Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). +Defender for Endpoint APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). ### Throttling limits diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index aac9695165..444d2c945c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -1,10 +1,10 @@ --- -title: Access the Microsoft Defender Advanced Threat Protection APIs +title: Access the Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,34 +13,37 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Access the Microsoft Defender Advanced Threat Protection APIs +# Access the Microsoft Defender for Endpoint APIs -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -Watch this video for a quick overview of Microsoft Defender ATP's APIs. +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +Watch this video for a quick overview of Defender for Endpoint's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Microsoft Defender ATP API +- Use the token to access Defender for Endpoint API -You can access Microsoft Defender ATP API with **Application Context** or **User Context**. +You can access Defender for Endpoint API with **Application Context** or **User Context**. - **Application Context: (Recommended)**
    Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons. - Steps that need to be taken to access Microsoft Defender ATP API with application context: + Steps that need to be taken to access Defender for Endpoint API with application context: 1. Create an AAD Web-Application. 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. @@ -54,7 +57,8 @@ You can access Microsoft Defender ATP API with **Application Context** or **User - **User Context:**
    Used to perform actions in the API on behalf of a user. - Steps that needs to be taken to access Microsoft Defender ATP API with application context: + Steps to take to access Defender for Endpoint API with application context: + 1. Create AAD Native-Application. 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 3. Get token using the application with user credentials. @@ -64,6 +68,6 @@ You can access Microsoft Defender ATP API with **Application Context** or **User ## Related topics -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 1181ff8181..e7fadf1bcc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -4,7 +4,7 @@ description: Assign read and write or read only access to the Microsoft Defender keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,25 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/28/2018 +ms.technology: mde --- # Assign user access to Microsoft Defender Security Center +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Azure Active Directory - Office 365 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -Microsoft Defender ATP supports two ways to manage permissions: +Defender for Endpoint supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). @@ -35,7 +39,7 @@ Microsoft Defender ATP supports two ways to manage permissions: > [!NOTE] > If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: > -> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC. +> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC. > - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. > - After switching to RBAC, you will not be able to switch back to using basic permissions management. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 492d7037dc..1d68f71101 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -4,7 +4,7 @@ description: Run the provided attack scenario simulations to experience how Micr keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,24 +13,28 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/20/2018 +ms.technology: mde --- -# Experience Microsoft Defender ATP through simulated attacks +# Experience Microsoft Defender for Endpoint through simulated attacks + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). -You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. +You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response. ## Before you begin @@ -58,10 +62,10 @@ Read the walkthrough document provided with each attack scenario. Each document > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device. > > -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) ## Related topics - [Onboard devices](onboard-configure.md) -- [Onboard Windows 10 devices](configure-endpoints.md) \ No newline at end of file +- [Onboard Windows 10 devices](configure-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 992ba51235..642503eab4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -4,7 +4,7 @@ description: Find answers to frequently asked questions about Microsoft Defender keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,17 +14,21 @@ ms.author: v-maave ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Attack surface reduction frequently asked questions (FAQ) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ## Is attack surface reduction (ASR) part of Windows? -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. ## Do I need to have an enterprise license to run ASR rules? @@ -40,7 +44,7 @@ Yes. ASR is supported for Windows Enterprise E3 and above. All of the rules supported with E3 are also supported with E5. -E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. +E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide&preserve-view=true#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. ## What are the currently supported ASR rules? @@ -72,13 +76,13 @@ Larger organizations should consider rolling out ASR rules in "rings," by auditi Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. -## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR? +## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR? -In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. -The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities. +The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities. -From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. +From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. ## Does ASR support file or folder exclusions that include system variables and wildcards in the path? @@ -92,9 +96,9 @@ It depends on the rule. Most ASR rules cover the behavior of Microsoft Office pr ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time. -## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline? +## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline? -Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP. +Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint. ## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'. @@ -124,7 +128,7 @@ Because many legitimate processes throughout a typical day will be calling on ls Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. -## Related topics +## See also * [Attack surface reduction overview](attack-surface-reduction.md) * [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index de60666730..eaee14028a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware. keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,48 +11,109 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr +ms.technology: mde + --- -# Reduce attack surfaces with attack surface reduction rules +# Use attack surface reduction rules to prevent malware infection + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks. +## Why attack surface reduction rules are important -Attack surface reduction rules target software behaviors that are often abused by attackers, such as: +Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help! -- Launching executable files and scripts that attempt to download or run files -- Running obfuscated or otherwise suspicious scripts -- Performing behaviors that apps don't usually initiate during normal day-to-day work +Attack surface reduction rules target certain software behaviors, such as: -Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe. +- Launching executable files and scripts that attempt to download or run files; +- Running obfuscated or otherwise suspicious scripts; and +- Performing behaviors that apps don't usually initiate during normal day-to-day work. -Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity. - -Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center. +Such software behaviors are sometimes seen in legitimate applications; however, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain risky behaviors and help keep your organization safe. For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +## Assess rule impact before deployment + +You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm). + +:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule"::: + +In the recommendation details pane, check for user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adversely affecting productivity. + +## Audit mode for evaluation + +Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if they were enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without reducing productivity. + +## Warn mode for users + +(**NEW**!) Prior to warn mode capabilities, attack surface reduction rules that are enabled could be set to either audit mode or block mode. With the new warn mode, whenever content is blocked by an attack surface reduction rule, users see a dialog box that indicates the content is blocked. The dialog box also offers the user an option to unblock the content. The user can then retry their action, and the operation completes. When a user unblocks content, the content remains unblocked for 24 hours, and then blocking resumes. + +Warn mode helps your organization have attack surface reduction rules in place without preventing users from accessing the content they need to perform their tasks. + +### Requirements for warn mode to work + +Warn mode is supported on devices running the following versions of Windows: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). + +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. +- Minimum platform release requirement: `4.18.2008.9` +- Minimum engine release requirement: `1.1.17400.5` + +For more information and to get your updates, see [Update for Microsoft Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform). + +### Cases where warn mode is not supported + +Warn mode is not supported for the following attack surface reduction rules: + +- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`) +- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`) +- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`) + +In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode. + +## Notifications and alerts + +Whenever an attack surface reduction rule is triggered, a notification is displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. + +In addition, when certain attack surface reduction rules are triggered, alerts are generated. + +Notifications and any alerts that are generated can be viewed in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)). + +## Advanced hunting and attack surface reduction events + +You can use advanced hunting to view attack surface reduction events. To streamline the volume of incoming data, only unique processes for each hour are viewable with advanced hunting. The time of an attack surface reduction event is the first time that event is seen within the hour. + +For example, suppose that an attack surface reduction event occurs on 10 devices during the 2:00 PM hour. Suppose that the first event occurred at 2:15, and the last at 2:45. With advanced hunting, you'll see one instance of that event (even though it actually occurred on 10 devices), and its timestamp will be 2:15 PM. + +For more information about advanced hunting, see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md). + ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows: - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios. +Defender for Endpoint provides detailed reporting for events and blocks as part of alert investigation scenarios. -You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: @@ -66,46 +127,101 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. - 3. Under **Actions**, select **Import custom view...**. - 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. -This will create a custom view that filters events to only show the following, all of which are related to controlled folder access: +You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: |Event ID | Description | -|---|---| +|:---|:---| |5007 | Event when settings are changed | |1121 | Event when rule fires in Block-mode | |1122 | Event when rule fires in Audit-mode | -The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. +The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. ## Attack surface reduction rules -The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs: +The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. + +If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs. + | Rule name | GUID | File & folder exclusions | Minimum OS supported | -|-----|----|---|---| -|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|:-----|:-----:|:-----|:-----| +|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |`26190899-1602-49e8-8b27-eb1d0a1ce869` |Supported |[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | |[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | |[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | -|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater | +|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | +|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater | + +### Block Adobe Reader from creating child processes + +This rule prevents attacks by blocking Adobe Reader from creating processes. + +Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. + +This rule was introduced in: +- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: `Process creation from Adobe Reader (beta)` + +Configuration Manager name: Not yet available + +GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` + +### Block all Office applications from creating child processes + +This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access. + +Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Office apps launching child processes` + +Configuration Manager name: `Block Office application from creating child processes` + +GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` + +### Block credential stealing from the Windows local security authority subsystem + +This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). + +LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. + +> [!NOTE] +> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Flag credential stealing from the Windows local security authority subsystem` + +Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem` + +GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` ### Block executable content from email client and webmail @@ -118,37 +234,86 @@ This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) +- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) +Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)` -Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail +Microsoft Endpoint Manager name: `Block executable content from email client and webmail` GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` -### Block all Office applications from creating child processes +> [!NOTE] +> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: +> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). +> - Endpoint Manager: Block executable content download from email and webmail clients. +> - Group Policy: Block executable content from email client and webmail. -This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +### Block executable files from running unless they meet a prevalence, age, or trusted list criterion -Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings. +This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: + +- Executable files (such as .exe, .dll, or .scr) + +Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. + +> [!IMPORTANT] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

    The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly. +> +>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria` + +Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria` + +GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` + +### Block execution of potentially obfuscated scripts + +This rule detects suspicious properties within an obfuscated script. + +Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. + +This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps launching child processes +Intune name: `Obfuscated js/vbs/ps/macro code` -Configuration Manager name: Block Office application from creating child processes +Configuration Manager name: `Block execution of potentially obfuscated scripts` -GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` +GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` + +### Block JavaScript or VBScript from launching downloaded executable content + +This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. + +Although not common, line-of-business applications sometimes use scripts to download and launch installers. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)` + +Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content` + +GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk. - Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. +Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique. This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) @@ -156,9 +321,9 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager) -Intune name: Office apps/macros creating executable content +Intune name: `Office apps/macros creating executable content` -SCCM name: Block Office applications from creating executable content +SCCM name: `Block Office applications from creating executable content` GUID: `3B576869-A4EC-4529-8536-B80A7769E899` @@ -178,173 +343,17 @@ This rule was introduced in: - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) -Intune name: Office apps injecting code into other processes (no exceptions) +Intune name: `Office apps injecting code into other processes (no exceptions)` -Configuration Manager name: Block Office applications from injecting code into other processes +Configuration Manager name: `Block Office applications from injecting code into other processes` GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` -### Block JavaScript or VBScript from launching downloaded executable content - -This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet. - -Although not common, line-of-business applications sometimes use scripts to download and launch installers. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: js/vbs executing payload downloaded from Internet (no exceptions) - -Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content - -GUID: `D3E037E1-3EB8-44C8-A917-57927947596D` - -### Block execution of potentially obfuscated scripts - -This rule detects suspicious properties within an obfuscated script. - -Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Obfuscated js/vbs/ps/macro code - -Configuration Manager name: Block execution of potentially obfuscated scripts. - -GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` - -### Block Win32 API calls from Office macros - -This rule prevents VBA macros from calling Win32 APIs. - -Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. - -This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Win32 imports from Office macro code - -Configuration Manager name: Block Win32 API calls from Office macros - -GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` - -### Block executable files from running unless they meet a prevalence, age, or trusted list criterion - -This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: - -- Executable files (such as .exe, .dll, or .scr) - -Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. - -> [!IMPORTANT] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.

