diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn index db312c63cd..4a22e37c62 100644 --- a/.acrolinx-config.edn +++ b/.acrolinx-config.edn @@ -3,7 +3,7 @@ :acrolinx-check-settings { "languageId" "en" - "ruleSetName" "Standard Commercial" + "ruleSetName" "Standard" "requestedFlagTypes" ["SPELLING" "GRAMMAR" "STYLE" "TERMINOLOGY_DEPRECATED" "TERMINOLOGY_VALID" diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3f358d9288..b79b7c666a 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,16 @@ { "redirections": [ { +"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-whats-new.md", +"redirect_url": "https://docs.microsoft.com/hololens/hololens-release-notes", +"redirect_document_id": true +}, +{ "source_path": "devices/hololens/hololens-upgrade-enterprise.md", "redirect_url": "https://docs.microsoft.com/hololens/hololens-requirements#upgrade-to-windows-holographic-for-business", "redirect_document_id": true 
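Review bot: The first entry added in the `@@ -1,6 +1,16 @@` hunk of `.openpublishing.redirection.json` has `"source_path": "security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md"`, without the `windows/` prefix. The other threat-protection entries in this diff carry that prefix (for example `windows/security/threat-protection/microsoft-defender-atp/overview.md`), and the neighbouring `devices/hololens/...` entry suggests paths are repo-root relative. If the retired page lived under `windows/security/...`, this entry presumably never matches, and the old URL for the policy-signing guidance would 404 instead of reaching the signed-policies article. Suggest `"source_path": "windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md",` unless the path is resolved against a docset root not shown here.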
@@ -1377,11 +1387,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md",
 "redirect_url": "https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection",
 "redirect_document_id": true
@@ -1707,6 +1712,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/overview.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction",
 "redirect_document_id": true
@@ -1727,17 +1737,12 @@
 "redirect_document_id": false
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md",
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/secure-score-dashboard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
-"redirect_document_id": false
-},
-{
-"source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/enable-secure-score.md",
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
@@ -15567,6 +15572,16 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/product-brief.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/threat-protection/microsoft-defender-atp/licensing.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/release-information/status-windows-10-1703.yml",
 "redirect_url": "https://docs.microsoft.com/windows/release-information/windows-message-center",
 "redirect_document_id": true
diff --git a/.vscode/settings.json b/.vscode/settings.json
index e7f59d08ec..9c0086e560 100644
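Review bot: After this change, no redirect visible in the diff covers the enable-secure-score page. The `@@ -1727,17 +1737,12 @@` hunk corrects the `source_path` of the `overview-secure-score.md` and `secure-score-dashboard.md` entries to the `microsoft-defender-atp/` folder, but deletes the `enable-secure-score.md` entry instead of correcting it the same way. The `@@ -1377,11 +1387,6 @@` hunk also removes the older `windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md` redirect whose target was `.../microsoft-defender-atp/enable-secure-score`. If that article is retired (not visible in this part of the diff), links to it from older security guidance would stop resolving. Consider keeping an entry with `"source_path": "windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md",` that points to the `configuration-score` URL.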
--- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,5 +1,6 @@ { "cSpell.words": [ + "intune", "kovter", "kovter's", "poshspy" diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index c93f45cfd9..8547f7cf59 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,6 +1,6 @@ -# [HoloLens overview](index.md) +# [Microsoft HoloLens](index.md) -# Get Started with HoloLens 2 +# Get started with HoloLens 2 ## [HoloLens 2 hardware](hololens2-hardware.md) ## [Get your HoloLens 2 ready to use](hololens2-setup.md) ## [Set up your HoloLens 2](hololens2-start.md) 
@@ -16,56 +16,56 @@ ## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md) ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) -# Deploying HoloLens and Mixed Reality Apps in Commercial Environments -## [Deployment planning](hololens-requirements.md) -## [Commercial feature overview](hololens-commercial-features.md) -## [Lincense Requriements](hololens-licenses-requirements.md) -## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md) +# Deploy HoloLens and mixed-reality apps in commercial environments +## [Commercial features](hololens-commercial-features.md) +## [Deploy HoloLens in a commercial environment](hololens-requirements.md) +## [Determine what licenses you need](hololens-licenses-requirements.md) +## [Configure your network for HoloLens](hololens-commercial-infrastructure.md) ## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md) -## [Configure HoloLens using a provisioning package](hololens-provisioning.md) +## [Use a provisioning package to configure HoloLens](hololens-provisioning.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) -## [Set up ring based updates for HoloLens](hololens-updates.md) +## [Manage HoloLens updates](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) # Navigating Windows Holographic ## [Start menu and mixed reality home](holographic-home.md) ## [Use your voice with HoloLens](hololens-cortana.md) -## [Find and save files](holographic-data.md) -## [Create, share, and view photos and video](holographic-photos-and-videos.md) +## [Find, open, and save files](holographic-data.md) +## [Create mixed reality photos and videos](holographic-photos-and-videos.md) # User management and access management -## [Accounts on HoloLens](hololens-identity.md) +## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple 
people](hololens-multiple-users.md) -## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) -## [Set up limited application access](hololens-kiosk.md) +## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md) -# Holographic Applications -## [Try 3D Viewer](holographic-3d-viewer-beta.md) +# Holographic applications +## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md) ## [Find, install, and uninstall applications](holographic-store-apps.md) -## [Install and uninstall custom applications](holographic-custom-apps.md) +## [Manage custom apps for HoloLens](holographic-custom-apps.md) # Accessories and connectivity ## [Connect to Bluetooth and USB-C devices](hololens-connect-devices.md) ## [Use the HoloLens (1st gen) clicker](hololens1-clicker.md) ## [Connect to a network](hololens-network.md) -## [Use HoloLens offline](hololens-offline.md) +## [Manage connection endpoints for HoloLens](hololens-offline.md) # Hologram optics and placement in space -## [Tips for viewing clear Holograms](hololens-calibration.md) +## [Improve visual quality and comfort](hololens-calibration.md) ## [Environment considerations for HoloLens](hololens-environment-considerations.md) -## [Spatial mapping on HoloLens](hololens-spaces.md) +## [Map physical spaces with HoloLens](hololens-spaces.md) # Update, troubleshoot, or recover HoloLens ## [Update HoloLens](hololens-update-hololens.md) -## [Restart, reset, or recover](hololens-recovery.md) -## [Troubleshoot HoloLens](hololens-troubleshooting.md) -## [Known issues](hololens-known-issues.md) +## [Restart, reset, or recover HoloLens](hololens-recovery.md) +## [Troubleshoot HoloLens issues](hololens-troubleshooting.md) +## [Known issues for HoloLens](hololens-known-issues.md) ## [Frequently asked questions](hololens-faq.md) ## [Frequently asked security questions](hololens-faq-security.md) -## [Hololens services status](hololens-status.md) -## [SCEP Whitepaper](scep-whitepaper.md) +## [Status of 
the HoloLens services](hololens-status.md) +## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb) +## [SCEP whitepaper](scep-whitepaper.md) -# [Release Notes](hololens-release-notes.md) +# [HoloLens release notes](hololens-release-notes.md) # [Give us feedback](hololens-feedback.md) -# [Join the Windows Insider program](hololens-insider.md) +# [Insider preview for Microsoft HoloLens](hololens-insider.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) diff --git a/devices/hololens/holographic-custom-apps.md b/devices/hololens/holographic-custom-apps.md index 0a86a7b37a..3cc01691d6 100644 --- a/devices/hololens/holographic-custom-apps.md +++ b/devices/hololens/holographic-custom-apps.md @@ -1,6 +1,6 @@ --- title: Manage custom apps for HoloLens -description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps. +description: Side load custom apps on HoloLens. Learn more about installing, and uninstalling holographic apps. ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616 ms.date: 07/01/2019 manager: v-miegge @@ -11,12 +11,15 @@ author: mattzmsft ms.author: mazeller ms.topic: article ms.localizationpriority: medium +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Install and manage custom applications (non-store) +# Manage custom apps for HoloLens HoloLens supports many existing applications from the Microsoft Store, as well as new apps built specifically for HoloLens. This article focuses on custom holographic applications. diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md index 8cc17b758c..38964c7a7d 100644 --- a/devices/hololens/hololens-FAQ.md +++ b/devices/hololens/hololens-FAQ.md 
@@ -207,7 +207,7 @@ You can pair other Bluetooth HID and GATT devices together with your HoloLens. H Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. Individial apps may support additional clicker gestures. -If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). +If you're having trouble using the clicker, make sure that it's charged and paired with your HoloLens. If the battery is low, the indicator light blinks amber. To verify that the clicker is paired, go to **Settings** > **Devices** and see if it shows up there. For more information, see [Pair the clicker](hololens-connect-devices.md#hololens-1st-gen-pair-the-clicker). If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again. diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md index cfc55d1070..dcba528079 100644 --- a/devices/hololens/hololens-calibration.md +++ b/devices/hololens/hololens-calibration.md @@ -33,7 +33,8 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan - The user previously opted out of the calibration process - The calibration process did not succeed the last time the user used the device - The user has deleted their calibration profiles -- The visor is raised and the lowered and any of the above circumstances apply (this may be disabled in **Settings > System > Calibration**.) +- The device is taken off and put back on and any of the above circumstances apply + ![Calibration prompt](./images/07-et-adjust-for-your-eyes.png) 
diff --git a/devices/hololens/hololens-commercial-features.md b/devices/hololens/hololens-commercial-features.md index 309d81e904..f53558ec75 100644 --- a/devices/hololens/hololens-commercial-features.md +++ b/devices/hololens/hololens-commercial-features.md @@ -5,6 +5,9 @@ keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk m author: scooley ms.author: scooley ms.date: 08/26/2019 +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article audience: ITPro ms.prod: hololens @@ -40,7 +43,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a - **Windows Update for Business.** Windows Update for Business provides controlled operating system updates to devices and support for the long-term servicing channel. - **Data security.** BitLocker data encryption is enabled on HoloLens to provide the same level of security protection as any other Windows device. - **Work access.** Anyone in your organization can remotely connect to the corporate network through virtual private network (VPN) on a HoloLens. HoloLens can also access Wi-Fi networks that require credentials. -- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company’s apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users. +- **Microsoft Store for Business.** Your IT department can also set up an enterprise private store, containing only your company's apps for your specific HoloLens usage. Securely distribute your enterprise software to selected group of enterprise users. ## Feature comparison between editions 
@@ -48,7 +51,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a |---|:---:|:---:|:---:| |Device Encryption (BitLocker) | |✔️ |✔️ | |Virtual Private Network (VPN) | |✔️ |✔️ | -|[Kiosk mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#kiosk-mode) | |✔️ |✔️ | +|[Kiosk mode](hololens-kiosk.md) | |✔️ |✔️ | |**Management and deployment** | | | | |Mobile Device Management (MDM) | |✔️ |✔️ | |Ability to block unenrollment | |✔️ |✔️ | @@ -67,12 +70,12 @@ HoloLens (1st gen) came with two licensing options, the developer license and a ## Enabling commercial features -Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](https://docs.microsoft.com/hololens) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business. +Your organization's IT admin can set up commercial features such as Microsoft Store for Business, kiosk mode, and enterprise Wi-Fi access. The [Microsoft HoloLens](index.md) documentation provides step-by-step instructions for enrolling devices and installing apps from Microsoft Store for Business. ## See also -- [Microsoft HoloLens](https://docs.microsoft.com/hololens) -- [Kiosk mode](/windows/mixed-reality/using-the-windows-device-portal.md#kiosk-mode) +- [Microsoft HoloLens](index.md) +- [Kiosk mode](hololens-kiosk.md) - [CSPs supported in HoloLens devices](/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) - [Microsoft Store For Business and line of business applications](https://blogs.technet.microsoft.com/sbucci/2016/04/13/windows-store-for-business-and-line-of-business-applications/) - [Working with line-of-business apps](/microsoft-store/working-with-line-of-business-apps) 
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md index bbe2dad4d3..fd770fd0cc 100644 --- a/devices/hololens/hololens-connect-devices.md +++ b/devices/hololens/hololens-connect-devices.md @@ -8,7 +8,7 @@ author: Teresa-Motiv ms.author: v-tea ms.topic: article ms.localizationpriority: high -ms.date: 09/13/2019 +ms.date: 03/11/2020 manager: jarrettr appliesto: - HoloLens (1st gen) 
@@ -19,56 +19,58 @@ appliesto: ## Pair Bluetooth devices -Pair a Bluetooth mouse and keyboard with HoloLens, then use them to interact with holograms and to type anywhere you'd use the holographic keyboard. - -Classes of Bluetooth devices supported by HoloLens 2: +HoloLens 2 supports the following classes of Bluetooth devices: - Mouse - Keyboard - Bluetooth audio output (A2DP) devices -Classes of Bluetooth devices supported by HoloLens (1st gen): +HoloLens (1st gen) supports the following classes of Bluetooth devices: - Mouse - Keyboard - HoloLens (1st gen) clicker > [!NOTE] -> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported on HoloLens (1st gen). [Learn more](https://go.microsoft.com/fwlink/p/?LinkId=746660). +> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may be listed as available in HoloLens settings. However, these devices aren't supported on HoloLens (1st gen). For more information, see [I'm having problems pairing or using a Bluetooth device](hololens-FAQ.md#im-having-problems-pairing-or-using-a-bluetooth-device). ### Pair a Bluetooth keyboard or mouse -1. Turn on your keyboard or mouse and make it discoverable. The way you make it discoverable depends on the device. To learn how to do this, check the device or visit the manufacturer's website. +1. Turn on your keyboard or mouse, and make it discoverable. To learn how to make the device discoverable, look for information on the device (or its documentation) or visit the manufacturer's website. -1. Use the bloom gesture (HoloLens (1st gen) or the start gesture (HoloLens 2) to go to **Start**, then select **Settings**. -1. Select **Devices** and make sure that Bluetooth is on. When you see the device name, select **Pair** and follow the instructions. +1. 
Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings**. +1. Select **Devices**, and make sure that Bluetooth is on. +1. When you see the device name, select **Pair**, and then follow the instructions. -### Pair the clicker +### HoloLens (1st gen): Pair the clicker -> Applies to HoloLens (1st gen) only. - -1. Use the bloom gesture to go to **Start**, then select **Settings**. - -1. Select **Devices** and make sure that Bluetooth is on. -1. Use the tip of a pen to press and hold the clicker's pairing button until the status light blinks white. Make sure to hold the button down until the light starts blinking. [Where's the pairing button?](hololens1-clicker.md) +1. Use the bloom gesture to go to **Start**, and then select **Settings**. +1. Select **Devices**, and make sure that Bluetooth is on. +1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking. + The pairing button is on the underside of the clicker, next to the finger loop. + ![The pairing button is beside the finger loop](images/use-hololens-clicker-1.png) 1. On the pairing screen, select **Clicker** > **Pair**. -## Connect USB-C devices +## HoloLens 2: Connect USB-C devices -> Applies to HoloLens 2 only. - -HoloLens 2 lets you connect a wide range of USB-C devices. 
- -HoloLens 2 supports the following devices classes: +HoloLens 2 supports the following classes of USB-C devices: - Mass storage devices (such as thumb drives) -- Ethernet adapters (including ethernet with charging) -- USB-C to 3.5mm digital audio adapters -- USB-C digital audio headsets (including headset adapters with charging) +- Ethernet adapters (including ethernet plus charging) +- USB-C-to-3.5mm digital audio adapters +- USB-C digital audio headsets (including headset adapters plus charging) - Wired mouse - Wired keyboard -- Combination PD hubs (USB A + PD charging) +- Combination PD hubs (USB A plus PD charging) ## Connect to Miracast -Use Miracast by opening the **Start** menu and selecting the display icon or saying "Connect" while gazing at the **Start** menu. Choose an available device from the list that appears and complete pairing to begin projection. +To use Miracast, follow these steps: + +1. Do one of the following: + + - Open the **Start** menu, and select the display icon. + - Say "Connect" while you gaze at the **Start** menu. + +1. On the list of devices that appears, select an available device. +1. Complete the pairing to begin projecting. diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 05d9a46105..369602ca12 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -2,13 +2,13 @@ title: Use your voice with HoloLens description: Cortana can help you do all kinds of things on your HoloLens ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed -ms.date: 11/8/2019 +ms.date: 03/10/2020 keywords: hololens ms.prod: hololens ms.sitesec: library -author: v-miegge +author: Teresa-Motiv audience: ITPro -ms.author: v-miegge +ms.author: v-tea ms.topic: article manager: jarrettr ms.localizationpriority: high 
@@ -63,11 +63,11 @@ To use these commands, gaze at a 3D object, hologram, or app window. ### See it, say it -Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor** on it for a moment to see a voice tip. +Many buttons and other elements on HoloLens also respond to your voice—for example, **Follow me** and **Close** on the app bar, or the **Back** button in Edge. To find out if a button is voice-enabled, rest your **gaze cursor**,**touch cursor** or one **hand ray** on it for a moment. If the button is voice-enabled, you'll see a voice tip. ### Dictation mode -Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that." +Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that." > [!NOTE] > To use dictation mode, you have to have an internet connection. diff --git a/devices/hololens/hololens-faq-security.md b/devices/hololens/hololens-faq-security.md index b56e555f7d..78dacbb581 100644 --- a/devices/hololens/hololens-faq-security.md +++ b/devices/hololens/hololens-faq-security.md 
@@ -11,15 +11,18 @@ ms.sitesec: library ms.topic: article audience: ITPro ms.localizationpriority: high +ms.custom: +- CI 111456 +- CSSTroubleshooting manager: bradke appliesto: - HoloLens 1 (1st gen) - HoloLens 2 --- -# Frequently Asked Security Questions +# Frequently asked questions about HoloLens security -## HoloLens 1st Gen Security Questions +## HoloLens (1st gen) Security Questions 1. **What type of wireless is used?** 1. 802.11ac and Bluetooth 4.1 LE 
@@ -67,9 +70,9 @@ appliesto: 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** 1. No -1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** - 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. - 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. 
Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. 1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. @@ -87,7 +90,7 @@ appliesto: 1. **Can the device blacklist or white list specific frequencies?** 1. This is not controllable by the user/device 1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?** - 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules. + 1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region's regulatory rules. 1. **What is the duty cycle/lifetime for normal operation?** 1. *Currently unavailable.* 1. **What is transmit and receive behavior when a tool is not in range?** 
@@ -119,8 +122,8 @@ appliesto: 1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version. 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?** 1. No -1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** - 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client. - 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices. +1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it's only on that device, unique to that device, and can't be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?** + 1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that's sent to the client. + 1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. 
Additionally, even if it could be extracted, the challenge strings couldn't be verified on a different device, rendering the certs/key unusable on different devices. 1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?** 1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities. diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index 3cc6cc4cfc..e1fab33818 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -1,12 +1,15 @@ --- -title: Managing user identity and login on HoloLens -description: Manage user identity, security, and login on HoloLens. +title: Manage user identity and sign-in for HoloLens +description: Manage user identity, security, and sign-in for HoloLens. keywords: HoloLens, user, account, aad, adfs, microsoft account, msa, credentials, reference ms.assetid: 728cfff2-81ce-4eb8-9aaa-0a3c3304660e author: scooley ms.author: scooley -ms.date: 1/6/2019 +ms.date: 1/6/2020 ms.prod: hololens +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article ms.sitesec: library ms.topic: article @@ -18,7 +21,7 @@ appliesto: - HoloLens 2 --- -# User identity and signin +# Manage user identity and sign-in for HoloLens > [!NOTE] > This article is a technical reference for IT Pros and tech enthusiasts. If you're looking for HoloLens set up instructions, read "[Setting up your HoloLens (1st gen)](hololens1-start.md)" or "[Setting up your HoloLens 2](hololens2-start.md)". diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 5adbb7b0ca..1f4858772e 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md 
@@ -1,11 +1,14 @@ --- -title: Insider preview for Microsoft HoloLens (HoloLens) -description: It’s simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. +title: Insider preview for Microsoft HoloLens +description: It's simple to get started with Insider builds and to provide valuable feedback for our next major operating system update for HoloLens. ms.prod: hololens ms.sitesec: library author: scooley ms.author: scooley ms.topic: article +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.localizationpriority: medium audience: ITPro ms.date: 1/6/2020 @@ -17,13 +20,13 @@ appliesto: # Insider preview for Microsoft HoloLens -Welcome to the latest Insider Preview builds for HoloLens! It’s simple to get started and provide valuable feedback for our next major operating system update for HoloLens. +Welcome to the latest Insider Preview builds for HoloLens! It's simple to get started and provide valuable feedback for our next major operating system update for HoloLens. ## Start receiving Insider builds On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. -Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. +Then, select **Active development of Windows**, choose whether you'd like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. 
@@ -46,7 +49,7 @@ To opt out of Insider builds: Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to provide feedback and report issues. Using Feedback Hub ensures that all necessary diagnostics information is included to help our engineers quickly debug and resolve the problem. Issues with the Chinese and Japanese version of HoloLens should be reported the same way. > [!NOTE] -> Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). +> Be sure to accept the prompt that asks whether you'd like Feedback Hub to access your Documents folder (select **Yes** when prompted). ## Note for developers @@ -68,7 +71,7 @@ Here's a quick summary of what's new: - Performance and stability improvements across the product - More information in settings on HoloLens about the policy pushed to the device -Once you’ve had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers. +Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers. ### FIDO 2 support Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index e895069d36..aab93e1b8a 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md 
@@ -1,5 +1,5 @@
 ---
-title: Set up HoloLens in kiosk mode (HoloLens)
+title: Set up HoloLens as a kiosk for specific applications
 description: Use a kiosk configuration to lock down the apps on HoloLens.
 ms.prod: hololens
 ms.sitesec: library
@@ -8,15 +8,21 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.date: 11/13/2018 +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.reviewer: manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- -# Set up HoloLens in kiosk mode +# Set up HoloLens as a kiosk for specific applications In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional) -When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. +When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md index c508f805e5..e3ac50bec3 100644 --- a/devices/hololens/hololens-known-issues.md 
+++ b/devices/hololens/hololens-known-issues.md @@ -1,11 +1,14 @@ --- -title: HoloLens known issues +title: Known issues for HoloLens description: This is the list of known issues that may affect HoloLens developers. keywords: troubleshoot, known issue, help author: mattzmsft ms.author: mazeller ms.date: 8/30/2019 ms.topic: article +ms.custom: +- CI 111456 +- CSSTroubleshooting HoloLens and holograms: Frequently asked questions manager: jarrettr ms.prod: hololens @@ -13,7 +16,7 @@ appliesto: - HoloLens 1 --- -# HoloLens known issues +# Known issues for HoloLens This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates. @@ -70,7 +73,7 @@ Our team is currently working on a fix. In the meantime, you can use the followi 1. Select **Build** > **Build Solution**. 1. Open a Command Prompt Window and cd to the folder that contains the compiled .exe file (for example, C:\MyProjects\HoloLensDeploymentFix\bin\Debug) -1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device’s Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1" +1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device's Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1" 1. After the tool has exited without any messages (this should only take a few seconds), you will now be able to deploy and debug from Visual Studio 2017 or newer. Continued use of the tool is not necessary. 
@@ -84,9 +87,9 @@ We will provide further updates as they become available. You may experience issues when trying to launch the Microsoft Store and apps on HoloLens. We've determined that the issue occurs when background app updates deploy a newer version of framework packages in specific sequences while one or more of their dependent apps are still running. In this case, an automatic app update delivered a new version of the .NET Native Framework (version 10.0.25531 to 10.0.27413) caused the apps that are running to not correctly update for all running apps consuming the prior version of the framework. The flow for framework update is as follows: 1. The new framework package is downloaded from the store and installed -1. All apps using the older framework are ‘updated’ to use the newer version +1. All apps using the older framework are 'updated' to use the newer version -If step 2 is interrupted before completion then any apps for which the newer framework wasn’t registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue. +If step 2 is interrupted before completion then any apps for which the newer framework wasn't registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue. Some users have reported that closing hung apps and launching other apps such as Feedback Hub, 3D Viewer or Photos resolves the issue for them—however, this does not work 100% of the time. 
@@ -112,10 +115,10 @@ If you would not like to take the update, we have released a new version of the If your device is still unable to load apps, you can sideload a version of the .NET Native Framework and Runtime through the download center by following these steps: 1. Please download [this zip file](https://download.microsoft.com/download/8/5/C/85C23745-794C-419D-B8D7-115FBCCD6DA7/netfx_1.7.zip) from the Microsoft Download Center. Unzipping will produce two files. Microsoft.NET.Native.Runtime.1.7.appx and Microsoft.NET.Native.Framework.1.7.appx -1. Please verify that your device is dev unlocked. If you haven’t done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). +1. Please verify that your device is dev unlocked. If you haven't done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). 1. You then want to get into the Windows Device Portal. Our recommendation is to do this over USB and you would do that by typing http://127.0.0.1:10080 into your browser. -1. After you have the Windows Device Portal up we need you to “side load” the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**. -1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on “Go” under the Deploy section. Then do this for the second APPX file. +1. After you have the Windows Device Portal up we need you to "side load" the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**. +1. You will then see a screen that is similar to the below. 
You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on "Go" under the Deploy section. Then do this for the second APPX file. ![Windows Device Portal to Install Side-Loaded app](images/20190322-DevicePortal.png) 1. At this point we believe your applications should start working again and that you can also get to the Store. diff --git a/devices/hololens/hololens-licenses-requirements.md b/devices/hololens/hololens-licenses-requirements.md index c89587c100..ef727bfc77 100644 --- a/devices/hololens/hololens-licenses-requirements.md +++ b/devices/hololens/hololens-licenses-requirements.md @@ -23,7 +23,7 @@ appliesto: If you plan on managing your HoloLens devices, you will need Azure AD and an MDM. Active Director (AD) cannot be used to manage HoloLens devices. If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required. -If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.** +If you plan on using Intune as your MDM, [here](https://docs.microsoft.com/intune/fundamentals/licenses) are a list of suites that includes Intune licenses. **Please note that Azure AD is included in the majority of these suites.** ## Identify the licenses needed for your scenario and products 
@@ -44,6 +44,8 @@ Make sure you have the required licensing and device. Updated licensing and prod 1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free) 1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) +If you plan on implementing **[this cross-tenant scenario](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-overview#scenario-2-leasing-services-to-other-tenants)**, you may need an Information Barriers license. Please see [this article](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-licensing-implementation#step-1-determine-if-information-barriers-are-necessary) to determine if an Information Barrier License is required. + ### Guides License Requirements Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements). diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md index e3b11960b1..b9ee084421 100644 --- a/devices/hololens/hololens-offline.md +++ b/devices/hololens/hololens-offline.md @@ -5,9 +5,12 @@ keywords: hololens, offline, OOBE audience: ITPro ms.date: 07/01/2019 ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 -author: v-miegge -ms.author: v-miegge -manager: v-miegge +author: Teresa-Motiv +ms.author: v-tea +ms.custom: +- CI 111456 +- CSSTroubleshooting +manager: jarrettr ms.topic: article ms.prod: hololens ms.sitesec: library 
@@ -17,9 +20,9 @@ appliesto: - HoloLens 2 --- -# Manage connection endpoints for HoloLens +# Manage connection endpoints for HoloLens -Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional. +Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuration (e.g. proxy or firewall) for those components to be functional. ## Near-offline setup diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 4e0cf676b1..70edc38d5e 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md 
@@ -1,22 +1,32 @@ --- -title: Configure HoloLens using a provisioning package (HoloLens) +title: Configure HoloLens by using a provisioning package (HoloLens) + description: Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. ms.prod: hololens ms.sitesec: library +ms.custom: +- CI 111456 +- CSSTroubleshooting author: dansimp ms.author: dansimp ms.topic: article +ms.custom: +- CI 115190 +- CSSTroubleshooting ms.localizationpriority: medium -ms.date: 11/13/2018 -ms.reviewer: +ms.date: 03/10/2020 +ms.reviewer: Teresa-Motiv manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- -# Configure HoloLens using a provisioning package +# Configure HoloLens by using a provisioning package [Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages. -Some of the HoloLens configurations that you can apply in a provisioning package: +Some of the HoloLens configurations that you can apply in a provisioning package include the following: - Upgrade to Windows Holographic for Business [here](hololens1-upgrade-enterprise.md) - Set up a local account 
@@ -32,43 +42,42 @@ The HoloLens wizard helps you configure the following settings in a provisioning - Upgrade to the enterprise edition > [!NOTE] - > This should only be used for HoloLens 1st Gen devices. Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md). + > This should only be used for HoloLens 1st gen devices. Settings in a provisioning package are only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md). - Configure the HoloLens first experience (OOBE) -- Configure Wi-Fi network -- Enroll device in Azure Active Directory or create a local account +- Configure the Wi-Fi network +- Enroll the device in Azure Active Directory, or create a local account - Add certificates - Enable Developer Mode -- Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)). +- Configure kiosk mode (for detailed instructions,see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) > [!WARNING] > You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. -Provisioning packages can include management instructions and policies, customization of network connections and policies, and more. +Provisioning packages can include management instructions and policies, custom network connections and policies, and more. 
> [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. -## Steps for Creating Provisioning Packages +## Steps for creating provisioning packages -### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this). +1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). This includes HoloLens 2 capabilities. +2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configuration Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. This option does not include HoloLens 2 capabilities. -1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) -2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. -### 2. Create the Provisioning Package +### 2. Create the provisioning package Use the Windows Configuration Designer tool to create a provisioning package. 1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). -2. Click **Provision HoloLens devices**. +2. Select **Provision HoloLens devices**. ![ICD start options](images/icd-create-options-1703.png) -3. Name your project and click **Finish**. +3. Name your project and select **Finish**. -4. Read the instructions on the **Getting started** page and select **Next**. 
The pages for desktop provisioning will walk you through the following steps. +4. Read the instructions on the **Getting started** page and select **Next**. The pages for desktop provisioning walk you through the following steps. > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. @@ -77,108 +86,110 @@ Use the Windows Configuration Designer tool to create a provisioning package. - - + +
step oneset up device

Browse to and select the enterprise license file to upgrade the HoloLens edition.

You can also toggle Yes or No to hide parts of the first experience.

To set up the device without the need to connect to a Wi-Fi network, toggle Skip Wi-Fi setup to On.

Select a region and timezone in which the device will be used.
Select enterprise licence file and configure OOBE
step two set up network

In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Enter network SSID and type
step three account management

You can enroll the device in Azure Active Directory, or create a local account on the device

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.

To create a local account, select that option and enter a user name and password.

Important: (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
join  Azure AD or create a local  account
step two set up network

In this section, you can enter the details of the Wi-Fi wireless network that the device should automatically connect to. To do this, select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
Enter network SSID and type
step three account management

You can enroll the device in Azure Active Directory, or create a local account on the device

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Select Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Select Accept to give Windows Configuration Designer the necessary permissions.

To create a local account, select that option and enter a user name and password.

Important:
(For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
join  Azure AD or create a local  account
step four add certificates

To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
add a certificate
step five Developer Setup

Toggle Yes or No to enable Developer Mode on the HoloLens. Learn more about Developer Mode.
Enable Developer Mode
step six finish

Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.
Protect your package
-After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. +After you're done, select **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. -### 3. Create a provisioning package for HoloLens using advanced provisioning +### 3. Create a provisioning package for HoloLens by using advanced provisioning > [!NOTE] -> Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md). +> A provisioning package that you create in **Advanced provisioning** does not need to include an edition upgrade license to Windows Holographic for Business to succesfully apply to a HoloLens (1st gen). [See more on Windows Holographic for Business for HoloLens (1st gen)](hololens1-upgrade-enterprise.md). 1. On the Windows Configuration Designer start page, select **Advanced provisioning**. 2. In the **Enter project details** window, specify a name for your project and the location for your project. Optionally, enter a brief description to describe your project. -3. Click **Next**. +3. Select **Next**. -4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then click **Next**. +4. In the **Choose which settings to view and configure** window, select **Windows 10 Holographic**, and then select **Next**. -6. Click **Finish**. +5. Select **Finish**. -7. Expand **Runtime settings** and customize the package with any of the settings [described below](#what-you-can-configure). +6. 
Expand **Runtime settings** and customize the package by using any of the settings [described later in this article](#what-you-can-configure). > [!IMPORTANT] > (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. If the user account is locked out, you must [perform a full device recovery](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens#perform_a_full_device_recovery). -8. On the **File** menu, click **Save**. +7. Select **File** > **Save**. -4. Read the warning that project files may contain sensitive information, and click **OK**. +8. Read the warning that project files may contain sensitive information, and select **OK**. > [!IMPORTANT] > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -3. On the **Export** menu, click **Provisioning package**. +9. Select **Export** > **Provisioning package**. -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next**. +10. Change **Owner** to **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. Select **Next**. -5. Set a value for **Package Version**. +11. Set a value for **Package Version**. > [!TIP] > You can make changes to existing packages and change the version number to update previously applied packages. -6. 
On the **Select security details for the provisioning package**, click **Next**. +12. On the **Select security details for the provisioning package**, select **Next**. > [!WARNING] > If you encrypt the provisioning package, provisioning the HoloLens device will fail. -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. +13. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. - Optionally, you can click **Browse** to change the default output location. + Optionally, you can select **Browse** to change the default output location. -8. Click **Next**. +14. Select **Next**. -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. +15. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. -10. When the build completes, click **Finish**. +16. When the build completes, select **Finish**. ## Apply a provisioning package to HoloLens during setup -1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). +1. Use the USB cable to connect the device to a PC, and then start the device. Do not continue past the **First interactable moment** page of OOBE. + - On HoloLens (1st gen), this page contains a blue box. + - On HoloLens 2, this page contains the hummingbird. -2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. (This step isn't needed in Windows 10, version 1803.) +2. Briefly press and release the **Volume Down** and **Power** buttons simultaneously. -3. 
HoloLens will show up as a device in File Explorer on the PC. +3. HoloLens shows up as a device in File Explorer on the PC. 4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage. 5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page. -6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package. +6. The device asks you if you trust the package and would like to apply it. Confirm that you trust the package. 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. > [!NOTE] -> If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +> If the device was purchased before August 2016, you will need to sign in to the device by using a Microsoft account, get the latest operating system update, and then reset the operating system in order to apply the provisioning package. ### 4. Apply a provisioning package to HoloLens after setup > [!NOTE] -> Windows 10, version 1809 only +> These steps apply only toWindows 10, version 1809. -On your PC: +On your PC, follow these steps: 1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). -2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. +2. Connect the HoloLens device to a PC by using a USB cable. HoloLens shows up as a device in File Explorer on the PC. 3. Drag and drop the provisioning package to the Documents folder on the HoloLens. -On your HoloLens: -1. Go to **Settings > Accounts > Access work or school**. +On your HoloLens, follow these steps: +1. 
Go to **Settings** > **Accounts** > **Access work or school**. 2. In **Related Settings**, select **Add or remove a provisioning package**. 3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**. -After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package. +After your package has been applied, it shows up in the list of **Installed packages**. To view the package details or to remove the package from the device, select the listed package. ## What you can configure -Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). +Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://docs.microsoft.com/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers). -In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens. 
+In Windows Configuration Designer, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices). The following table describes settings that you might want to configure for HoloLens. ![Common runtime settings for HoloLens](images/icd-settings.png) @@ -187,9 +198,9 @@ In Windows Configuration Designer, when you create a provisioning package for Wi | **Certificates** | Deploy a certificate to HoloLens. | | **ConnectivityProfiles** | Deploy a Wi-Fi profile to HoloLens. | | **EditionUpgrade** | [Upgrade to Windows Holographic for Business.](hololens1-upgrade-enterprise.md) | -| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#hololenspolicies) | +| **Policies** | Allow or prevent developer mode on HoloLens. [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#hololenspolicies) | > [!NOTE] -> App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens. +> HoloLens does not currently support installing apps (**UniversalAppInstall**) by using a provisioning package. ## Next Step: [Enroll your device](hololens-enroll-mdm.md) diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index ef751d84d5..60d46d7e1c 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md 
@@ -1,5 +1,5 @@ --- -title: Reset or recover your HoloLens +title: Restart, reset, or recover HoloLens ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens. description: How to use Advanced Recovery Companion to flash an image to HoloLens 2. keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, arc, advanced recovery companion @@ -8,6 +8,9 @@ ms.sitesec: library author: mattzmsft ms.author: mazeller ms.date: 08/30/2019 +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article ms.localizationpriority: high manager: jarrettr @@ -18,9 +21,9 @@ appliesto: # Restart, reset, or recover HoloLens -If you’re experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery. +If you're experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery. -Here are some things to try if your HoloLens isn’t running well. This article will guide you through the recommended recovery steps in succession. +Here are some things to try if your HoloLens isn't running well. This article will guide you through the recommended recovery steps in succession. This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality. 
@@ -33,9 +36,9 @@ First, try restarting the device. The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens: 1. Put on your device -1. Make sure it’s powered on, a user is logged in, and the device is not waiting for a password to unlock it. -1. Say “Hey Cortana, reboot” or "Hey Cortana, restart." -1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say “Yes.” +1. Make sure it's powered on, a user is logged in, and the device is not waiting for a password to unlock it. +1. Say "Hey Cortana, reboot" or "Hey Cortana, restart." +1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say "Yes." 1. The device will now restart. ### Perform a safe restart by using the power button @@ -45,7 +48,7 @@ If you still can't restart your device, you can try to restart it by using the p 1. Press and hold the power button for five seconds. 1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left. 1. After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully. - 1. Note that it’s important to stop pressing the button immediately after all the LEDs have turned off. + 1. Note that it's important to stop pressing the button immediately after all the LEDs have turned off. 1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off. 1. Power on the device again by pressing and holding the power button for one second. 
@@ -66,18 +69,18 @@ If none of the previous methods are able to successfully restart your device, yo 1. Press and hold the power button for at least 10 seconds. - - It’s okay to hold the button for longer than 10 seconds. - - It’s safe to ignore any LED activity. + - It's okay to hold the button for longer than 10 seconds. + - It's safe to ignore any LED activity. 1. Release the button and wait for two or three seconds. 1. Power on the device again by pressing and holding the power button for one second. -If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device. +If you're still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device. ## Reset to factory settings > [!NOTE] > The battery needs at least 40 percent charge to reset. -If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. +If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that's installed on it and returns everything else to factory settings. If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth). 
@@ -109,10 +112,10 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper > [!TIP] > In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion: -1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed. -1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. -1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. -1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. +1. Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed. +1. Press and hold the **Volume Up and Power buttons** until the device reboots. Release the Power button, but continue to hold the Volume Up button until the third LED is lit. +1. The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device. +1. Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2. ### HoloLens (1st gen) 
@@ -120,7 +123,7 @@ If necessary, you can install a completely new operating system on your HoloLens Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed. -To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. +To use the tool, you'll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can't run this tool on a virtual machine. To recover your HoloLens @@ -128,4 +131,4 @@ To recover your HoloLens 1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens. 1. Run the Windows Device Recovery Tool and follow the instructions. -If the HoloLens (1st gen) isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. +If the HoloLens (1st gen) isn't automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md index f2a5d92512..737b6bcc0e 100644 --- a/devices/hololens/hololens-release-notes.md +++ b/devices/hololens/hololens-release-notes.md @@ -1,5 +1,5 @@ --- -title: What's new in Microsoft HoloLens +title: HoloLens release notes description: Learn about updates in each new HoloLens release. author: scooley ms.author: scooley @@ -9,6 +9,9 @@ ms.sitesec: library ms.topic: article ms.localizationpriority: medium ms.date: 12/02/2019 +ms.custom: +- CI 111456 +- CSSTroubleshooting audience: ITPro appliesto: - HoloLens 1 @@ -16,7 +19,7 @@ appliesto: --- -# HoloLens Release Notes +# HoloLens release notes ## HoloLens 2 
@@ -57,12 +60,12 @@ appliesto: | Feature | Details | |---|---| | **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) | -| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | +| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) | | **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. | -| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). | -| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | -| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | -| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. | +| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). | +| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | +| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. | +| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. | | **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. | | **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. | diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 6c370939da..6cfcb281b0 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -33,7 +33,7 @@ This document also assumes that the HoloLens has been evaluated by security team Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. It is also important to ensure that your security team has approved of the use of the HoloLens on the company's network. Please see [Frequently ask security questions](hololens-faq-security.md) for additional security information. -### Type of identity +### Type of Identity Determine the type of identity that will be used to sign into the device. 
@@ -41,6 +41,8 @@ Determine the type of identity that will be used to sign into the device. 2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device. 3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device. +For more detailed information about identity types, please visit our [HoloLens Identity](hololens-identity.md) article. + ### Type of Features Your feature requirements will determine which HoloLens you need. One popular feature that we see deployed in customer environments frequently is Kiosk Mode. A list of HoloLens key features, and the editions of HoloLens that support them, can be found [here](hololens-commercial-features.md). @@ -66,13 +68,15 @@ There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk m There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. -### Apps +### Apps and App Specific Scenarios The majority of the steps found in this document will also apply to the following apps: -1. Remote Assist -2. Guides -3. Customer Apps +| App | App Specific Scenarios | +| --- | --- | +| Remote Assist | [Cross Tenant Communication](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/cross-tenant-overview)| +| Guides | *Coming Soon* | +|Custom Apps | *Coming Soon* | ### Determine your enrollment method 
diff --git a/devices/hololens/hololens-spaces.md b/devices/hololens/hololens-spaces.md
index 26790eacca..485e56773e 100644
--- a/devices/hololens/hololens-spaces.md
+++ b/devices/hololens/hololens-spaces.md
@@ -1,9 +1,12 @@
 ---
-title: Mapping physical spaces with HoloLens
+title: Map physical spaces with HoloLens
 description: HoloLens learns what a space looks like over time. Users can facilitate this process by moving the HoloLens in certain ways through the space.
 ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
 author: dorreneb
 ms.author: dobrown
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
 ms.date: 09/16/2019
 keywords: hololens, Windows Mixed Reality, design, spatial mapping, HoloLens, surface reconstruction, mesh, head tracking, mapping
 ms.prod: hololens
@@ -15,14 +18,14 @@ appliesto: - HoloLens 2 --- -# Mapping physical spaces with HoloLens +# Map physical spaces with HoloLens HoloLens blends holograms with your physical world. To do that, HoloLens has to learn about the physical world around you and remember where you place holograms within that space. Over time, the HoloLens builds up a *spatial map* of the environment that it has seen. HoloLens updates the map as the environment changes. As long as you are logged in and the device is turned on, HoloLens creates and updates your spatial maps. If you hold or wear the device with the cameras pointed at a space, the HoloLens tries to map the area. While the HoloLens learns a space naturally over time, there are ways in which you can help HoloLens map your space more quickly and efficiently. > [!NOTE] -> If your HoloLens can’t map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won’t be able to place holograms in your surroundings. +> If your HoloLens can't map your space or is out of calibration, HoloLens may enter Limited mode. In Limited mode, you won't be able to place holograms in your surroundings. This article explains how HoloLens maps spaces, how to improve spatial mapping, and how to manage the spatial data that HoloLens collects. diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md index e6ccdbd207..a1209dd3c8 100644 --- a/devices/hololens/hololens-status.md +++ b/devices/hololens/hololens-status.md 
@@ -1,18 +1,21 @@ --- -title: HoloLens status +title: Status of the HoloLens services description: Shows the status of HoloLens online services. -author: todmccoy -ms.author: v-todmc +author: Teresa-Motiv +ms.author: v-tea ms.reviewer: luoreill manager: jarrettr audience: Admin +ms.custom: +- CI 111456 +- CSSTroubleshooting ms.topic: article ms.prod: hololens ms.localizationpriority: high ms.sitesec: library --- -# HoloLens status +# Status of the HoloLens services ✔️ **All services are active** diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md index 7102984f4c..b4d107902a 100644 --- a/devices/hololens/hololens-troubleshooting.md +++ b/devices/hololens/hololens-troubleshooting.md @@ -1,5 +1,5 @@ --- -title: HoloLens troubleshooting +title: Troubleshoot HoloLens issues description: Solutions for common HoloLens issues. author: mattzmsft ms.author: mazeller @@ -11,16 +11,19 @@ audience: ITPro ms.localizationpriority: medium keywords: issues, bug, troubleshoot, fix, help, support, HoloLens manager: jarrettr +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Troubleshooting HoloLens issues +# Troubleshoot HoloLens issues This article describes how to resolve several common HoloLens issues. -## My HoloLens is unresponsive or won’t start +## My HoloLens is unresponsive or won't start If your HoloLens won't start: 
@@ -35,59 +38,59 @@ If these steps don't work, you can try [recovering your device](hololens-recover ## Holograms don't look good -If your holograms are unstable, jumpy, or don’t look right, try: +If your holograms are unstable, jumpy, or don't look right, try: - Cleaning your device visor and sensor bar on the front of your HoloLens. - Increasing the light in your room. - Walking around and looking at your surroundings so that HoloLens can scan them more completely. - Calibrating your HoloLens for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**. -## HoloLens doesn’t respond to gestures +## HoloLens doesn't respond to gestures To make sure that HoloLens can see your gestures. Keep your hand in the gesture frame - when HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about using gestures on [HoloLens (1st gen)](hololens1-basic-usage.md#use-hololens-with-your-hands) or [HoloLens 2](hololens2-basic-usage.md#the-hand-tracking-frame). -If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light. +If your environment is too dark, HoloLens might not see your hand, so make sure that there's enough light. If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently. -## HoloLens doesn’t respond to my voice commands +## HoloLens doesn't respond to my voice commands -If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). +If Cortana isn't responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. 
To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). -## I can’t place holograms or see holograms that I previously placed +## I can't place holograms or see holograms that I previously placed -If HoloLens can’t map or load your space, it enters Limited mode and you won’t be able to place holograms or see holograms that you’ve placed. Here are some things to try: +If HoloLens can't map or load your space, it enters Limited mode and you won't be able to place holograms or see holograms that you've placed. Here are some things to try: -- Make sure that there’s enough light in your environment so HoloLens can see and map the space. -- Make sure that you’re connected to a Wi-Fi network. If you’re not connected to Wi-Fi, HoloLens can’t identify and load a known space. +- Make sure that there's enough light in your environment so HoloLens can see and map the space. +- Make sure that you're connected to a Wi-Fi network. If you're not connected to Wi-Fi, HoloLens can't identify and load a known space. - If you need to create a new space, connect to Wi-Fi, then restart your HoloLens. - To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**. -- If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space. +- If the correct space is loaded and you're still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space. 
-## My HoloLens can’t tell what space I’m in +## My HoloLens can't tell what space I'm in -If your HoloLens can’t identify and load the space you’re in automatically, check the following factors: +If your HoloLens can't identify and load the space you're in automatically, check the following factors: -- Make sure that you’re connected to Wi-Fi -- Make sure that there’s plenty of light in the room -- Make sure that there haven’t been any major changes to the surroundings. +- Make sure that you're connected to Wi-Fi +- Make sure that there's plenty of light in the room +- Make sure that there haven't been any major changes to the surroundings. You can also load a space manually or manage your spaces by going to **Settings** > **System** > **Spaces**. -## I’m getting a “low disk space” error +## I'm getting a "low disk space" error -You’ll need to free up some storage space by doing one or more of the following: +You'll need to free up some storage space by doing one or more of the following: - Delete some unused spaces. Go to **Settings** > **System** > **Spaces**, select a space that you no longer need, and then select **Remove**. -- Remove some of the holograms that you’ve placed. +- Remove some of the holograms that you've placed. - Delete some pictures and videos from the Photos app. - Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, and then select **Uninstall**. -## My HoloLens can’t create a new space +## My HoloLens can't create a new space -The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. +The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. ## The HoloLens emulators isn't working 
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index f07302aa07..561eb79861 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -1,5 +1,5 @@ --- -title: Managing updates to HoloLens +title: Manage HoloLens updates description: Administrators can use mobile device management to manage updates to HoloLens devices. ms.prod: hololens ms.sitesec: library @@ -11,12 +11,15 @@ ms.localizationpriority: high ms.date: 11/7/2019 ms.reviewer: jarrettr manager: jarrettr +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens (1st gen) - HoloLens 2 --- -# Managing HoloLens updates +# Manage HoloLens updates HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet. diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md deleted file mode 100644 index 064d470afc..0000000000 --- a/devices/hololens/hololens-whats-new.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: What's new in Microsoft HoloLens (HoloLens) -description: Windows Holographic for Business gets new features in Windows 10, version 1809. -ms.prod: hololens -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.topic: article -ms.localizationpriority: medium -ms.date: 11/13/2018 -ms.reviewer: -manager: dansimp ---- - -# What's new in Microsoft HoloLens - -## Windows 10, version 1809 for Microsoft HoloLens - -> **Applies to:** Hololens (1st gen) - -### For everyone - -| Feature | Details | -|---|---| -| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) | -| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | -| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. | -| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). | -| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | -| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | -| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. | -| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. | -| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. | - -### For administrators - -| Feature | Details | -|---|----| -| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. | -| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | -| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | -| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  | -| Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. | -| Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. | - -### For international customers - -Feature | Details ---- | --- -Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. -Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. - -[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) - -## Windows 10, version 1803 for Microsoft HoloLens - -> **Applies to:** Hololens (1st gen) - -Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: - -- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md). - -- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq). 
- -- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard). - - ![Provisioning HoloLens devices](images/provision-hololens-devices.png) - -- When you create a local account in a provisioning package, the password no longer expires every 42 days. - -- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes. - -- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens. - -- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically. - -- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business. - -- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts. - -- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting. - -- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). 
You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly. - -- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report. diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md index 9c56ec9d8c..955eec82e6 100644 --- a/devices/hololens/hololens2-language-support.md +++ b/devices/hololens/hololens2-language-support.md @@ -7,7 +7,11 @@ author: Teresa-Motiv ms.author: v-tea ms.topic: article ms.localizationpriority: medium -ms.date: 9/12/2019 +ms.custom: +- CI 115225 +- CSSTroubleshooting +keywords: localize, language support, display language, keyboard language, IME, keyboard layout +ms.date: 03/12/2020 audience: ITPro ms.reviewer: jarrettr manager: jarrettr @@ -17,7 +21,7 @@ appliesto: # Supported languages for HoloLens 2 -HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps. +HoloLens 2 is localized into the following languages. The localization features include speech commands and dictation, keyboard layouts, and OCR recognition within apps. - Chinese Simplified (China) - English (Australia) 
@@ -31,43 +35,43 @@ HoloLens 2 supports the following languages, including voice commands and dictat - Japanese (Japan) - Spanish (Spain) -HoloLens 2 is also available in the following languages. However, this support does not include speech commands or dictation features. +HoloLens 2 also supports the following languages. However, this support does not include speech commands or dictation features. - Chinese Traditional (Taiwan and Hong Kong) - Dutch (Netherlands) - Korean (Korea) -## Changing language or keyboard - -The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**. - -> [!NOTE] -> Your speech and dictation language depends on the Windows display language. - -## To change the Windows display language - -1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**. -2. Select **Windows display language**, and then select a language. - -If the supported language you’re looking for is not in the menu, follow these steps: - -1. Under **Preferred languages** select **Add a language**. -2. Search for and add the language. -3. Select the **Windows display language** menu again and choose the language you added. - -The Windows display language affects the following settings for Windows and for apps that support localization: +Some features of HoloLens 2 use the Windows display language. The Windows display language affects the following settings for Windows and for apps that support localization: - The user interface text language. - The speech language. - The default layout of the on-screen keyboard. -## To change the keyboard layout +## Change the language or keyboard layout -To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**. +The setup process configures your HoloLens for a specific region and language. 
You can change this configuration by using the **Time & language** section of **Settings**. + +> [!NOTE] +> Your speech and dictation language depends on (and is the same as) the Windows display language. + +### To change the Windows display language + +1. Open the **Start** menu, and then select **Settings** > **Time and language** > **Language**. +2. Select **Windows display language**, and then select a language. + +If the supported language that you're looking for is not in the menu, follow these steps: + +1. Under **Preferred languages**, select **Add a language**. +2. Locater and add the language. +3. Select the **Windows display language** menu again, and then select the language that you added in the previous step. + +### To change the keyboard layout + +To add or remove a keyboard layout, open the **Start** menu, and then select **Settings** > **Time & language** > **Keyboard**. If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard. -> [!NOTE] +> [!NOTE] > The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME. -> -> While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~. +> +> While you use IME together with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press the tilde character button (**~**). diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 0bebe66485..47862d7138 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md 
@@ -1,6 +1,6 @@
 ---
 title: Microsoft HoloLens
-description: Landing page Microsoft HoloLens.
+description: Landing page for Microsoft HoloLens.
 ms.prod: hololens
 ms.sitesec: library
 ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040
@@ -10,8 +10,11 @@ ms.topic: article
 ms.localizationpriority: medium
 ms.date: 10/14/2019
 audience: ITPro
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
 appliesto:
-- HoloLens 1
+- HoloLens (1st gen)
 - HoloLens 2
 ---
diff --git a/devices/hololens/scep-whitepaper.md b/devices/hololens/scep-whitepaper.md
index 06b7527960..ee0915b54b 100644
--- a/devices/hololens/scep-whitepaper.md
+++ b/devices/hololens/scep-whitepaper.md
@@ -11,20 +11,23 @@ ms.sitesec: library ms.topic: article audience: ITPro ms.localizationpriority: high +ms.custom: +- CI 111456 +- CSSTroubleshooting appliesto: - HoloLens 1 (1st gen) - HoloLens 2 --- -# SCEP Whitepaper +# SCEP whitepaper ## High Level ### How the SCEP Challenge PW is secured -We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. +We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we've configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes. -We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. If any portion of this check fails then the certificate request is rejected. +We then pass that to the device and then the device generates it's CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert. 
If any portion of this check fails then the certificate request is rejected. ## Behind the scenes @@ -72,6 +75,6 @@ We then pass that to the device and then the device generates it’s CSR and pas 1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup. - 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. + 1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial, also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors' SC_Online_Issuing certificate from Intune. Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won't be any requests to process. We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet. 1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications. diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index 6d7d33415f..d8d0269900 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md 
@@ -90,7 +90,7 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a 1. Use the power switch to turn the Surface Hub back on. The device starts and displays the Surface Hub Logo screen. When you see spinning dots under the Surface Hub Logo, use the power switch to turn the Surface Hub off again. -1. Repeat step 3 three times, or until the Surface Hub displays the “Preparing Automatic Repair” message. After it displays this message, the Surface Hub displays the Windows RE screen. +1. Repeat step 3 three times, or until the Surface Hub displays the "Preparing Automatic Repair" message. After it displays this message, the Surface Hub displays the Windows RE screen. 1. Select **Advanced Options**. @@ -115,6 +115,12 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a ![downloading 97&](images/recover-progress.png) When the download finishes, the recovery process restores the Surface Hub according to the options that you selected. + + +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). + ## Related topics diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md deleted file mode 100644 index f60588a000..0000000000 --- a/devices/surface-hub/index.md +++ /dev/null 
@@ -1,182 +0,0 @@ ---- -title: Surface Hub -author: greg-lindsay -ms.author: greglin -manager: laurawi -layout: LandingPage -ms.prod: surface-hub -ms.tgt_pltfrm: na -ms.devlang: na -ms.topic: landing-page -description: "Get started with Microsoft Surface Hub." -ms.localizationpriority: High ---- -# Get started with Surface Hub - -Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Use the links below to learn how to plan, deploy, manage, and support your Surface Hub devices. - - - - - ---- - - \ No newline at end of file diff --git a/devices/surface-hub/index.yml b/devices/surface-hub/index.yml new file mode 100644 index 0000000000..7f4e46228a --- /dev/null +++ b/devices/surface-hub/index.yml 
@@ -0,0 +1,127 @@
+### YamlMime:Hub
+
+title: Surface Hub documentation # < 60 chars
+summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device. # < 160 chars
+# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin
+brand: windows
+
+metadata:
+ title: Surface Hub documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Get started with Microsoft Surface Hub. # Required; article description that is displayed in search results. < 160 chars.
+ services: product-insights
+ ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.topic: hub-page # Required
+ ms.prod: surface-hub
+ ms.technology: windows
+ audience: ITPro
+ ms.localizationpriority: medium
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ manager: laurawi
+
+# highlightedContent section (optional)
+# Maximum of 8 items
+highlightedContent:
+# itemType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+ items:
+ # Card
+ - title: What is Surface Hub 2S?
+ itemType: overview
+ url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099
+ # Card
+ - title: What's new in Surface Hub 2S?
+ itemType: whats-new
+ url: surface-hub-2s-whats-new.md
+ # Card
+ - title: Operating system essentials
+ itemType: learn
+ url: differences-between-surface-hub-and-windows-10-enterprise.md
+ # Card
+ - title: Surface Hub 2S Site Readiness Guide
+ itemType: learn
+ url: surface-hub-2s-site-readiness-guide.md
+ # Card
+ - title: Install and mount Surface Hub 2S
+ itemType: how-to-guide
+ url: surface-hub-2s-install-mount.md
+ # Card
+ - title: Customize Surface Hub 2S installation
+ itemType: how-to-guide
+ url: surface-hub-2s-custom-install.md
+
+# productDirectory section (optional)
+productDirectory:
+ title: Deploy, manage, and support your Surface Hub devices # < 60 chars (optional)
+ summary: Find related links to deploy, manage and support your Surface Hub devices. # < 160 chars (optional)
+ items:
+ # Card
+ - title: Deploy
+ # imageSrc should be square in ratio with no whitespace
+ imageSrc: https://docs.microsoft.com/office/media/icons/deploy-blue.svg
+ links:
+ - url: surface-hub-2s-adoption-kit.md
+ text: Surface Hub 2S adoption and training
+ - url: surface-hub-2s-deploy-checklist.md
+ text: Surface Hub 2S deployment checklist
+ - url: surface-hub-2s-account.md
+ text: Create device account
+ # Card
+ - title: Manage
+ imageSrc: https://docs.microsoft.com/office/media/icons/process-flow-blue.svg
+ links:
+ - url: surface-hub-2s-manage-intune.md
+ text: Manage with Intune
+ - url: local-management-surface-hub-settings.md
+ text: Manage local settings
+ # Card
+ - title: Secure
+ imageSrc: https://docs.microsoft.com/office/media/icons/security-blue.svg
+ links:
+ - url: surface-hub-2s-secure-with-uefi-semm.md
+ text: Secure with UEFI and SEMM
+ - url: surface-hub-wifi-direct.md
+ text: Wi-Fi security considerations
+ # Card
+ - title: Troubleshoot
+ imageSrc: https://docs.microsoft.com/office/media/icons/connector-blue.svg
+ links:
+ - url: https://support.microsoft.com/help/4493926
+ text: Service and warranty
+ - url: surface-hub-2s-recover-reset.md
+ text: Recover & reset Surface Hub 2S
+ - url: support-solutions-surface-hub.md
+ text: Surface Hub support solutions
+ - url: https://support.office.com/article/Enable-Microsoft-Whiteboard-on-Surface-Hub-b5df4539-f735-42ff-b22a-0f5e21be7627
+ text: Enable Microsoft Whiteboard on Surface Hub
+
+# additionalContent section (optional)
+# Card with links style
+additionalContent:
+ # Supports up to 3 sections
+ sections:
+ - title: Other content # < 60 chars (optional)
+ summary: Find related links for videos, community and support. # < 160 chars (optional)
+ items:
+ # Card
+ - title: Get ready for Surface Hub 2S
+ links:
+ - text: Ordering Surface Hub 2S
+ url: https://www.microsoft.com/p/surface-hub-2S/8P62MW6BN9G4?activetab=pivot:overviewtab
+ - text: Prepare your environment for Surface Hub 2S
+ url: surface-hub-2s-prepare-environment.md
+ # Card
+ - title: Surface Hub 2S Videos
+ links:
+ - text: Adoption and training videos
+ url: surface-hub-2s-adoption-videos.md
+ - text: Surface Hub 2S with Teams
+ url: https://www.youtube.com/watch?v=CH2seLS5Wb0
+ - text: Surface Hub 2S with Microsoft 365
+ url: https://www.youtube.com/watch?v=I4N2lQX4WyI&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ&index=7
+ # Card
+ - title: Community
+ links:
+ - text: Join the Surface Hub Technical Community
+ url: https://techcommunity.microsoft.com/t5/Surface-Hub/bd-p/SurfaceHub
+ - text: Join the Surface Devices Technical Community
+ url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
index 9517857676..eb33f483d6 100644
--- a/devices/surface-hub/miracast-troubleshooting.md
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -21,13 +21,13 @@ In traditional Miracast, the projecting device will connect the access point set - The first step is an initial connection using 2.4GHz. - After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings. -There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub’s location. Running a network scanning tool will show you the available networks and channel usage in the environment. +There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub's location. Running a network scanning tool will show you the available networks and channel usage in the environment. ## Connect issues Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub. -If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub’s Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. +If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub's Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. 
For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan. @@ -42,7 +42,7 @@ It is also a good idea to ensure the latest drivers and updates are installed on Next, ensure Miracast is supported on the device. 1. Press Windows Key + R and type `dxdiag`. -2. Click “Save all information”. +2. Click "Save all information". 3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**. ### Check firewall @@ -63,7 +63,7 @@ On domain-joined devices, Group Policy can also block Miracast. ### Check event logs -The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub’s Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. +The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub's Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. ## Performance issues 
@@ -75,7 +75,10 @@ Channel switching is caused when the Wi-Fi adapter needs to send traffic to mult If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection. -Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub’s Miracast channel to the same channel as the most commonly used access point. +Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub's Miracast channel to the same channel as the most commonly used access point. If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date. +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index 1aaeb331ee..c36d53f1f6 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md 
@@ -50,22 +50,26 @@ To ensure optimal video and audio quality on Surface Hub 2S, add the following Q |**Name**|**Description**|**OMA-URI**|**Type**|**Value**| |:------ |:------------- |:--------- |:------ |:------- | -|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DestinationPortMatchCondition | String | 3478-3479 | -|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | -|**Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DestinationPortMatchCondition | String | 3480 | -|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | +|**Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DestinationPortMatchCondition | String | 3478-3479 | +|**Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsAudio/DSCPAction | Integer | 46 | +|**Video Port**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DestinationPortMatchCondition | String | 3480 | +|**Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsVideo/DSCPAction | Integer | 34 | +|**P2P Audio Ports**| Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DestinationPortMatchCondition | String | 50000-50019 | +|**P2P Audio DSCP**| Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PAudio/DSCPAction | Integer | 46 | +|**P2P Video Ports**| Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DestinationPortMatchCondition | String | 50020-50039 | +|**P2P Video DSCP**| Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/TeamsP2PVideo/DSCPAction | Integer | 34 | ### Skype for Business QoS settings | Name | Description | OMA-URI | Type | Value | | ------------------ | ------------------- | ------------------------------------------------------------------------ | ------- | 
------------------------------ | -| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/SourcePortMatchCondition | String | 50000-50019 | -| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/DSCPAction | Integer | 46 | -| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | -| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/SourcePortMatchCondition | String | 50020-50039 | -| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/DSCPAction | Integer | 34 | -| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/HubVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | +| Audio Ports | Audio Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/SourcePortMatchCondition | String | 50000-50019 | +| Audio DSCP | Audio ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/DSCPAction | Integer | 46 | +| Audio Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBAudio/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | +| Video Ports | Video Port range | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/SourcePortMatchCondition | String | 50020-50039 | +| Video DSCP | Video ports marking | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/DSCPAction | Integer | 34 | +| Video Media Source | Skype App name | ./Device/Vendor/MSFT/NetworkQoSPolicy/SfBVideo/AppPathNameMatchCondition | String | Microsoft.PPISkype.Windows.exe | > [!NOTE] > Both tables show default port ranges. Administrators may change the port ranges in the Skype for Business and Teams control panel. diff --git a/devices/surface-hub/surface-hub-2s-recover-reset.md b/devices/surface-hub/surface-hub-2s-recover-reset.md index 1f0e98f92b..7493e10c3c 100644 
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md +++ b/devices/surface-hub/surface-hub-2s-recover-reset.md @@ -69,3 +69,7 @@ At the end of a session, Surface Hub 2S may occasionally encounter an error duri > [!NOTE] > To enter recovery mode, unplug the power cord and plug it in again three times. + +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index af6809a477..cf02da1a6e 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -456,15 +456,15 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x80072EFD

WININET_E_CANNOT_CONNECT

-

Can’t connect to the server right now. Wait a while and try again, or check the account settings.

+

Can't connect to the server right now. Wait a while and try again, or check the account settings.

Verify that the server name is correct and reachable. Verify that the device is connected to the network.

0x86000C29

-

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don’t match)

+

E_NEXUS_STATUS_DEVICE_NOTPROVISIONED (policies don't match)

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

+

We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.

0x86000C4C

@@ -475,7 +475,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x86000C0A

E_NEXUS_STATUS_SERVERERROR_RETRYLATER

-

Can’t connect to the server right now.

+

Can't connect to the server right now.

Wait until the server comes back online. If the issue persists, re-provision the account.

@@ -487,7 +487,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x8505000D

E_AIRSYNC_RESET_RETRY

-

Can’t connect to the server right now. Wait a while or check the account’s settings.

+

Can't connect to the server right now. Wait a while or check the account's settings.

This is normally a transient error but if the issue persists check the number of devices associated with the account and delete some of them if the number is large.

@@ -499,13 +499,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x85010004

E_HTTP_FORBIDDEN

-

Can’t connect to the server right now. Wait a while and try again, or check the account’s settings.

+

Can't connect to the server right now. Wait a while and try again, or check the account's settings.

Verify the server name to make sure it is correct. If the account is using cert based authentication make sure the certificate is still valid and update it if not.

0x85030028

E_ACTIVESYNC_PASSWORD_OR_GETCERT

-

The account’s password or client certificate are missing or invalid.

+

The account's password or client certificate are missing or invalid.

Update the password and/or deploy the client certificate.

@@ -523,7 +523,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x80072EE2

WININET_E_TIMEOUT

-

The network doesn’t support the minimum idle timeout required to receive server notification, or the server is offline.

+

The network doesn't support the minimum idle timeout required to receive server notification, or the server is offline.

Verify that the server is running. Verify the NAT settings.

@@ -535,13 +535,13 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x85010017

E_HTTP_SERVICE_UNAVAIL

-

Can’t connect to the server right now. Wait a while or check the account’s settings.

+

Can't connect to the server right now. Wait a while or check the account's settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

0x86000C0D

E_NEXUS_STATUS_MAILBOX_SERVEROFFLINE

-

Can’t connect to the server right now. Wait a while or check the account’s settings.

+

Can't connect to the server right now. Wait a while or check the account's settings.

Verify the server name to make sure it is correct. Wait until the server comes back online. If the issue persists, re-provision the account.

@@ -555,7 +555,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

E_NEXUS_STATUS_INVALID_POLICYKEY

The account is configured with policies not compatible with Surface Hub.

Disable the PasswordEnabled policy for this account.

-

We have a bug were we may surface policy errors if the account doesn’t receive any server notifications within the policy refresh interval.

+

We have a bug were we may surface policy errors if the account doesn't receive any server notifications within the policy refresh interval.

0x85010005

@@ -566,7 +566,7 @@ This section lists status codes, mapping, user messages, and actions an admin ca

0x85010014

E_HTTP_SERVER_ERROR

-

Can’t connect to the server.

+

Can't connect to the server.

Verify the server name to make sure it is correct. Trigger a sync and, if the issue persists, re-provision the account.

@@ -602,7 +602,10 @@ This section lists status codes, mapping, user messages, and actions an admin ca -  +## Contact Support + +If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection). +   ## Related content diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 86ad0dd85e..7245176edd 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -1,6 +1,6 @@ # [Surface](index.yml) -## [Get started](get-started.md) +## [Surface devices documentation](get-started.yml) ## Overview diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md deleted file mode 100644 index c81e994d70..0000000000 --- a/devices/surface/get-started.md +++ /dev/null @@ -1,169 +0,0 @@ ---- -title: Get started with Surface devices -author: greg-lindsay -ms.author: greglin -manager: laurawi -layout: LandingPage -ms.assetid: -ms.audience: itpro -ms.tgt_pltfrm: na -ms.devlang: na -ms.topic: landing-page -description: "Get started with Microsoft Surface devices" -ms.localizationpriority: High ---- -# Get started with Surface devices - -Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface for Business devices in your organization. - -
- - ---- - - \ No newline at end of file diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml new file mode 100644 index 0000000000..edb22aac8c --- /dev/null +++ b/devices/surface/get-started.yml 
@@ -0,0 +1,122 @@
+### YamlMime:Landing
+
+title: Surface devices documentation # < 60 chars
+summary: Harness the power of Surface, Windows, and Office connected together through the cloud. # < 160 chars
+
+metadata:
+ title: Surface devices documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Get started with Microsoft Surface devices # Required; article description that is displayed in search results. < 160 chars.
+ ms.service: product-insights #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.topic: landing-page # Required
+ manager: laurawi
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ audience: itpro
+ ms.localizationpriority: High
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: Surface devices
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Surface Pro 7 for Business
+ url: https://www.microsoft.com/surface/business/surface-pro-7
+ - text: Surface Pro X for Business
+ url: https://www.microsoft.com/surface/business/surface-pro-x
+ - text: Surface Laptop 3 for Business
+ url: https://www.microsoft.com/surface/business/surface-laptop-3
+ - text: Surface Book 2 for Business
+ url: https://www.microsoft.com/surface/business/surface-book-2
+ - text: Surface Studio 2 for Business
+ url: https://www.microsoft.com/surface/business/surface-studio-2
+ - text: Surface Go
+ url: https://www.microsoft.com/surface/business/surface-go
+ - linkListType: video
+ links:
+ - text: Microsoft Mechanics Surface videos
+ url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
+
+ # Card (optional)
+ - title: Get started
+ linkLists:
+ - linkListType: get-started
+ links:
+ - text: Surface and Endpoint Configuration Manager considerations
+ url: considerations-for-surface-and-system-center-configuration-manager.md
+ - text: Wake On LAN for Surface devices
+ url: wake-on-lan-for-surface-devices.md
+
+ # Card
+ - title: Deploy Surface devices
+ linkLists:
+ - linkListType: deploy
+ links:
+ - text: Manage and deploy Surface driver and firmware updates
+ url: manage-surface-driver-and-firmware-updates.md
+ - text: Autopilot and Surface devices
+ url: windows-autopilot-and-surface-devices.md
+ - text: Deploying, managing, and servicing Surface Pro X
+ url: surface-pro-arm-app-management.md
+
+ # Card
+ - title: Manage Surface devices
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Optimize Wi-Fi connectivity for Surface devices
+ url: surface-wireless-connect.md
+ - text: Best practice power settings for Surface devices
+ url: maintain-optimal-power-settings-on-Surface-devices.md
+ - text: Manage battery limit with UEFI
+ url: battery-limit.md
+
+ # Card
+ - title: Secure Surface devices
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Intune management of Surface UEFI settings
+ url: surface-manage-dfci-guide.md
+ - text: Surface Enterprise Management Mode (SEMM)
+ url: surface-enterprise-management-mode.md
+ - text: Surface Data Eraser tool
+ url: microsoft-surface-data-eraser.md
+
+ # Card
+ - title: Discover Surface tools
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Surface Dock Firmware Update
+ url: surface-dock-firmware-update.md
+ - text: Surface Diagnostic Toolkit for Business
+ url: surface-diagnostic-toolkit-for-business-intro.md
+ - text: SEMM and UEFI
+ url: surface-enterprise-management-mode.md
+ - text: Surface Brightness Control
+ url: microsoft-surface-brightness-control.md
+ - text: Battery Limit setting
+ url: battery-limit.md
+
+ # Card
+ - title: Support and community
+ linkLists:
+ - linkListType: learn
+ links:
+ - text: Top support solutions
+ url: support-solutions-surface.md
+ - text: Maximize your Surface battery life
+ url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life
+ - text: Troubleshoot Surface Dock and docking stations
+ url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations
+ - linkListType: reference
+ links:
+ - text: Surface IT Pro blog
+ url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
+ - text: Surface Devices Tech Community
+ url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md
index df0d5c2874..e2913ed910 100644
--- a/devices/surface/manage-surface-driver-and-firmware-updates.md
+++ b/devices/surface/manage-surface-driver-and-firmware-updates.md
@@ -14,18 +14,17 @@ author: dansimp ms.author: dansimp ms.topic: article ms.audience: itpro -ms.date: 01/24/2020 +ms.date: 03/10/2020 --- # Manage and deploy Surface driver and firmware updates - -How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distributing updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network. +How you manage Surface driver and firmware updates varies depending on your environment and organizational requirements. On Surface devices, firmware is exposed to the operating system as a driver and is visible in Device Manager, enabling device firmware and drivers to be automatically updated using Windows Update or Windows Update for Business. Although this simplified approach may be feasible for startups and small or medium-sized businesses, larger organizations typically need IT admins to distribute updates internally. This may involve comprehensive planning, application compatibility testing, piloting and validating updates, before final approval and distribution across the network. > [!NOTE] > This article is intended for technical support agents and IT professionals and applies to Surface devices only. If you're looking for help to install Surface updates or firmware on a home device, see [Update Surface firmware and Windows 10](https://support.microsoft.com/help/4023505). 
-While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for maintaining the stability of your production environment and enabling users to stay productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals. +While enterprise-grade software distribution solutions continue to evolve, the business rationale for centrally managing updates remains the same: Maintain the security of Surface devices and keep them updated with the latest operating system and feature improvements. This is essential for sustaining a stable production environment and ensuring users aren't blocked from being productive. This article provides an overview of recommended tools and processes for larger organizations to accomplish these goals. ## Central update management in commercial environments @@ -33,7 +32,7 @@ Microsoft has streamlined tools for managing devices – including driver and fi ### Manage updates with Configuration Manager and Intune -Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. +Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Surface firmware and driver updates with the Configuration Manager client. Integration with Microsoft Intune lets you see all your managed, co-managed, and partner-managed devices in one place. This is the recommended solution for large organizations to manage Surface updates. For detailed steps, see the following resources: 
@@ -44,38 +43,42 @@ For detailed steps, see the following resources: ### Manage updates with Microsoft Deployment Toolkit -Included in Microsoft Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. MDT includes the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). +Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259). For detailed steps, see the following resources: -Surface driver and firmware updates are packaged as Windows Installer (MSI) files. To deploy these Windows Installer packages, you can use application deployment utilities such as the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. Such solutions provide the means for administrators to test and review updates before deploying them, and to centralize deployment. For each device, it is important to select the correct MSI file for the device and its operating system. For more information see [Deploy the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). 
- -For instructions on how to deploy updates by using Microsoft Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). - [Microsoft Deployment Toolkit documentation](https://docs.microsoft.com/configmgr/mdt/) - [Deploy Windows 10 with the Microsoft Deployment Toolkit](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit) -- [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt) +- [Deploy Windows 10 to Surface devices with Microsoft Deployment Toolkit](https://docs.microsoft.com/surface/deploy-windows-10-to-surface-devices-with-mdt) + +Surface driver and firmware updates are packaged as Windows Installer (*.msi) files. To deploy these Windows Installer packages, you can use Endpoint Configuration Manager or MDT. For information about selecting the correct .msi file for a device and operating system, refer to the guidance below about downloading .msi files. + +For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt). + **WindowsPE and Surface firmware and drivers** -Microsoft Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. 
WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. +Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase. -### Microsoft Endpoint Configuration Manager +### Endpoint Configuration Manager + +Starting in Endpoint Configuration Manager, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager). -Starting in Microsoft Endpoint Configuration Manager, you can synchronize and deploy Microsoft Surface firmware and driver updates by using the Configuration Manager client. The process resembles that for deploying regular updates. For additional information, see KB 4098906, [How to manage Surface driver updates in Configuration Manager](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager). ## Supported devices -Downloadable MSI files are available for Surface devices from Surface Pro 2 and later. Information about MSI files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. 
+ +Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release. ## Managing firmware with DFCI + With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see: - - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide) - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). ## Best practices for update deployment processes -To maintain a stable environment and keep users productive, it’s strongly recommended to maintain parity with the most recent version of Windows 10. For best practice recommendations, see [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). +To maintain a stable environment, it's strongly recommended to maintain parity with the most recent version of Windows 10. For best practice recommendations, see [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates). ## Downloadable Surface update packages 
@@ -93,6 +96,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re ### Downloading .msi files + 1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center. 2. Select the .msi file name that matches the Surface model and version of Windows. The .msi file name includes the minimum supported Windows build number required to install the drivers and firmware. For example, as shown in the following figure, to update a Surface Book 2 with build 18362 of Windows 10, choose **SurfaceBook2_Win10_18362_19.101.13994.msi.** For a Surface Book 2 with build 16299 of Windows 10, choose **SurfaceBook2_Win10_16299_1803509_3.msi**. @@ -102,6 +106,7 @@ Specific versions of Windows 10 have separate .msi files, each containing all re ### Surface .msi naming convention + Since August 2019, .msi files have used the following naming convention: - *Product*_*Windows release*_*Windows build number*_*Version number*_*Revision of version number (typically zero)*. diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index dbcb9648b0..f74ee76e83 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -9,7 +9,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 10/31/2019 +ms.date: 03/09/2020 ms.reviewer: manager: dansimp ms.localizationpriority: medium 
@@ -24,18 +24,15 @@ System Model and System SKU are variables that are stored in the System Manageme | Device | System Model | System SKU | | ---------- | ----------- | -------------- | -| AMD Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1873 | -| Surface Laptop 3 | Surface 3 | Surface_Laptop_3_1867:1868 | -| Surface Laptop 3 | Surface 3 | Surface_3 | Surface 3 WiFI | Surface 3 | Surface_3 | | Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 | | Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 | | Surface 3 LTE North America | Surface 3 | Surface_3_NAG | -| Surface 3 LTE Outside of North America and Y!mobile In Japan | Surface 3 | Surface_3_ROW | +| Surface 3 LTE outside of North America and Y!mobile in Japan | Surface 3 | Surface_3_ROW | | Surface Pro | Surface Pro | Surface_Pro_1796 | | Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 | -| Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 | -| Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | +| Surface Book 2 13" | Surface Book 2 | Surface_Book_1832 | +| Surface Book 2 15" | Surface Book 2 | Surface_Book_1793 | | Surface Go LTE Consumer | Surface Go | Surface_Go_1825_Consumer | | Surface Go LTE Commercial | System Go | Surface_Go_1825_Commercial | | Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | diff --git a/mdop/appv-v5/about-app-v-51-reporting.md b/mdop/appv-v5/about-app-v-51-reporting.md index b37f88f1db..381a1231a7 100644 --- a/mdop/appv-v5/about-app-v-51-reporting.md +++ b/mdop/appv-v5/about-app-v-51-reporting.md 
@@ -16,36 +16,32 @@ ms.date: 08/30/2016 # About App-V 5.1 Reporting - Microsoft Application Virtualization (App-V) 5.1 includes a built-in reporting feature that helps you collect information about computers running the App-V 5.1 client as well as information about virtual application package usage. You can use this information to generate reports from a centralized database. ## App-V 5.1 Reporting Overview - The following list displays the end–to-end high-level workflow for reporting in App-V 5.1. -1. The App-V 5.1 Reporting server has the following prerequisites: +1. The App-V 5.1 Reporting server has the following prerequisites: - - Internet Information Service (IIS) web server role + - Internet Information Service (IIS) web server role - - Windows Authentication role (under **IIS / Security**) + - Windows Authentication role (under **IIS / Security**) - - SQL Server installed and running with SQL Server Reporting Services (SSRS) + - SQL Server installed and running with SQL Server Reporting Services (SSRS) To confirm SQL Server Reporting Services is running, view `http://localhost/Reports` in a web browser as administrator on the server that will host App-V 5.1 Reporting. The SQL Server Reporting Services Home page should display. -2. Install the App-V 5.1 reporting server and associated database. For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server. +2. Install the App-V 5.1 reporting server and associated database. 
For more information about installing the reporting server see [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md). Configure the time when the computer running the App-V 5.1 client should send data to the reporting server. -3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined appvshort Reports from the Download Center at . +3. If you are not using an electronic software distribution system such as Configuration Manager to view reports then you can define reports in SQL Server Reporting Service. Download predefined SSRS Reports from the [Download Center](https://go.microsoft.com/fwlink/?LinkId=397255). - **Note**   - If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1. + > [!NOTE] + > If you are using the Configuration Manager integration with App-V 5.1, most reports are generated from Configuration Manager rather than from App-V 5.1. - +4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting: -4. After importing the App-V 5.1 PowerShell module using `Import-Module AppvClient` as administrator, enable the App-V 5.1 client. This sample PowerShell cmdlet enables App-V 5.1 reporting: - - ``` syntax + ```powershell Set-AppvClientConfiguration –reportingserverurl : -reportingenabled 1 – ReportingStartTime <0-23> - ReportingRandomDelay <#min> ``` 
@@ -53,18 +49,14 @@ The following list displays the end–to-end high-level workflow for reporting i For more information about installing the App-V 5.1 client with reporting enabled see [About Client Configuration Settings](about-client-configuration-settings51.md). To administer App-V 5.1 Reporting with Windows PowerShell, see [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md). -5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client. +5. After the reporting server receives the data from the App-V 5.1 client it sends the data to the reporting database. When the database receives and processes the client data, a successful reply is sent to the reporting server and then a notification is sent to the App-V 5.1 client. -6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space. +6. When the App-V 5.1 client receives the success notification, it empties the data cache to conserve space. - **Note**   - By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. + > [!NOTE] + > By default the cache is cleared after the server confirms receipt of data. You can manually configure the client to save the data cache. - - -~~~ If the App-V 5.1 client device does not receive a success notification from the server, it retains data in the cache and tries to resend data at the next configured interval. Clients continue to collect data and add it to the cache. -~~~ ### App-V 5.1 reporting server frequently asked questions @@ -121,52 +113,50 @@ The following table displays answers to common questions about App-V 5.1 reporti Note

Group Policy settings override local settings configured using PowerShell.

-
- - ## App-V 5.1 Client Reporting - To use App-V 5.1 reporting you must install and configure the App-V 5.1 client. After the