    The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly. -> ->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. - -Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria - -GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25` - -### Use advanced protection against ransomware - -This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. - -> [!NOTE] -> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Advanced ransomware protection - -Configuration Manager name: Use advanced protection against ransomware - -GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` - -### Block credential stealing from the Windows local security authority subsystem - -This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS). - -LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. - -> [!NOTE] -> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Flag credential stealing from the Windows local security authority subsystem - -Configuration Manager name: Block credential stealing from the Windows local security authority subsystem - -GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` - -### Block process creations originating from PSExec and WMI commands - -This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. - -> [!WARNING] -> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from PSExec and WMI commands - -Configuration Manager name: Not applicable - -GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` - -### Block untrusted and unsigned processes that run from USB - -With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include: - -* Executable files (such as .exe, .dll, or .scr) -* Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file) - -This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) - -Intune name: Untrusted and unsigned processes that run from USB - -Configuration Manager name: Block untrusted and unsigned processes that run from USB - -GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` - ### Block Office communication application from creating child processes This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions. -This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. +This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE] > This rule applies to Outlook and Outlook.com only. @@ -354,29 +363,12 @@ This rule was introduced in: - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Intune name: Process creation from Office communication products (beta) +Intune name: `Process creation from Office communication products (beta)` -Configuration Manager name: Not yet available +Configuration Manager name: Not available GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869` -### Block Adobe Reader from creating child processes - -This rule prevents attacks by blocking Adobe Reader from creating additional processes. - -Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading. - -This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) -- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) -- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - -Intune name: Process creation from Adobe Reader (beta) - -Configuration Manager name: Not yet available - -GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` - ### Block persistence through WMI event subscription This rule prevents malware from abusing WMI to attain persistence on a device. @@ -390,18 +382,86 @@ This rule was introduced in: - [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) - [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909) -Intune name: Not yet available +Intune name: Not available -Configuration Manager name: Not yet available +Configuration Manager name: Not available GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b` -## Related topics +### Block process creations originating from PSExec and WMI commands + +This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network. + +> [!WARNING] +> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +Intune name: `Process creation from PSExec and WMI commands` + +Configuration Manager name: Not applicable + +GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c` + +### Block untrusted and unsigned processes that run from USB + +With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr) + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Untrusted and unsigned processes that run from USB` + +Configuration Manager name: `Block untrusted and unsigned processes that run from USB` + +GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` + +### Block Win32 API calls from Office macros + +This rule prevents VBA macros from calling Win32 APIs. + +Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways. + +This rule was introduced in: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Win32 imports from Office macro code` + +Configuration Manager name: `Block Win32 API calls from Office macros` + +GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` + +### Use advanced protection against ransomware + +This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list. + +> [!NOTE] +> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule. + +This rule was introduced in: +- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) +- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates) + +Intune name: `Advanced ransomware protection` + +Configuration Manager name: `Use advanced protection against ransomware` + +GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` + +## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - -- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index 093a2013f5..f2db4d1af0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -3,7 +3,7 @@ title: Test how Microsoft Defender ATP features work in audit mode description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled. keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,13 +13,17 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- -# Test how Microsoft Defender ATP features work in audit mode +# Test how Microsoft Defender for Endpoint features work in audit mode + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. @@ -29,7 +33,7 @@ The features won't block or prevent apps, scripts, or files from being modified. To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. -You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index cb7648e275..938cf4405d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -1,9 +1,9 @@ --- -title: View details and results of automated investigations +title: Visit the Action center to see remediation actions description: Use the action center to view details and results following an automated investigation keywords: action, center, autoir, automated, investigation, response, remediation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,153 +12,72 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: how-to +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.date: 01/28/2021 +ms.technology: mde --- -# View details and results of automated investigations +# Visit the Action center to see remediation actions -During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP) is configured for your organization, some remediation actions are taken automatically. +During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center**. -If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. +## (NEW!) A unified Action center ->[!NOTE] ->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation. +We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))! -## The Action center +:::image type="content" source="images/mde-action-center-unified.png" alt-text="Action center in Microsoft 365 security center"::: -![Action center page](images/action-center.png) +The following table compares the new, unified Action center to the previous Action center. -The action center consists of two main tabs: **Pending actions** and **History**. -- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected). -- **History** Acts as an audit log for all of the following items:
    - - Remediation actions that were taken as a result of an automated investigation - - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone) - - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone) - - Remediation actions that were applied by Microsoft Defender Antivirus (some actions can be undone) - -Use the **Customize columns** menu to select columns that you'd like to show or hide. - -You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. - -## The Investigations page - -![Image of Auto investigations page](images/atp-auto-investigations-list.png) - -On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation. - -By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range. - -Use the **Customize columns** menu to select columns that you'd like to show or hide. - -From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages. - -### Filters for the list of investigations - -On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters: - -|Filter |Description | +|The new, unified Action center |The previous Action center | |---------|---------| -|**Status** |(See [Automated investigation status](#automated-investigation-status)) | -|**Triggering alert** | The alert that initiated the automated investigation | -|**Detection source** |The source of the alert that initiated the automated investigation | -|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. | -|**Threat** |The category of threat detected during the automated investigation | -|**Tags** |Filter using manually added tags that capture the context of an automated investigation| -|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't| +|Lists pending and completed actions for devices and email in one location
    ([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) plus [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices
    ([Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) only) | +|Is located at:
    [https://security.microsoft.com/action-center](https://security.microsoft.com/action-center) |Is located at:
    [https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center) | +| In the Microsoft 365 security center, choose **Action center**.

    :::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 security center"::: | In the Microsoft Defender Security Center, choose **Automated investigations** > **Action center**.

    :::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft Defender Security Center"::: | -## Automated investigation status +The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. -An automated investigation can have one of the following status values: +You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions: +- [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) +- [Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) +- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) -|Status |Description | +> [!TIP] +> To learn more, see [Requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites). + +## Using the Action center + +To get to the unified Action center in the improved Microsoft 365 security center: +1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. +2. In the navigation pane, select **Action center**. + +When you visit the Action center, you see two tabs: **Pending actions** and **History**. The following table summarizes what you'll see on each tab: + +|Tab |Description | |---------|---------| -| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. | -| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. | -| No threats found | The investigation has finished and no threats were identified.
    If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). | -| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. | -| Remediated | The investigation finished and all actions were approved (fully remediated). | -| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. | -| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
    - The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
    - There are too many actions in the list.
    Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. | -| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.

    If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. | -| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. | -| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. | -| Terminated by user | A user stopped the investigation before it could complete. | +|**Pending** | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as **Quarantine file**).
    **TIP**: Make sure to [review and approve (or reject) pending actions](manage-auto-investigation.md) as soon as possible so that your automated investigations can complete in a timely manner. | +|**History** | Serves as an audit log for actions that were taken, such as:
    - Remediation actions that were taken as a result of automated investigations
    - Remediation actions that were approved by your security operations team
    - Commands that were run and remediation actions that were applied during Live Response sessions
    - Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus

    Provides a way to undo certain actions (see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions)). | +You can customize, sort, filter, and export data in the Action center. -## View details about an automated investigation +:::image type="content" source="images/new-action-center-columnsfilters.png" alt-text="Columns and filters in the Action center"::: -![Image of investigation details window](images/atp-analyze-auto-ir.png) - -You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information. - -In this view, you'll see the name of the investigation, when it started and ended. - -### Investigation graph - -The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information. - -A progress ring shows two status indicators: -- Orange ring - shows the pending portion of the investigation -- Green ring - shows the running time portion of the investigation - -![Image of start, end, and pending time for an automated investigation](images/atp-auto-investigation-pending.png) - -In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds. - -The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval. - -From this view, you can also view and add comments and tags about the investigation. - -### Alerts - -The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. - -Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing. - -Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history. - -Clicking on an alert title brings you the alert page. - -### Devices - -The **Devices** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. - -Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. - -Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users. - -Clicking on a device name brings you the device page. - -### Evidence - -The **Evidence** tab shows details related to threats associated with this investigation. - -### Entities - -The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found. - -### Log - -The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. - -As with other sections, you can customize columns, select the number of items to show per page, and filter the log. - -Available filters include action type, action, status, device name, and description. - -You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. - -### Pending actions - -If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image. - -![Image of pending actions](images/pending-actions.png) - -When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. +- Select a column heading to sort items in ascending or descending order. +- Use the time period filter to view data for the past day, week, 30 days, or 6 months. +- Choose the columns that you want to view. +- Specify how many items to include on each page of data. +- Use filters to view just the items you want to see. +- Select **Export** to export results to a .csv file. ## Next steps - [View and approve remediation actions](manage-auto-investigation.md) - -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md b/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md new file mode 100644 index 0000000000..dfde5d03b9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/autoir-investigation-results.md @@ -0,0 +1,94 @@ +--- +title: Details and results of an automated investigation +description: During and after an automated investigation, you can view the results and key findings +keywords: automated, investigation, results, analyze, details, remediation, autoair +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +f1.keywords: +- NOCSH +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365initiative-m365-defender +ms.topic: conceptual +ms.custom: autoir +ms.reviewer: evaldm, isco +ms.date: 02/02/2021 +--- + +# Details and results of an automated investigation + +**Applies to:** +- Microsoft Defender for Endpoint + +With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions. + +## (NEW!) Unified investigation page + +The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp). + +> [!TIP] +> To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results). + +## Open the investigation details view + +You can open the investigation details view by using one of the following methods: +- [Select an item in the Action center](#select-an-item-in-the-action-center) +- [Select an investigation from an incident details page](#open-an-investigation-from-an-incident-details-page) + +### Select an item in the Action center + +The improved [Action center](auto-investigation-action-center.md) brings together [remediation actions](manage-auto-investigation.md#remediation-actions) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page. + +1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. +2. In the navigation pane, choose **Action center**. +3. On either the **Pending** or **History** tab, select an item. Its flyout pane opens. +4. Review the information in the flyout pane, and then take one of the following steps: + - Select **Open investigation page** to view more details about the investigation. + - Select **Approve** to initiate a pending action. + - Select **Reject** to prevent a pending action from being taken. + - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md). + +### Open an investigation from an incident details page + +Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes. + +1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. +2. In the navigation pane, choose **Incidents & alerts** > **Incidents**. +3. Select an item in the list, and then choose **Open incident page**. +4. Select the **Investigations** tab, and then select an investigation in the list. Its flyout pane opens. +5. Select **Open investigation page**. + +## Investigation details + +Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image: + +In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table. + +> [!NOTE] +> The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab. + +| Tab | Description | +|:--------|:--------| +| **Investigation graph** | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.
    You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts. | +| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.| +| **Devices** | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the [automation level for device groups](automation-levels.md).) | +| **Mailboxes** |Lists mailboxes that are impacted by detected threats. | +| **Users** | Lists user accounts that are impacted by detected threats. | +| **Evidence** | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status. | +| **Entities** | Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).| +|**Log** | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.| +| **Pending actions** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. | + +## See also + +- [Review remediation actions following an automated investigation](manage-auto-investigation.md) +- [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index fa431dbc93..dc1cd47378 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -1,59 +1,55 @@ --- title: Use automated investigations to investigate and remediate threats -description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). -keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export +description: Understand the automated investigation flow in Microsoft Defender for Endpoint. +keywords: automated, investigation, detection, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft +ms.date: 02/02/2021 ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: how-to +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR --- # Overview of automated investigations -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] +**Applies to** -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, and to reduce the volume of alerts that must be investigated individually, Microsoft Defender ATP includes automated investigation and remediation capabilities. +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -Automated investigation leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. Automated investigation and remediation capabilities significantly reduce alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when each investigation was initiated. +If your organization is using Microsoft Defender for Endpoint, your security operations team receives an alert whenever a malicious or suspicious artifact is detected. Given the seemingly never-ending flow of threats that come in, security teams often face challenges in addressing the high volume of alerts. Fortunately, Defender for Endpoint includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. + +Want to see how it works? Watch the following video:

    + +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] + +The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). In the Action center, pending actions are approved (or rejected), and completed actions can be undone if needed. + +This article provides an overview of AIR and includes links to next steps and additional resources. > [!TIP] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink). ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +An automated investigation can start when an alert is triggered or when a security operator initiates the investigation. ->[!NOTE] ->Currently, automated investigation only supports the following OS versions: ->- Windows Server 2019 ->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later ->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later ->- Later versions of Windows 10 - -## Details of an automated investigation - -During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. - -|Tab |Description | -|--|--| -|**Alerts**| Shows the alert that started the investigation.| -|**Devices** |Shows where the alert was seen.| -|**Evidence** |Shows the entities that were found to be malicious during the investigation.| -|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | -|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| -|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. | - -> [!IMPORTANT] -> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions. +|Situation |What happens | +|---------|---------| +|An alert is triggered | In general, an automated investigation starts when an [alert](review-alerts.md) is triggered, and an [incident](view-incidents-queue.md) is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation. | +|An investigation is started manually | An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select **Initiate Automated Investigation**. | ## How an automated investigation expands its scope @@ -63,37 +59,39 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically remediates threats. +As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be +- *Malicious*; +- *Suspicious*; or +- *No threats found*. -> [!NOTE] -> Microsoft Defender ATP tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see [Remediation actions](manage-auto-investigation.md#remediation-actions). -You can configure the following levels of automation: +Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA). -|Automation level | Description| -|---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically.

    *This option is selected by default for Microsoft Defender ATP tenants created on or after August 16, 2020.*| -|**Semi - require approval for core folders remediation** | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

    Files or executables in all other folders are automatically remediated, if needed.| -|**Semi - require approval for non-temp folders remediation** | An approval is required on files or executables that are not in temporary folders.

    Files or executables in temporary folders, such as the user's download folder or the user's temp folder, are automatically be remediated (if needed).| -|**Semi - require approval for any remediation** | An approval is needed for any remediation action.

    *This option is selected by default for Microsoft Defender ATP tenants created before August 16, 2020.*| -|**No automated response** | Devices do not get any automated investigations run on them.

    *This option is not recommended, because it fully disables automated investigation and remediation capabilities, and reduces the security posture of your organization's devices.* | +All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). If necessary, your security operations team can undo a remediation action. To learn more, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). -### A few points to keep in mind +> [!TIP] +> Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results.md#new-unified-investigation-page). -- Your level of automation is determined by your device group settings. See [Set up device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). -- If your Microsoft Defender ATP tenant was created before August 16, 2020, you have a default device group that is configured for semi-automatic remediation. Any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). You can configure your device groups to use full automation so that no user approval is needed. +## Requirements for AIR -- If your Microsoft Defender ATP tenant was created on or after August 16, 2020, you have a default device group that is configured for full automation. Remediation actions are taken automatically for entities that are considered to be malicious. Remediation actions that were taken can be viewed on the **History** tab in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center). +Your organization must have Defender for Endpoint (see [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)). + +Currently, AIR only supports the following OS versions: +- Windows Server 2019 +- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later +- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later +- Windows 10, version [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later ## Next steps -- [Learn about the automated investigations dashboard](manage-auto-investigation.md) +- [Learn more about automation levels](automation-levels.md) +- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md) -- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also -## Related articles - -- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - -- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file +- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) +- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) +- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md new file mode 100644 index 0000000000..e17539d14a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -0,0 +1,62 @@ +--- +title: Automation levels in automated investigation and remediation +description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint +keywords: automated, investigation, level, defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 10/22/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR +--- + +# Automation levels in automated investigation and remediation capabilities + +Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval. +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).) +- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. + +## Levels of automation + +The following table describes each level of automation and how it works. + +|Automation level | Description| +|:---|:---| +|**Full - remediate threats automatically**
    (also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

    ***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* | +|**Semi - require approval for any remediation**
    (also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*| +|**Semi - require approval for core folders remediation**
    (also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).

    Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

    Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**Semi - require approval for non-temp folders remediation**
    (also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.

    Temporary folders can include the following examples:
    - `\users\*\appdata\local\temp\*`
    - `\documents and settings\*\local settings\temp\*`
    - `\documents and settings\*\local settings\temporary\*`
    - `\windows\temp\*`
    - `\users\*\downloads\*`
    - `\program files\`
    - `\program files (x86)\*`
    - `\documents and settings\*\users\*`

    Remediation actions can be taken automatically on files or executables that are in temporary folders.

    Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**No automated response**
    (also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.

    ***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. | + +## Important points about automation levels + +- Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. + +- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. + +- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out. + +- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). + +## Next steps + +- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md) + +- [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index d9ced772ad..b23fc4b775 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -4,7 +4,7 @@ description: Learn how to use basic permissions to access the Microsoft Defender keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,64 +13,74 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use basic permissions to access the portal + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - Azure Active Directory -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) -Refer to the instructions below to use basic permissions management. +Refer to the instructions below to use basic permissions management. -You can use either of the following: +You can use either of the following solutions: - Azure PowerShell -- Azure Portal +- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell + You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read-only access ### Before you begin -- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    + +- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). +- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0&preserve-view=true). **Full access**
    Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles. -**Read only access**
    -Users with read only access can log in, view all alerts, and related information. +**Read-only access**
    +Users with read-only access can log in, view all alerts, and related information. They will not be able to change alert states, submit files for deep analysis or perform any state changing operations. -Assigning read only access rights requires adding the users to the "Security Reader" AAD built-in role. +Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role. Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: - ```text + + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` -- For **read only** access, assign users to the security reader role by using the following command: - ```text + +- For **read-only** access, assign users to the security reader role by using the following command: + + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic + - [Manage portal access using RBAC](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md new file mode 100644 index 0000000000..2b93144552 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md @@ -0,0 +1,108 @@ +--- +title: Batch Update alert entities API +description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Batch update alerts + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Updates properties of a batch of existing [Alerts](alerts.md). +
    Submission of **comment** is available with or without updating properties. +
    Updatable properties are: `status`, `determination`, `classification` and `assignedTo`. + + +## Limitations +1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information. +2. Rate limitations for this API are 10 calls per minute and 500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) + +## HTTP request +```http +POST /api/alerts/batchUpdate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + + +## Request body +In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts. +
    Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. +
    For best performance you shouldn't include existing values that haven't changed. + +Property | Type | Description +:---|:---|:--- +alertIds | List<String>| A list of the IDs of the alerts to be updated. **Required** +status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'. +assignedTo | String | Owner of the specified alerts +classification | String | Specifies the specification of the specified alerts. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | String | Specifies the determination of the specified alerts. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' +comment | String | Comment to be added to the specified alerts. + +## Response +If successful, this method returns 200 OK, with an empty response body. + + +## Example + +**Request** + +Here is an example of the request. + +```http +POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate +``` + +```json +{ + "alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"], + "status": "Resolved", + "assignedTo": "secop2@contoso.com", + "classification": "FalsePositive", + "determination": "Malware", + "comment": "Resolve my alert and assign to secop2" +} +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 04569f6785..c635331c7b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -8,37 +8,43 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Behavioral blocking and containment +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ## Overview -Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security). +Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](https://docs.microsoft.com/windows/security). -Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities. +Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities. :::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment"::: -Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing. +Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing. - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running. - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond. -- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. +- [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks. @@ -54,7 +60,7 @@ The following image shows an example of an alert that was triggered by behaviora - **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in the Microsoft Defender Security Center.) Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap). @@ -80,7 +86,7 @@ Below are two real-life examples of behavioral blocking and containment in actio As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. -Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain: +Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker’s techniques at two points in the attack chain: - The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). @@ -90,9 +96,9 @@ While the attack was detected and stopped, alerts, such as an "initial access al This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running. -### Example 2: NTML relay - Juicy Potato malware variant +### Example 2: NTLM relay - Juicy Potato malware variant -As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. +As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. :::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware"::: @@ -108,7 +114,7 @@ This example shows that with behavioral blocking and containment capabilities, t ## Next steps -- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Learn more about Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Configure your attack surface reduction rules](attack-surface-reduction.md) @@ -116,4 +122,4 @@ This example shows that with behavioral blocking and containment capabilities, t - [See recent global threat activity](https://www.microsoft.com/wdsi/threats) -- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +- [Get an overview of Microsoft 365 Defender ](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 621f338029..103ed6ab7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -4,7 +4,7 @@ description: Check the sensor health on devices to identify which ones are misco keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,34 +13,38 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- -# Check sensor health state in Microsoft Defender ATP +# Check sensor health state in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) -The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. +The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service: -- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. +- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected. +- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month. Clicking any of the groups directs you to **Devices list**, filtered according to your choice. ![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png) On **Devices list**, you can filter the health state list by the following status: -- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service. -- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: +- **Active** - Devices that are actively reporting to the Defender for Endpoint service. +- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device. - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service. +- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service. You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md). @@ -52,4 +56,4 @@ You can also download the entire list in CSV format using the **Export** feature You can view the device details when you click on a misconfigured or inactive device. ## Related topic -- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md) +- [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index 19fabebbdf..b7fdee5e13 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -8,25 +8,31 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Client behavioral blocking +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ## Overview -Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. +Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. :::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection"::: @@ -67,11 +73,11 @@ Behavior-based detections are named according to the [MITRE ATT&CK Matrix for En ## Configuring client behavioral blocking -If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: +If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured: -- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) +- [Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) -- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) +- [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) - [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) @@ -87,4 +93,4 @@ If your organization is using Microsoft Defender ATP, client behavioral blocking - [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) -- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) +- [Helpful Defender for Endpoint resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index d8929fdd67..1ff9f0d001 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -3,7 +3,7 @@ title: Collect investigation package API description: Use this API to create calls related to the collecting an investigation package from a device. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,16 +12,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article - +ms.technology: mde --- # Collect investigation package API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Collect investigation package from a device. @@ -32,7 +40,7 @@ Collect investigation package from a device. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -46,7 +54,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +POST https://api.securitycenter.microsoft.com/api/machines/{id}/collectInvestigationPackage ``` ## Request headers @@ -73,11 +81,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] - +```http +POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md deleted file mode 100644 index 558f93dfb9..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -title: Microsoft Defender ATP for US Government GCC High customers -description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers -keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Microsoft Defender ATP for US Government GCC High customers - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial. - -This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering. - - -## Endpoint versions -The following OS versions are supported: - -- Windows 10, version 1903 -- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) -- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183)) -- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) -- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) - ->[!NOTE] ->A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment. - -The following OS versions are supported via Azure Security Center: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 - -The following OS versions are not supported: -- Windows Server 2008 R2 SP1 (standalone, not via ASC) -- Windows Server 2012 R2 (standalone, not via ASC) -- Windows Server 2016 (standalone, not via ASC) -- Windows Server, version 1803 -- Windows 7 SP1 Enterprise -- Windows 7 SP1 Pro -- Windows 8 Pro -- Windows 8.1 Enterprise -- macOS -- Linux - -The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019: - -## Threat Analytics -Not currently available. - -## Threat & Vulnerability Management -Not currently available. - - -## Automated investigation and remediation -The following capabilities are not currently available: -- Response to Office 365 alerts -- Live response - - - -## Management and APIs -The following capabilities are not currently available: - -- Threat protection report -- Device health and compliance report -- Integration with third-party products - - -## Email notifications -Not currently available. - - -## Integrations -Integrations with the following Microsoft products are not currently available: -- Azure Advanced Threat Protection -- Azure Information Protection -- Office 365 Advanced Threat Protection -- Microsoft Cloud App Security -- Skype for Business -- Microsoft Intune (sharing of device information and enhanced policy enforcement) - -## Microsoft Threat Experts -Not currently available. - -## Required connectivity settings -You'll need to ensure that traffic from the following are allowed: - -Service location | DNS record -:---|:--- -Common URLs for all locations (Global location) | ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```notify.windows.com```
    ```settings-win.data.microsoft.com```

    NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier. -Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com```
    ```winatp-gw-usgt.microsoft.com```
    ```winatp-gw-usgv.microsoft.com```
    ```*.blob.core.usgovcloudapi.net``` - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md index bcc6ba7dc3..c0c401ff5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -1,9 +1,9 @@ --- title: Common Microsoft Defender ATP API errors description: List of common Microsoft Defender ATP API errors with descriptions. -keywords: apis, mdatp api, errors, troubleshooting +keywords: apis, mdatp api, errors, troubleshooting search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,13 +12,16 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Common REST API error codes -* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs. * Note that in addition to the error code, every error response contains an error message which can help resolving the problem. * Note that the message is a free text that can be changed. * At the bottom of the page you can find response examples. @@ -37,19 +40,20 @@ MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Recei MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing. OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action. ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above. -Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header). +Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header). Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action). DisabledFeature | Forbidden (403) | Tenant feature is not enabled. DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}. NotFound | Not Found (404) | General Not Found error message. ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found. InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved) +TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU. -## Body parameters are case sensitive +## Body parameters are case-sensitive -The submitted body parameters are currently case sensitive. +The submitted body parameters are currently case-sensitive.
    If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. -
    It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example. +
    We recommend that you go to the requested API documentation page and check that the submitted parameters match the relevant example. ## Correlation request ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index 78f18ff20e..c38f71682a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -4,7 +4,7 @@ description: Access the Microsoft Defender ATP Community Center to share experie keywords: community, community center, tech community, conversation, announcements search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,20 +13,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 +ms.technology: mde --- -# Access the Microsoft Defender ATP Community Center +# Access the Microsoft Defender for Endpoint Community Center + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. +The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. There are several spaces you can explore to learn about specific information: - Announcements @@ -35,8 +39,8 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page. -- Access the community through the [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page +- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page. +- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page You can instantly view and read conversations that have been posted in the community. diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index fb8e70489a..8222bee9d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -4,7 +4,7 @@ description: Enable Conditional Access to prevent applications from running if a keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Enable Conditional Access to better protect users, devices, and data +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. @@ -34,7 +38,7 @@ With Conditional Access, you can control access to enterprise information based You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. -The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. +The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications. @@ -64,15 +68,15 @@ When the risk is removed either through manual or automated remediation, the dev The following example sequence of events explains Conditional Access in action: -1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk. +1. A user opens a malicious file and Defender for Endpoint flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. 3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications. -4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. +4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. ## Related topic -- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md) +- [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 2dc93956ba..df34c2cfe1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -4,7 +4,7 @@ description: Configure Micro Focus ArcSight to receive and pull detections from keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,26 +13,29 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +# Configure Micro Focus ArcSight to pull Defender for Endpoint detections + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections. +You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Defender for Endpoint detections. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections +>- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ## Before you begin @@ -40,7 +43,7 @@ Configuring the Micro Focus ArcSight Connector tool requires several configurati This section guides you in getting the necessary information to set and use the required configuration files correctly. -- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values: - OAuth 2.0 Token refresh URL @@ -103,8 +106,8 @@ The following steps assume that you have completed all the required steps in [Be For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file. Events URL - Depending on the location of your datacenter, select either the EU or the US URL:

    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
    -
    For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME + Depending on the location of your datacenter, select either the EU or the US URL:

    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
    +
    For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME Authentication Type OAuth 2 @@ -113,7 +116,7 @@ The following steps assume that you have completed all the required steps in [Be Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded. Refresh Token - You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

    Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the Refresh Token field. + You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Defender for Endpoint.

    Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the Refresh Token field. @@ -175,7 +178,7 @@ The following steps assume that you have completed all the required steps in [Be You can now run queries in the Micro Focus ArcSight console. -Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Defender for Endpoint detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting Micro Focus ArcSight connection @@ -201,7 +204,7 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) +- [Configure Splunk to pull Defender for Endpoint detections](configure-splunk.md) +- [Pull Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 50726aa946..3db29d7045 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -4,7 +4,7 @@ description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Pow keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,12 +13,16 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Configure attack surface reduction +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + You can configure attack surface reduction with a number of tools, including: * Microsoft Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index a4c17d2c2a..1f196772bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -1,10 +1,11 @@ --- title: Configure automated investigation and remediation capabilities -description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint. keywords: configure, setup, automated, investigation, detection, alerts, remediation, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +14,23 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: how-to +ms.date: 01/27/2021 +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs --- -# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection +# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint **Applies to** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). +To configure automated investigation and remediation, +1. [Turn on the features](#turn-on-automated-investigation-and-remediation); and +2. [Set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation @@ -40,7 +45,7 @@ To configure automated investigation and remediation, you [turn on the features] 2. Select **+ Add device group**. 3. Create at least one device group, as follows: - Specify a name and description for the device group. - - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). + - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [Automation levels in automated investigation and remediation](automation-levels.md). - In the **Members** section, use one or more conditions to identify and include devices. - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. 4. Select **Done** when you're finished setting up your device group. @@ -48,8 +53,8 @@ To configure automated investigation and remediation, you [turn on the features] ## Next steps - [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) +- [Review and approve pending actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) -- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) - -- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) +## See also +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 944a823a64..e294b0d8a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -4,7 +4,7 @@ description: Learn about steps that you need to do in Intune, Microsoft Defender keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,13 +13,17 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Configure Conditional Access in Microsoft Defender ATP +# Configure Conditional Access in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) This section guides you through all the steps you need to take to properly implement Conditional Access. @@ -51,7 +55,7 @@ It's important to note the required roles to access these portals and implement Take the following steps to enable Conditional Access: - Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center -- Step 2: Turn on the Microsoft Defender ATP integration in Intune +- Step 2: Turn on the Defender for Endpoint integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy - Step 5: Create an Azure AD Conditional Access policy @@ -63,7 +67,7 @@ Take the following steps to enable Conditional Access: 3. Click **Save preferences**. -### Step 2: Turn on the Microsoft Defender ATP integration in Intune +### Step 2: Turn on the Defender for Endpoint integration in Intune 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **Device compliance** > **Microsoft Defender ATP**. 3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**. @@ -104,4 +108,4 @@ Take the following steps to enable Conditional Access: For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index e605898b2f..ded8ef06d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -4,7 +4,7 @@ description: You can use Microsoft Defender Advanced Threat Protection to config keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure alert notifications in Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) -You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. +You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] > Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. @@ -54,7 +58,7 @@ You can create rules that determine the devices and alert severities to send ema - **Include device information** - Includes the device name in the email alert body. >[!NOTE] - > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data. + > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Defender for Endpoint data. - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md). - **Alert severity** - Choose the alert severity level. @@ -89,11 +93,10 @@ This section lists various issues that you may encounter when using email notifi **Solution:** Make sure that the notifications are not blocked by email filters: -1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. -2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP. -3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications. +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 413259ce26..7f4bbd4a62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -4,7 +4,7 @@ description: Use Group Policy to deploy the configuration package on Windows 10 keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,23 +13,27 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Onboard Windows 10 devices using Group Policy +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Group Policy -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) > [!NOTE] @@ -38,6 +42,14 @@ ms.date: 04/24/2018 > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates. ## Onboard devices using Group Policy + +[![Image of the PDF showing the various deployment paths](images/onboard-gp.png)](images/onboard-gp.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + + + 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -65,9 +77,9 @@ ms.date: 04/24/2018 9. Click **OK** and close any open GPMC windows. >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). -## Additional Microsoft Defender ATP configuration settings +## Additional Defender for Endpoint configuration settings For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. @@ -223,5 +235,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP devices](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint devices](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 50e1369d5f..fa54228453 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -4,7 +4,7 @@ description: Use Mobile Device Management tools to deploy the configuration pack keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,22 +13,26 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows 10 devices using Mobile Device Management tools +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) -You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices. +You can use mobile device management (MDM) solutions to configure devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices. -For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). ## Before you begin If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully. @@ -37,9 +41,13 @@ For more information on enabling MDM with Microsoft Intune, see [Device enrollme ## Onboard devices using Microsoft Intune +[![Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune](images/onboard-intune.png) ](images/onboard-intune-big.png#lightbox) + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). -For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). > [!NOTE] @@ -48,9 +56,10 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md). +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. ## Offboard and monitor devices using Mobile Device Management tools For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -90,5 +99,5 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index e59d230fb9..f294e61abc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -4,7 +4,7 @@ description: Configure non-Windows devices so that they can send sensor data to keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,31 +13,35 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard non-Windows devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - macOS - Linux -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. +Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. -You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see: -- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) -- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). +You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see: +- [Microsoft Defender for Endpoint for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) +- [Microsoft Defender for Endpoint for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). ## Onboarding non-Windows devices You'll need to take the following steps to onboard non-Windows devices: 1. Select your preferred method of onboarding: - - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac). + - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**. 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. @@ -53,7 +57,7 @@ You'll need to take the following steps to onboard non-Windows devices: ## Offboard non-Windows devices -1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender ATP. +1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender for Endpoint. 2. Remove permissions for the third-party solution in your Azure AD tenant. 1. Sign in to the [Azure portal](https://portal.azure.com). @@ -66,4 +70,4 @@ You'll need to take the following steps to onboard non-Windows devices: - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 4536ced3cc..20a91dac4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -4,7 +4,7 @@ description: Use Configuration Manager to deploy the configuration package on de keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,20 +13,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 02/07/2020 +ms.technology: mde --- # Onboard Windows 10 devices using Configuration Manager +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- Microsoft Endpoint Configuration Manager current branch +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) +- Microsoft Endpoint Manager current branch - System Center 2012 R2 Configuration Manager ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) ## Supported client operating systems @@ -34,21 +38,34 @@ Based on the version of Configuration Manager you're running, the following clie #### Configuration Manager version 1910 and prior -- Clients computers running Windows 10, version 1607 and later +- Clients computers running Windows 10 #### Configuration Manager version 2002 and later Starting in Configuration Manager version 2002, you can onboard the following operating systems: - Windows 8.1 -- Windows 10, version 1607 or later +- Windows 10 - Windows Server 2012 R2 - Windows Server 2016 - Windows Server 2016, version 1803 or later - Windows Server 2019 +>[!NOTE] +>For more information on how to onboard Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, see, [Onboard Windows servers](configure-server-endpoints.md). + + + ### Onboard devices using System Center Configuration Manager + +[![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint. + + + 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -66,10 +83,10 @@ Starting in Configuration Manager version 2002, you can onboard the following op a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. +> Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). > > Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change. @@ -151,9 +168,9 @@ For security reasons, the package used to Offboard devices will expire 30 days a > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. -### Offboard devices using Microsoft Endpoint Configuration Manager current branch +### Offboard devices using Microsoft Endpoint Manager current branch -If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). +If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). ### Offboard devices using System Center 2012 R2 Configuration Manager @@ -179,13 +196,13 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create ## Monitor device configuration -If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). +If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network. -2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service). +2. Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service). ### Confirm the configuration package has been correctly deployed @@ -197,7 +214,7 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists 4. Review the status indicators under **Completion Statistics** and **Content Status**. - If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png) @@ -221,4 +238,4 @@ For more information, see [Introduction to compliance settings in System Center - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index ebc09038ff..647e8a9281 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -4,7 +4,7 @@ description: Use a local script to deploy the configuration package on devices s keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,58 +13,71 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows 10 devices using a local script +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. +You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network. -> [!NOTE] -> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md). +> [!IMPORTANT] +> This script has been optimized for use on up to 10 devices. +> +> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices + +[![Image of the PDF showing the various deployment paths](images/onboard-script.png)](images/onboard-script.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + + 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Onboarding**. + 1. In the navigation pane, select **Settings** > **Onboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd* 5. Press the **Enter** key or click **OK**. -For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). +For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md). ## Configure sample collection settings For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -73,7 +86,7 @@ You can manually configure the sample sharing setting on the device by using *re The configuration is set through the following registry key entry: -``` +```console Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -95,23 +108,23 @@ For security reasons, the package used to Offboard devices will expire 30 days a 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): - a. In the navigation pane, select **Settings** > **Offboarding**. + 1. In the navigation pane, select **Settings** > **Offboarding**. - b. Select Windows 10 as the operating system. + 1. Select Windows 10 as the operating system. - c. In the **Deployment method** field, select **Local Script**. + 1. In the **Deployment method** field, select **Local Script**. - d. Click **Download package** and save the .zip file. + 1. Click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open an elevated command-line prompt on the device and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* @@ -139,5 +152,5 @@ Monitoring can also be done directly on the portal, or by using the different de - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 32e7e448f6..bd29f01bd5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -4,7 +4,7 @@ description: Deploy the configuration package on virtual desktop infrastructure keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,36 +13,42 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/16/2020 +ms.technology: mde --- # Onboard non-persistent virtual desktop infrastructure (VDI) devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Virtual desktop infrastructure (VDI) devices +- Windows 10, Windows Server 2019, Windows Server 2008R2/2012R2/2016 ->[!WARNING] -> Microsoft Defender ATP support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) ## Onboard non-persistent virtual desktop infrastructure (VDI) devices -Microsoft Defender ATP supports non-persistent VDI session onboarding. +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +Defender for Endpoint supports non-persistent VDI session onboarding. >[!Note] ->To onboard non-persistent VDI sessions, VDI devices must be on Windows 10. +>To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019. > ->While other Windows versions might work, only Windows 10 is supported. +>While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: -- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning. +- Instant early onboarding of a short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning. - The device name is typically reused for new sessions. -VDI devices can appear in Microsoft Defender ATP portal as either: +VDI devices can appear in Defender for Endpoint portal as either: - Single entry for each device. Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. @@ -51,7 +57,10 @@ Note that in this case, the *same* device name must be configured when the sessi The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries. >[!WARNING] -> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding. +> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding. + + +### For Windows 10 or Windows Server 2019 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): @@ -63,25 +72,21 @@ The following steps will guide you through onboarding VDI devices and will highl 1. Click **Download package** and save the .zip file. -2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. +2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. - >[!NOTE] - >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. + 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd. -3. The following step is only applicable if you're implementing a single entry for each device:
    - **For single entry for each device**: + 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. - 1. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` and `WindowsDefenderATPOnboardingScript.cmd` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
    + > [!NOTE] + > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer. - > [!NOTE] - > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. - -4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. +3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. > [!NOTE] > Domain Group Policy may also be used for onboarding non-persistent VDI devices. -5. Depending on the method you'd like to implement, follow the appropriate steps:
    +4. Depending on the method you'd like to implement, follow the appropriate steps:
    **For single entry for each device**:
    Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. @@ -90,7 +95,7 @@ The following steps will guide you through onboarding VDI devices and will highl Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. -6. Test your solution: +5. Test your solution: 1. Create a pool with one device. @@ -103,9 +108,17 @@ The following steps will guide you through onboarding VDI devices and will highl 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
    **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center. -7. Click **Devices list** on the Navigation pane. +6. Click **Devices list** on the Navigation pane. + +7. Use the search function by entering the device name and select **Device** as search type. + + +## For downlevel SKUs +1. Set registry value 'HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging|VDI’ to “NonPersistent' + +2. Follow the [server onboarding process](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016). + -8. Use the search function by entering the device name and select **Device** as search type. ## Updating non-persistent virtual desktop infrastructure (VDI) images As a best practice, we recommend using offline servicing tools to patch golden/master images.
    @@ -124,7 +137,7 @@ For more information on DISM commands and offline servicing, please refer to the If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health: -1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). +1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). 2. Ensure the sensor is stopped by running the command below in a CMD window: @@ -151,4 +164,4 @@ If offline servicing is not a viable option for your non-persistent VDI environm - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 867e457571..fe24027108 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices so that they can send sensor data to the keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,19 +13,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Onboarding tools and methods for Windows 10 devices +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about) -Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. +Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. The following deployment tools and methods are supported: @@ -38,10 +42,10 @@ The following deployment tools and methods are supported: Topic | Description :---|:--- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices. -[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. +[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device. [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 42f46bd701..ee85dd307b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -1,10 +1,10 @@ --- title: Optimize ASR rule deployment and detections -description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. +description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Optimize ASR rule deployment and detections +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). +> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). [Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. @@ -49,5 +53,5 @@ For more information about ASR rule deployment in Microsoft 365 security center, **Related topics** * [Ensure your devices are configured properly](configure-machines.md) -* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +* [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) +* [Monitor compliance to the Microsoft Defender for Endpoint security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index c189165c5f..c4a097c931 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -4,7 +4,7 @@ description: Track onboarding of Intune-managed devices to Microsoft Defender AT keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,16 +13,20 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Get devices onboarded to Microsoft Defender ATP +# Get devices onboarded to Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. @@ -32,17 +36,17 @@ Before you can track and manage onboarding of devices: ## Discover and track unprotected devices -The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices. +The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows 10 devices. ![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)
    *Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device* >[!NOTE] ->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices. +>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices. ## Onboard more devices with Intune profiles -Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service. +Defender for Endpoint provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Defender for Endpoint sensor to select devices, effectively onboarding these devices to the service. From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. @@ -50,21 +54,21 @@ From the **Onboarding** card, select **Onboard more devices** to create and assi *Microsoft Defender ATP device compliance page on Intune device management* >[!TIP] ->Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. +>Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. >[!NOTE] > If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. -From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either: +From the device compliance page, create a configuration profile specifically for the deployment of the Defender for Endpoint sensor and assign that profile to the devices you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. - Create the device configuration profile from scratch. -For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). +For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics - [Ensure your devices are configured properly](configure-machines.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +- [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index 958fa4756c..c801fe5195 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -4,7 +4,7 @@ description: The Microsoft Defender ATP security baseline sets Microsoft Defende keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,18 +13,22 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Increase compliance to the Microsoft Defender ATP security baseline +# Increase compliance to the Microsoft Defender for Endpoint security baseline + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection. +Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection. To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). @@ -33,22 +37,22 @@ Before you can deploy and track compliance to security baselines: - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Compare the Microsoft Defender ATP and the Windows Intune security baselines -The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: +The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: - [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) - [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp) -Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. +Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. >[!NOTE] ->The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. +>The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. -## Monitor compliance to the Microsoft Defender ATP security baseline +## Monitor compliance to the Defender for Endpoint security baseline -The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline. +The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Defender for Endpoint security baseline. ![Security baseline card](images/secconmgmt_baseline_card.png)
    -*Card showing compliance to the Microsoft Defender ATP security baseline* +*Card showing compliance to the Defender for Endpoint security baseline* Each device is given one of the following status types: @@ -62,20 +66,20 @@ To review specific devices, select **Configure security baseline** on the card. >[!NOTE] >You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune. -## Review and assign the Microsoft Defender ATP security baseline +## Review and assign the Microsoft Defender for Endpoint security baseline -Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. +Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender for Endpoint security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed. >[!TIP] - > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. + > Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. 2. Create a new profile. - ![Microsoft Defender ATP security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)
    - *Microsoft Defender ATP security baseline overview on Intune* + ![Microsoft Defender for Endpoint security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)
    + *Microsoft Defender for Endpoint security baseline overview on Intune* 3. During profile creation, you can review and adjust specific settings on the baseline. @@ -95,9 +99,9 @@ Device configuration management monitors baseline compliance only of Windows 10 >[!TIP] >Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics - [Ensure your devices are configured properly](configure-machines.md) -- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +- [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 3e3bb64cc8..bbfac451bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -4,7 +4,7 @@ description: Properly configure devices to boost overall resilience against thre keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,25 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Ensure your devices are configured properly -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) + +**Applies to:** +- [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices: -- Onboard to Microsoft Defender ATP -- Meet or exceed the Microsoft Defender ATP security baseline configuration +- Onboard to Microsoft Defender for Endpoint +- Meet or exceed the Defender for Endpoint security baseline configuration - Have strategic attack surface mitigations in place Click **Configuration management** from the navigation menu to open the Device configuration management page. @@ -53,7 +57,7 @@ Before you can ensure your devices are configured properly, enroll them to Intun >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign). >[!TIP] ->To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). +>To optimize device management through Intune, [connect Intune to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ## Obtain required permissions By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. @@ -74,8 +78,8 @@ If you have been assigned other roles, ensure you have the necessary permissions ## In this section Topic | Description :---|:--- -[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. -[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. +[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. +[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 0be1734f27..7c149c51f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -5,7 +5,7 @@ description: Register to Microsoft Threats Experts to configure, manage, and use keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service search.product: Windows 10 search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,24 +14,33 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Configure and manage Microsoft Threat Experts capabilities + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ## Before you begin -Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up. +> [!NOTE] +> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. -Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. +Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up. -If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. +Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. + +If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. ## Register to Microsoft Threat Experts managed threat hunting service -If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. +If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender for Endpoint portal. 1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**. @@ -51,7 +60,7 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M ## Receive targeted attack notification from Microsoft Threat Experts You can receive targeted attack notification from Microsoft Threat Experts through the following medium: -- The Microsoft Defender ATP portal's **Alerts** dashboard +- The Defender for Endpoint portal's **Alerts** dashboard - Your email, if you choose to configure it To receive targeted attack notifications through email, create an email notification rule. @@ -76,7 +85,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request. -2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**. +2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**. ![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png) @@ -84,7 +93,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w ![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png) - The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription. + The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription. ![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png) @@ -107,8 +116,8 @@ Watch this video for a quick overview of the Microsoft Services Hub. **Alert information** - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? -- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? -- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored? +- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? +- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored? - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. **Possible machine compromise** @@ -116,8 +125,8 @@ Watch this video for a quick overview of the Microsoft Services Hub. - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? **Threat intelligence details** -- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? -- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? +- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? +- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md index b7c4bf19d6..85af41af47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md @@ -1,10 +1,10 @@ --- -title: Configure alert notifications that are sent to MSSPs +title: Configure alert notifications that are sent to MSSPs description: Configure alert notifications that are sent to MSSPs keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure alert notifications that are sent to MSSPs +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >[!NOTE] @@ -43,4 +47,4 @@ These check boxes must be checked: ## Related topics - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) -- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) \ No newline at end of file +- [Fetch alerts from customer tenant](fetch-alerts-mssp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 98599b9d18..37eaf566e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -1,10 +1,10 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP +description: Take the necessary steps to configure the MSSP integration with the Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,17 +13,21 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure managed security service provider integration +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -41,7 +45,7 @@ The integration will allow MSSPs to take the following actions: - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal. Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. @@ -51,7 +55,7 @@ In general, the following configuration steps need to be taken: - **Grant the MSSP access to Microsoft Defender Security Center**
    -This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant. - **Configure alert notifications sent to MSSPs**
    @@ -63,6 +67,8 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools. - **Fetch alerts from MSSP customer's tenant using APIs**
    This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. +## Multi-tenant access for MSSPs +For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 18707f606c..045a8be7bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -4,7 +4,7 @@ description: Configure the Microsoft Defender ATP proxy and internet settings to keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,21 +13,27 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Configure device proxy and Internet connectivity settings +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. +The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service. -The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. +The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service. >[!TIP] >For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md). @@ -39,7 +45,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] - > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). - Manual static proxy configuration: - Registry based configuration @@ -47,16 +53,16 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe ## Configure the proxy server manually using a registry-based static proxy -Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. +Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + ![Image of Group Policy setting1](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
    - ![Image of Group Policy setting](images/atp-gpo-proxy2.png) + ![Image of Group Policy setting2](images/atp-gpo-proxy2.png) The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. @@ -100,18 +106,19 @@ netsh winhttp reset proxy See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. -## Enable access to Microsoft Defender ATP service URLs in the proxy server +## Enable access to Microsoft Defender for Endpoint service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list. +The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. -|**Item**|**Description**| +|**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. +|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
    | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

    [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) -If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. +If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. > [!NOTE] > settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
    @@ -122,11 +129,11 @@ If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the > [!NOTE] -> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus +> If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus). -If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -### Log analytics agent requirements +### Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. @@ -134,32 +141,39 @@ The information below list the proxy and firewall configuration information requ |------|---------|--------|--------| |*.ods.opinsights.azure.com |Port 443 |Outbound|Yes | |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | -|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.blob.core.windows.net |Port 443 |Outbound|Yes | +|*.azure-automation.net |Port 443 |Outbound|Yes | -## Microsoft Defender ATP service backend IP range - -If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information. - -Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: - -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ - -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). > [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. +## Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements + +Please see the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows. + +1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see [Onboard previous versions of Windows on Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2010326) and [Onboard Windows servers](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016). + +2. Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal. + +3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace. + +4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)). + +![Image of administrator in Windows PowerShell](images/admin-powershell.png) + +The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal. + +The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *.blob.core.windows.net” section of the test results. + +> [!NOTE] +> In the case of onboarding via Azure Security Center (ASC), multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces). + ## Verify client connectivity to Microsoft Defender ATP service URLs -Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. +Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs. -1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. +1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Defender for Endpoint sensor is running on. 2. Extract the contents of MDATPClientAnalyzer.zip on the device. @@ -184,7 +198,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. 6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    - The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx @@ -195,18 +209,18 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5 - Command line proxy: Doesn't exist ``` -If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

    +If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.

    -However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > [!NOTE] -> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. +> When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can't access the defined proxy. ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index ed06fd8042..ebb9189935 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -1,10 +1,10 @@ --- -title: Onboard Windows servers to the Microsoft Defender ATP service -description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender ATP sensor. -keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers +title: Onboard Windows servers to the Microsoft Defender for Endpoint service +description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender for Endpoint sensor. +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers, onboard Microsoft Defender for Endpoint servers search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- -# Onboard Windows servers to the Microsoft Defender ATP service +# Onboard Windows servers to the Microsoft Defender for Endpoint service + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** @@ -27,40 +31,53 @@ ms.topic: article - Windows Server (SAC) version 1803 and later - Windows Server 2019 and later - Windows Server 2019 core edition -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) -Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. +Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. -The service supports the onboarding of the following Windows servers: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server (SAC) version 1803 and later -- Windows Server 2019 and later -- Windows Server 2019 core edition - -For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). +
    ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 -You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options: +You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Defender for Endpoint by using any of the following options: -- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center) +- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-manager-version-2002-and-later) + + +After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + > [!NOTE] -> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). -### Option 1: Onboard Windows servers through Microsoft Defender Security Center -Perform the following steps to onboard Windows servers through Microsoft Defender Security Center: +### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) +You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + +If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. + +In general, you'll need to take the following steps: +1. Fulfill the onboarding requirements outlined in **Before you begin** section. +2. Turn on server monitoring from Microsoft Defender Security center. +3. Install and configure MMA for the server to report sensor data to Defender for Endpoint. +4. Configure and update System Center Endpoint Protection clients. + + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md). + + +#### Before you begin +Perform the following steps to fulfill the onboarding requirements: - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) @@ -74,54 +91,36 @@ Perform the following steps to onboard Windows servers through Microsoft Defende > [!NOTE] > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. - - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal). - - - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. - - Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). - -> [!TIP] -> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). - -### Configure and update System Center Endpoint Protection clients - -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). - -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - - -### Turn on Server monitoring from the Microsoft Defender Security Center portal - -1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. - -2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system. - -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server: - - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
    + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. -Once completed, you should see onboarded Windows servers in the portal within an hour. -### Configure Windows server proxy and Internet connectivity settings +### Configure Windows server proxy and Internet connectivity settings if needed +If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server: -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + +- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) + +- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) + +If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender for Endpoint service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. + +Once completed, you should see onboarded Windows servers in the portal within an hour. ### Option 2: Onboard Windows servers through Azure Security Center 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**. @@ -130,10 +129,22 @@ Once completed, you should see onboarded Windows servers in the portal within an 3. Click **Onboard Servers in Azure Security Center**. -4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). +4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). -### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later -You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + +> [!NOTE] +> - For onboarding via Azure Defender for Servers (previously Azure Security Center Standard Edition) to work as expected, the server must have an appropriate workspace and key configured within the Microsoft Monitoring Agent (MMA) settings. +> - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. +> - This is also required if the server is configured to use an OMS Gateway server as proxy. + +### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later +You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint + in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). + +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + +
    ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -145,12 +156,12 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) > [!NOTE] -> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). +> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). > - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. -Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions. -1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). +1. Configure Defender for Endpoint onboarding settings on the Windows server using the same tools and methods for Windows 10 devices. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly: @@ -174,57 +185,71 @@ Support for Windows Server, provide deeper insight into activities happening on ```sc.exe query Windefend``` - If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). + If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). +
    + ## Integration with Azure Security Center -Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: -- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). +- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). > [!NOTE] > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016. -- Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. +- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach. > [!IMPORTANT] -> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
    -Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning. -> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
    +Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. +> - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
    Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +
    + +## Configure and update System Center Endpoint Protection clients + +Defender for Endpoint integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). + +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. + +
    ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. For other Windows server versions, you have two options to offboard Windows servers from the service: - Uninstall the MMA agent -- Remove the Microsoft Defender ATP workspace configuration +- Remove the Defender for Endpoint workspace configuration > [!NOTE] > Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months. ### Uninstall Windows servers by uninstalling the MMA agent -To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP. +To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the Windows server will no longer send sensor data to Defender for Endpoint. For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). -### Remove the Microsoft Defender ATP workspace configuration +### Remove the Defender for Endpoint workspace configuration To offboard the Windows server, you can use either of the following methods: -- Remove the Microsoft Defender ATP workspace configuration from the MMA agent +- Remove the Defender for Endpoint workspace configuration from the MMA agent - Run a PowerShell command to remove the configuration -#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent +#### Remove the Defender for Endpoint workspace configuration from the MMA agent 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. -2. Select the Microsoft Defender ATP workspace, and click **Remove**. +2. Select the Defender for Endpoint workspace, and click **Remove**. - ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png) + ![Image of Microsoft Monitoring Agent Properties](images/atp-mma.png) #### Run a PowerShell command to remove the configuration @@ -239,16 +264,21 @@ To offboard the Windows server, you can use either of the following methods: 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: ```powershell + $ErrorActionPreference = "SilentlyContinue" # Load agent scripting object $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg # Remove OMS Workspace - $AgentCfg.RemoveCloudWorkspace($WorkspaceID) + $AgentCfg.RemoveCloudWorkspace("WorkspaceID") # Reload the configuration and apply changes $AgentCfg.ReloadConfiguration() + ``` + +
    + ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md) +- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index a72dbb0a7b..0cbb7b36c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -4,7 +4,7 @@ description: Learn how to use REST API and configure supported security informat keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,43 +13,46 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Pull detections to your SIEM tools +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Pull detections using security information and events management (SIEM) tools >[!NOTE] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections. +>- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). -Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +Defender for Endpoint supports security information and event management (SIEM) tools to pull detections. Defender for Endpoint exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. - -Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: +Defender for Endpoint currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: - IBM QRadar - Micro Focus ArcSight -Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. +Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. -To use either of these supported SIEM tools you'll need to: +To use either of these supported SIEM tools, you'll need to: -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). + - [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md) + - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). -For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). +For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md new file mode 100644 index 0000000000..3a5a17455d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md @@ -0,0 +1,93 @@ +--- +title: Configure vulnerability email notifications in Microsoft Defender for Endpoint +description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events. +keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Configure vulnerability email notifications in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) + +Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability. + +> [!NOTE] +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md) + +The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added. + +If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. + +The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability. + +## Create rules for alert notifications + +Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected. + +1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**. + +2. Select **Add notification rule**. + +3. Name the email notification rule and include a description. + +4. Check **Notification enabled** to activate the notification. Select **Next** + +5. Fill in the notification settings. Then select **Next** + + - Choose device groups to get notifications for. + - Choose the vulnerability event(s) that you want to be notified about when they affect your organization. + - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified. + - Include organization name if you want the organization name in the email + +6. Enter the recipient email address then select **Add**. You can add multiple email addresses. + +7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it. + +## Edit a notification rule + +1. Select the notification rule you'd like to edit. + +2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Delete notification rule + +1. Select the notification rule you'd like to delete. + +2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Troubleshoot email notifications for alerts + +This section lists various issues that you may encounter when using email notifications for alerts. + +**Problem:** Intended recipients report they are not getting the notifications. + +**Solution:** Make sure that the notifications are not blocked by email filters: + +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index bc7f7201e2..20a639bb51 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -1,11 +1,11 @@ --- -title: Connected applications in Microsoft Defender ATP +title: Connected applications in Microsoft Defender ATP ms.reviewer: description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,18 +14,22 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Connected applications in Microsoft Defender ATP +# Connected applications in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -Connected applications integrates with the Microsoft Defender ATP platform using APIs. +Connected applications integrates with the Defender for Endpoint platform using APIs. -Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. +Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. You'll need to follow [these steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro) to use the APIs with the connected application. @@ -34,7 +38,7 @@ From the left navigation menu, select **Partners & APIs** > **Connected AAD appl ## View connected application details -The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. +The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. ![Image of connected apps](images/connected-apps.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md new file mode 100644 index 0000000000..95f0488aa4 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md @@ -0,0 +1,45 @@ +--- +title: Contact Microsoft Defender for Endpoint support for US Government customers +description: Learn how to contact Microsoft Defender for Endpoint support for US Government customers +keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ROBOTS: noindex,nofollow +ms.technology: mde +--- + +# Contact Microsoft Defender for Endpoint support for US Government customers + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. + +## Using the right portal +In order to open a support case, you will need to login to your Microsoft Defender for Endpoint portal: + +Environment | Portal URL +:---|:--- +GCC-M on Commercial | [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) +GCC-M | [https://gcc.securitycenter.microsoft.us](https://gcc.securitycenter.microsoft.us) +GCC-H | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us) +DoD | [https://securitycenter.microsoft.us](https://securitycenter.microsoft.us) + +If you are unable to login to the portal, you can also open a support case using the [phone](https://docs.microsoft.com/microsoft-365/admin/contact-support-for-business-products?view=o365-worldwide&tabs=phone&preserve-view=true). + +## Opening a support case +For prerequisites and instructions, see [Contact Microsoft Defender for Endpoint support](contact-support.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md new file mode 100644 index 0000000000..4082593706 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md @@ -0,0 +1,91 @@ +--- +title: Contact Microsoft Defender ATP support +description: Learn how to contact Microsoft Defender ATP support +keywords: support, contact, premier support, solutions, problems, case +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde +--- + +# Contact Microsoft Defender for Endpoint support + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. + +The new widget allows customers to: +- Find solutions to common problems +- Submit a support case to the Microsoft support team + +## Prerequisites +It's important to know the specific roles that have permission to open support cases. + +At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role. + + +For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case. + +For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide). + + +## Access the widget +Accessing the new support widget can be done in one of two ways: + +1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support": + + ![Image of widget when question mark is selected](images/support-widget.png) + +2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center: + + + ![Image of the need help button](images/need-help.png) + +In the widget you will be offered two options: + +- Find solutions to common problems +- Open a service request + +## Find solutions to common problems +This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced. + +![Image of need help widget](images/Support3.png) + +In case the suggested articles are not sufficient, you can open a service request. + +## Open a service request + +Learn how to open support tickets by contacting Defender for Endpoint support. + + + + +### Contact support +This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case: + +![Image of the open a service request widget](images/Support4.png) + +1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you. + +2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case. + +3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly. + + +## Related topics +- [Troubleshoot service issues](troubleshoot-mdatp.md) +- [Check service health](service-status.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index d48749b987..2d9797f525 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -1,9 +1,9 @@ --- -title: Prevent ransomware and threats from encrypting and changing files -description: Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files. +title: Protect important folders from ransomware from encrypting your files with controlled folder access +description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,47 +11,83 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 08/05/2019 +ms.date: 02/03/2021 ms.reviewer: v-maave manager: dansimp ms.custom: asr +ms.technology: mde --- # Protect important folders with controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the Microsoft Endpoint Configuration Manager and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +## What is controlled folder access? -Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders. +Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices). -Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list. +> [!NOTE] +> Scripting engines are not trusted and you cannot allow them access to controlled protected folders. For example, PowerShell is not trusted by controlled folder access, even if you add it as an application you trust or allow with [certificate and file indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). -Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console. +Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. +> [!TIP] +> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md). -With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +## How does controlled folder access work? -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. -You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +Controlled folder access works with a list of trusted apps. Apps that are included in the list of trusted software work as expected. Apps that are not included in the list are prevented from making any changes to files inside protected folders. -Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. +Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. -## Requirements +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. + +## Why controlled folder access is important + +Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. + +The [protected folders](#review-controlled-folder-access-events-in-windows-event-viewer) include common system folders (including boot sectors), and you can [add more folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. + +You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. + +Controlled folder access is supported on the following versions of Windows: +- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) and later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) + +## Windows system folders are protected by default + +Windows system folders are protected by default, along with several other folders: + +- `c:\Users\\Documents` +- `c:\Users\Public\Documents` +- `c:\Users\\Pictures` +- `c:\Users\Public\Pictures` +- `c:\Users\Public\Videos` +- `c:\Users\\Videos` +- `c:\Users\\Music` +- `c:\Users\Public\Music` +- `c:\Users\\Favorites` + +> [!NOTE] +> You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default. + +## Requirements for controlled folder access Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md). -## Review controlled folder access events in the Microsoft Defender ATP Security Center +## Review controlled folder access events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use [advanced hunting](advanced-hunting-overview.md) to see how controlled folder access settings would affect your environment if they were enabled. -Here is an example query +Example query: ```PowerShell DeviceEvents @@ -63,27 +99,36 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...**. - +3. On the left panel, under **Actions**, select **Import custom view...**. 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md). +5. Select **OK**. -5. Click **OK**. +The following table shows events related to controlled folder access: -This will create a custom view that filters to only show the following events related to controlled folder access: +|Event ID | Description | +|:---|:---| +|5007 | Event when settings are changed | +|1124 | Audited controlled folder access event | +|1123 | Blocked controlled folder access event | -Event ID | Description --|- -5007 | Event when settings are changed -1124 | Audited controlled folder access event -1123 | Blocked controlled folder access event +## View or change the list of protected folders -## In this section +You can use the Windows Security app to view the list of folders that are protected by controlled folder access. -Topic | Description --|- -[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. -[Enable controlled folder access](enable-controlled-folders.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network -[Customize controlled folder access](customize-controlled-folders.md) | Add additional protected folders, and allow specified apps to access protected folders. +1. On your Windows 10 device, open the Windows Security app. +2. Select **Virus & threat protection**. +3. Under **Ransomware protection**, select **Manage ransomware protection**. +4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**. +5. Do one of the following steps: + - To add a folder, select **+ Add a protected folder**. + - To remove a folder, select it, and then select **Remove**. + +> [!NOTE] +> [Windows system folders](#windows-system-folders-are-protected-by-default) are protected by default, and you cannot remove them from the list. + +## See also + +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Customize controlled folder access](customize-controlled-folders.md) +- [Protect more folders](customize-controlled-folders.md#protect-additional-folders) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index d08c4e2bba..a5d808e9a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -1,9 +1,9 @@ --- title: Create alert from event API -description: Creates an alert using event details +description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,20 +12,28 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create alert API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description Creates new [Alert](alerts.md) on top of **Event**. -
    **Microsoft Defender ATP Event** is required for the alert creation. +
    **Microsoft Defender for Endpoint Event** is required for the alert creation.
    You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
    You can use an event found in Advanced Hunting API or Portal.
    If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it. @@ -38,7 +46,7 @@ Creates new [Alert](alerts.md) on top of **Event**. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -53,7 +61,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` ## Request headers @@ -88,11 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -[!include[Improve request performance](../../includes/improve-request-performance.md)] +```http +POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference +``` -``` -POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference -``` ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 6021933e52..8baab3e6c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -5,7 +5,7 @@ description: Learn how to create custom detection rules based on advanced huntin keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,36 +14,47 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/20/2020 +ms.technology: mde --- # Create custom detection rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. -Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). +Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md). -## 1. Check required permissions +> [!NOTE] +> To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. -To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. - -## 2. Prepare the query +## 1. Prepare the query. In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results. >[!IMPORTANT] >To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity. - ### Required columns in the query results -To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. +To use a query for a custom detection rule, the query must return the following columns: -The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +- `Timestamp` +- `DeviceId` +- `ReportId` + +Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. + +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. + +The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this to find only those devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto DeviceEvents @@ -53,7 +64,10 @@ DeviceEvents | where count_ > 5 ``` -## 3. Create new rule and provide alert details +> [!TIP] +> For better query performance, set a time filter that matches your intended run frequency for the rule. Since the least frequent run is every 24 hours, filtering for the past day will cover all new data. + +## 2. Create a new rule and provide alert details. With the query in the query editor, select **Create detection rule** and specify the following alert details: @@ -64,36 +78,57 @@ With the query in the query editor, select **Create detection rule** and specify - **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories) - **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software - **Description**—more information about the component or activity identified by the rule -- **Recommended actions**—additional actions that responders might take in response to an alert +- **Recommended actions**—additional actions that responders might take in response to an alert For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md). ### Rule frequency -When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: + +When saved, a new custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose: - **Every 24 hours**—runs every 24 hours, checking data from the past 30 days - **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours - **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours - **Every hour**—runs hourly, checking data from the past 2 hours +> [!TIP] +> Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored. + Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -## 4. Specify actions on files or devices +## 3. Choose the impacted entities. + +Identify the columns in your query results where you expect to find the main affected or impacted entity. For example, a query might return both device and user IDs. Identifying which of these columns represent the main impacted entity helps the service aggregate relevant alerts, correlate incidents, and target response actions. + +You can select only one column for each entity type. Columns that are not returned by your query can't be selected. + +## 4. Specify actions. + Your custom detection rule can automatically take actions on files or devices that are returned by the query. ### Actions on devices + These actions are applied to devices in the `DeviceId` column of the query results: -- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) + +- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Defender for Endpoint service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device +- **Restrict app execution**—sets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution) ### Actions on files + These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: + - **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file**—deletes the file from its current location and places a copy in quarantine -## 5. Set the rule scope +### Actions on users + +- **Mark user as compromised**—sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels). + +## 5. Set the rule scope. + Set the scope to specify which devices are covered by the rule: - All devices @@ -101,12 +136,15 @@ Set the scope to specify which devices are covered by the rule: Only data from devices in scope will be queried. Also, actions will be taken only on those devices. -## 6. Review and turn on the rule +## 6. Review and turn on the rule. + After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions. +You can [view and manage custom detection rules](custom-detections-manage.md), check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. ## Related topics -- [View and manage detection rules](custom-detections-manage.md) + +- [View and manage custom detection rules](custom-detections-manage.md) - [Custom detections overview](overview-custom-detections.md) - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the advanced hunting query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index bae067bcec..a7420db883 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -5,7 +5,7 @@ description: Learn how to view and manage custom detection rules keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,14 +14,18 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # View and manage custom detection rules + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 8a8bf44962..ed03adcaa1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Customize attack surface reduction rules description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,13 +12,17 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize attack surface reduction rules +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 0659908d5c..f36e8da07a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,60 +1,69 @@ --- title: Customize controlled folder access -description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. +description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro -author: levinec -ms.author: ellevin -ms.reviewer: +author: denisebmsft +ms.author: deniseb +ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon manager: dansimp +ms.date: 01/06/2021 +ms.technology: mde --- # Customize controlled folder access +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. -This article describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). +This article describes how to customize controlled folder access capabilities, and includes the following sections: -* [Add additional folders to be protected](#protect-additional-folders) -* [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +- [Protect additional folders](#protect-additional-folders) +- [Add apps that should be allowed to access protected folders](#allow-specific-apps-to-make-changes-to-controlled-folders) +- [Allow signed executable files to access protected folders](#allow-signed-executable-files-to-access-protected-folders) +- [Customize the notification](#customize-the-notification) -> [!WARNING] -> Controlled folder access monitors apps for activities that may be malicious. Sometimes it might block a legitimate app from making legitimate changes to your files. -> -> This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender.md) to fully assess the feature's impact. +> [!IMPORTANT] +> Controlled folder access monitors apps for activities that are detected as malicious. Sometimes, legitimate apps are blocked from making changes to your files. If controlled folder access impacts your organization's productivity, you might consider running this feature in [audit mode](audit-windows-defender.md) to fully assess the impact. ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you can't remove the default folders in the default list. +Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to controlled folder access can be useful. Some use-cases include if you don't store files in the default Windows libraries, or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). +You can also specify network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -You can use the Windows Security app or Group Policy to add and remove additional protected folders. +You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobile device management configuration service providers to add and remove additional protected folders. ### Use the Windows Security app to protect additional folders -1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Security**. -2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. +2. Select **Virus & threat protection**, and then scroll down to the **Ransomware protection** section. -3. Under the **Controlled folder access** section, select **Protected folders**. +3. Select **Manage ransomware protection** to open the **Ransomware protection** pane. -4. Select **Add a protected folder** and follow the prompts to add apps. +4. Under the **Controlled folder access** section, select **Protected folders**. + +5. Choose **Yes** on the **User Access Control** prompt. The **Protected folders** pane displays. + +4. Select **Add a protected folder** and follow the prompts to add folders. ### Use Group Policy to protect additional folders -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure, and then and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -64,16 +73,16 @@ You can use the Windows Security app or Group Policy to add and remove additiona ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** + 2. Enter the following cmdlet: ```PowerShell Add-MpPreference -ControlledFolderAccessProtectedFolders "" ``` +3. Repeat step 2 until you have added all the folders you want to protect. Folders that are added are visible in the Windows Security app. -Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. - -![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) + ![Screenshot of a PowerShell window with the cmdlet above entered](../images/cfa-allow-folder-ps.png) > [!IMPORTANT] > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. @@ -87,8 +96,7 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m You can specify if certain apps are always considered safe and give write access to files in protected folders. Allowing apps can be useful if a particular app you know and trust is being blocked by the controlled folder access feature. > [!IMPORTANT] -> By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. -> You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +> By default, Windows adds apps that are considered friendly to the allowed list. Such apps that are added automatically are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders. If the app (with the same name) is in a different location, it will not be added to the allow list and may be blocked by controlled folder access. @@ -96,9 +104,9 @@ An allowed application or service only has write access to a controlled folder a ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Security by selecting the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by searching the start menu for **Security**. -2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Ransomware protection**. +2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then select **Manage ransomware protection**. 3. Under the **Controlled folder access** section, select **Allow an app through Controlled folder access** @@ -108,7 +116,7 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)?preserve=true), right-click the Group Policy Object you want to configure and select **Edit**. 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. @@ -118,7 +126,7 @@ An allowed application or service only has write access to a controlled folder a ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell @@ -142,12 +150,16 @@ An allowed application or service only has write access to a controlled folder a Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. +## Allow signed executable files to access protected folders + +Microsoft Defender for Endpoint certificate and file indicators can allow signed executable files to access protected folders. For implementation details, see [Create indicators based on certificates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates). + ## Customize the notification -For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). +For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Configure alert notifications in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications). -## Related topics +## See also -* [Protect important folders with controlled folder access](controlled-folders.md) -* [Enable controlled folder access](enable-controlled-folders.md) -* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Protect important folders with controlled folder access](controlled-folders.md) +- [Enable controlled folder access](enable-controlled-folders.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 55552af86b..196e15e48c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -3,7 +3,7 @@ title: Customize exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,13 +12,17 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize exploit protection +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. @@ -43,44 +47,44 @@ The **Use default** configuration for each of the mitigation settings indicates For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this article. -Mitigation | Description | Can be applied to | Audit mode available --|-|-|- -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] +| Mitigation | Description | Can be applied to | Audit mode available | +| ---------- | ----------- | ----------------- | -------------------- | +| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | ![Check mark no](../images/svg/check-no.svg) | +| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | ![Check mark yes](../images/svg/check-yes.svg)| +| Block remote images | Prevents loading of images from remote devices. | App-level only | ![Check mark no](../images/svg/check-no.svg | +| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | !include[Check mark yes](../images/svg/check-yes.svg) | +| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Don't allow child processes | Prevents an app from creating child processes. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | +| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | ![Check mark no](../images/svg/check-no.svg) | +| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | ![Check mark yes](../images/svg/check-yes.svg) | > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: > > -> Enabled in **Program settings** | Enabled in **System settings** | Behavior -> -|-|- -> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** -> [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** -> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** -> [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option +> | Enabled in **Program settings** | Enabled in **System settings** | Behavior | +> | ------------------------------- | ------------------------------ | -------- | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark no](../images/svg/check-no.svg) | As defined in **Program settings** | +> | ![Check mark yes](../images/svg/check-yes.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **Program settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | As defined in **System settings** | +> | ![Check mark no](../images/svg/check-no.svg) | ![Check mark yes](../images/svg/check-yes.svg) | Default as defined in **Use default** option | > > > -> * **Example 1** +> * **Example 1** > > Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**. > @@ -113,10 +117,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redir * **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section * **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation - >[!NOTE] - >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. + > [!NOTE] + > You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may require a restart. + Changing some settings may require a restart. 4. Repeat this for all the system-level mitigations you want to configure. @@ -124,8 +128,8 @@ Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redir 1. If the app you want to configure is already listed, select it and then select **Edit** 2. If the app isn't listed, at the top of the list select **Add program to customize** and then choose how you want to add the app: - * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + * Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + * Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 6. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, select the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. @@ -137,14 +141,14 @@ Exporting the configuration as an XML file allows you to copy the configuration ## PowerShell reference - You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. +You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. - The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. +The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. - >[!IMPORTANT] - >Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. +> [!IMPORTANT] +> Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. - You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: +You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell Get-ProcessMitigation -Name processName.exe @@ -161,7 +165,7 @@ Get-ProcessMitigation -Name processName.exe Use `Set` to configure each mitigation in the following format: - ```PowerShell +```PowerShell Set-ProcessMitigation - - ,, ``` @@ -176,34 +180,34 @@ Where: * \: * The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. - For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: +For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: - ```PowerShell - Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation - ``` +```PowerShell +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAtlThunks, DisallowChildProcessCreation +``` - > [!IMPORTANT] - > Separate each mitigation option with commas. +> [!IMPORTANT] +> Separate each mitigation option with commas. - If you wanted to apply DEP at the system level, you'd use the following command: +If you wanted to apply DEP at the system level, you'd use the following command: - ```PowerShell - Set-Processmitigation -System -Enable DEP - ``` +```PowerShell +Set-Processmitigation -System -Enable DEP +``` - To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. +To disable mitigations, you can replace `-Enable` with `-Disable`. However, for app-level mitigations, this will force the mitigation to be disabled only for that app. - If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: +If you need to restore the mitigation back to the system default, you need to include the `-Remove` cmdlet as well, as in the following example: - ```PowerShell - Set-Processmitigation -Name test.exe -Remove -Disable DEP - ``` +```PowerShell +Set-Processmitigation -Name test.exe -Remove -Disable DEP +``` - You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. +You can also set some mitigations to audit mode. Instead of using the PowerShell cmdlet for the mitigation, use the **Audit mode** cmdlet as specified in the [mitigation cmdlets table](#cmdlets-table) below. - For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: +For example, to enable Arbitrary Code Guard (ACG) in audit mode for the *testing.exe* used previously, you'd use the following command: - ```PowerShell +```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` @@ -215,29 +219,29 @@ This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that -Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet -- | - | - | - -Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available -Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available -Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available -Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -Validate heap integrity | System and app-level | TerminateOnError | Audit not available -Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -Block remote images | App-level only | BlockRemoteImages | Audit not available -Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -Disable extension points | App-level only | ExtensionPoint | Audit not available -Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available -Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available -Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available -Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available -Validate handle usage | App-level only | StrictHandle | Audit not available -Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available -Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available +| Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | +| ---------- | ---------- | ------------------ | ----------------- | +| Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available | +| Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available | +| Validate heap integrity | System and app-level | TerminateOnError | Audit not available | +| Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode | +| Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad | +| Block remote images | App-level only | BlockRemoteImages | Audit not available | +| Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly | +| Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | ExtensionPoint | Audit not available | +| Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall | +| Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess | +| Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | +| Validate handle usage | App-level only | StrictHandle | Audit not available | +| Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for dlls for a process: @@ -245,14 +249,15 @@ Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. + ## Customize the notification For more information about customizing the notification when a rule is triggered and blocks an app or file, see [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center). -## See also +## See also: * [Protect devices from exploits](exploit-protection.md) -* [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection.md) * [Evaluate exploit protection](evaluate-exploit-protection.md) * [Enable exploit protection](enable-exploit-protection.md) * [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 9cc9cb48ba..f0362df64d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -1,10 +1,10 @@ --- -title: Verify data storage location and update data retention settings +title: Verify data storage location and update data retention settings description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection keywords: data, storage, settings, retention, update search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,20 +13,24 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Verify data storage location and update data retention settings for Microsoft Defender ATP +# Verify data storage location and update data retention settings for Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) -During the onboarding process, a wizard takes you through the data storage and retention settings of Microsoft Defender ATP. +During the onboarding process, a wizard takes you through the data storage and retention settings of Defender for Endpoint. After completing the onboarding, you can verify your selection in the data retention settings page. @@ -49,6 +53,5 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) +- [Configure alert notifications in Defender for Endpoint](configure-email-notifications.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 6eb879daae..ec1ee3cba5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender ATP data storage and privacy -description: Learn about how Microsoft Defender ATP handles privacy and data that it collects. -keywords: Microsoft Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data +title: Microsoft Defender for Endpoint data storage and privacy +description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects. +keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,30 +13,35 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender ATP data storage and privacy +# Microsoft Defender for Endpoint data storage and privacy + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP. +This section covers some of the most frequently asked questions regarding privacy and data handling for Defender for Endpoint. > [!NOTE] -> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. +> This document explains the data storage and privacy details related to Defender for Endpoint. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. -## What data does Microsoft Defender ATP collect? -Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +## What data does Microsoft Defender for Endpoint collect? + +Microsoft Defender for Endpoint will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). -This data enables Microsoft Defender ATP to: +This data enables Defender for Endpoint to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. @@ -44,16 +49,16 @@ This data enables Microsoft Defender ATP to: Microsoft does not use your data for advertising. ## Data protection and encryption -The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. +The Defender for Endpoint service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. -There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. ## Data storage location -Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. +Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. @@ -76,21 +81,22 @@ Access to data for services deployed in Microsoft Azure Government data centers ## Is data shared with other customers? -No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. +No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How long will Microsoft store my data? What is Microsoft’s data retention policy? **At service onboarding**
    -You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. +You can choose the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
    Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. -By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Defender for Endpoint services against their own legal and regulatory requirements. Defender for Endpoint has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. -For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). +By providing customers with compliant, independently verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) +For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index 50ce80ff33..abcc6cb3ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -1,10 +1,10 @@ --- title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP -description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. +description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,29 +13,33 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 +ms.technology: mde --- # Microsoft Defender Antivirus compatibility with Microsoft Defender ATP +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + **Applies to:** - Windows Defender -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) -The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. +The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. >[!IMPORTANT] ->Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings. +>Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). +You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode. @@ -43,4 +47,4 @@ Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.e The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options. -For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..78039bd903 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,362 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 02/11/2021 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola +ms.custom: FPFN +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). + +![Definition of false positive and negatives in Windows Defender for Endpoints](images/false-positives-overview.png) + +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process: + +1. [Review and classify alerts](#part-1-review-and-classify-alerts) +2. [Review remediation actions that were taken](#part-2-review-remediation-actions) +3. [Review and define exclusions](#part-3-review-or-define-exclusions) +4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) + +And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. + +![Steps to address false positives and negatives](images/false-positives-step-diagram.png) + +> [!NOTE] +> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). + +## Part 1: Review and classify alerts + +If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. + +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Depending on the alert status, take the steps described in the following table: + +| Alert status | What to do | +|:---|:---| +| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | +| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive.
    2. [Suppress the alert](#suppress-an-alert).
    3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
    4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | +| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + +### Classify an alert + +Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Part 2: Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone. + +After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can: +- [Undo one action at a time](#undo-an-action); +- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and +- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). + +When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab to view a list of actions that were taken. +3. Select an item to view more details about the remediation action that was taken. + +### Undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) + +### Undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + +### Remove a file from quarantine across multiple devices + +![Quarantine file](images/autoir-quarantine-file-1.png) + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select a file that has the Action type **Quarantine file**. +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. + +## Part 3: Review or define exclusions + +An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +> [!NOTE] +> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. + +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). + +"Allow" indicators can be created for: + +- [Files](#indicators-for-files) +- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) +- [Application certificates](#indicators-for-application-certificates) + +![Indicator types diagram](images/false-positives-indicators.png) + +#### Indicators for files + +When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. + +Before you create indicators for files, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) + +#### Indicators for IP addresses, URLs, or domains + +When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. + +Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met: +- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) +- Antimalware client version is 4.18.1906.x or later +- Devices are running Windows 10, version 1709, or later + +Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)) + +#### Indicators for application certificates + +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. + +Before you create indicators for application certificates, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- Virus and threat protection definitions are up to date + +> [!TIP] +> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +## Part 4: Submit a file for analysis + +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions. + +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. +2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. + A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. +3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. + +### What happens after a file is submitted? + +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly. + +For submissions that were not already processed, they are prioritized for analysis as follows: + +- Prevalent files with the potential to impact large numbers of computers are given a higher priority. +- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. +- Submissions flagged as high priority by SAID holders are given immediate attention. + +To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). + +## Part 5: Review and adjust your threat protection settings + +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to: + +- [Cloud-delivered protection](#cloud-delivered-protection) +- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) +- [Automated investigation and remediation](#automated-investigation-and-remediation) + +### Cloud-delivered protection + +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. + +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). + +We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set your cloud-delivered protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting cloud-delivered protection to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. + +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. +3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**. +4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**. +5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: + - Set **Turn on cloud-delivered protection** to **Yes**. + - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Remediation for potentially unwanted applications + +Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. + +> [!TIP] +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to edit or set PUA protection settings; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).) +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. +4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. +5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. +9. On the **Review + create** tab, review your settings, and, and then choose **Create**. + +### Automated investigation and remediation + +[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. + +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be *Malicious* or *Suspicious*. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team. + +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). + +> [!IMPORTANT] +> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle. + +## Still need help? + +If you have worked through all the steps in this article and still need help, contact technical support. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. + +## See also + +[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) + +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 1c03a39e93..4ce6869f61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -1,9 +1,9 @@ --- title: Delete Indicator API. -description: Deletes Indicator entity by ID. +description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender Advanced Threat Protection. keywords: apis, public api, supported apis, delete, ti indicator, entity, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,15 +12,23 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Delete Indicator API -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description @@ -42,12 +50,9 @@ Application | Ti.ReadWrite.All | 'Read and write Indicators' ## HTTP request ``` -Delete https://api.securitycenter.windows.com/api/indicators/{id} +Delete https://api.securitycenter.microsoft.com/api/indicators/{id} ``` -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - ## Request headers Name | Type | Description @@ -68,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. -``` -DELETE https://api.securitycenter.windows.com/api/indicators/995 +```http +DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index 3a379ea946..0c40043116 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -1,9 +1,9 @@ --- title: Deployment phases -description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service +description: Learn how to deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,55 +13,96 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-overview + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-overview ms.topic: article +ms.technology: mde --- # Deployment phases + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -There are three phases in deploying Microsoft Defender ATP: +Learn how to deploy Microsoft Defender for Endpoint so that your enterprise can take advantage of preventative protection, post-breach detection, automated investigation, and response. -|Phase | Desription | + +This guide helps you work across stakeholders to prepare your environment and then onboard devices in a methodical way, moving from evaluation, to a meaningful pilot, to full deployment. + +Each section corresponds to a separate article in this solution. + +![Image of deployment phases with details from table](images/deployment-guide-phases.png) + + +![Summary of deployment phases: prepare, setup, onboard](images/phase-diagrams/deployment-phases.png) + +|Phase | Description | |:-------|:-----| -| ![Phase 1: Prepare](images/prepare.png)
    [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP:

    - Stakeholders and sign-off
    - Environment considerations
    - Access
    - Adoption order -| ![Phase 2: Setup](images/setup.png)
    [Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:

    - Validating the licensing
    - Completing the setup wizard within the portal
    - Network configuration| -| ![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:

    - Using Microsoft Endpoint Configuration Manager to onboard devices
    - Configure capabilities +| [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint such as stakeholder approvals, environment considerations, access permissions, and adoption order of capabilities. +| [Phase 2: Setup](production-deployment.md)| Get guidance on the initial steps you need to take so that you can access the portal such as validating licensing, completing the setup wizard, and network configuration. +| [Phase 3: Onboard](onboarding.md) | Learn how to make use of deployment rings, supported onboarding tools based on the type of endpoint, and configuring available capabilities. + + +After you've completed this guide, you'll be setup with the right access permissions, your endpoints will be onboarded and reporting sensor data to the service, and capabilities such as next-generation protection and attack surface reduction will be in place. - The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. +Regardless of the environment architecture and method of deployment you choose outlined in the [Plan deployment](deployment-strategy.md) guidance, this guide is going to support you in onboarding endpoints. -There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). -## In Scope -The following is in scope for this deployment guide: -- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service -- Enabling Microsoft Defender ATP endpoint protection platform (EPP) + + + +## Key capabilities + +While Microsoft Defender for Endpoint provides many capabilities, the primary purpose of this deployment guide is to get you started by onboarding devices. In addition to onboarding, this guidance gets you started with the following capabilities. + + + +Capability | Description +:---|:--- +Endpoint detection and response | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. +Next-generation protection | To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +Attack surface reduction | Provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. + +All these capabilities are available for Microsoft Defender for Endpoint license holders. For more information, see [Licensing requirements](minimum-requirements.md#licensing-requirements). + +## Scope + +### In scope + +- Use of Microsoft Endpoint Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities + +- Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities + +- Enabling Defender for Endpoint endpoint protection platform (EPP) capabilities - Next-generation protection - Attack surface reduction -- Enabling Microsoft Defender ATP endpoint detection and response (EDR) - capabilities including automatic investigation and remediation -- Enabling Microsoft Defender ATP threat and vulnerability management (TVM) - - -## Out of scope +### Out of scope The following are out of scope of this deployment guide: -- Configuration of third-party solutions that might integrate with Microsoft - Defender ATP +- Configuration of third-party solutions that might integrate with Defender for Endpoint - Penetration testing in production environment + + + + +## See also +- [Phase 1: Prepare](prepare-deployment.md) +- [Phase 2: Set up](production-deployment.md) +- [Phase 3: Onboard](onboarding.md) +- [Plan deployment](deployment-strategy.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md new file mode 100644 index 0000000000..2be4c51120 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md @@ -0,0 +1,122 @@ +--- +title: Deploy Microsoft Defender ATP in rings +description: Learn how to deploy Microsoft Defender ATP in rings +keywords: deploy, rings, evaluate, pilot, insider fast, insider slow, setup, onboard, phase, deployment, deploying, adoption, configuring +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-overview +ms.topic: article +ms.technology: mde +--- + +# Deploy Microsoft Defender ATP in rings + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/?linkid=2154037) + + +Deploying Microsoft Defender ATP can be done using a ring-based deployment approach. + +The deployment rings can be applied in the following scenarios: +- [New deployments](#new-deployments) +- [Existing deployments](#existing-deployments) + +## New deployments + +![Image of deployment rings](images/deployment-rings.png) + + +A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring. + +Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service. By piloting a certain number of devices first, you can identify potential issues and mitigate potential risks that might arise. + + +Table 1 provides an example of the deployment rings you might use. + +**Table 1** + +|**Deployment ring**|**Description**| +|:-----|:-----| +Evaluate | Ring 1: Identify 50 systems for pilot testing +Pilot | Ring 2: Identify the next 50-100 endpoints in production environment
    +Full deployment | Ring 3: Roll out service to the rest of environment in larger increments + + + +### Exit criteria +An example set of exit criteria for these rings can include: +- Devices show up in the device inventory list +- Alerts appear in dashboard +- [Run a detection test](run-detection-test.md) +- [Run a simulated attack on a device](attack-simulations.md) + +### Evaluate +Identify a small number of test machines in your environment to onboard to the service. Ideally, these machines would be fewer than 50 endpoints. + + +### Pilot +Microsoft Defender ATP supports a variety of endpoints that you can onboard to the service. In this ring, identify several devices to onboard and based on the exit criteria you define, decide to proceed to the next deployment ring. + +The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service. + +| Endpoint | Deployment tool | +|--------------|------------------------------------------| +| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
    NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.
    [Group Policy](configure-endpoints-gp.md)
    [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
    [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
    [VDI scripts](configure-endpoints-vdi.md) | +| **macOS** | [Local script](mac-install-manually.md)
    [Microsoft Endpoint Manager](mac-install-with-intune.md)
    [JAMF Pro](mac-install-with-jamf.md)
    [Mobile Device Management](mac-install-with-other-mdm.md) | +| **Linux Server** | [Local script](linux-install-manually.md)
    [Puppet](linux-install-with-puppet.md)
    [Ansible](linux-install-with-ansible.md)| +| **iOS** | [App-based](ios-install.md) | +| **Android** | [Microsoft Endpoint Manager](android-intune.md) | + + + + +### Full deployment +At this stage, you can use the [Plan deployment](deployment-strategy.md) material to help you plan your deployment. + + +Use the following material to select the appropriate Microsoft Defender ATP architecture that best suites your organization. + +|**Item**|**Description**| +|:-----|:-----| +|[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
    [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: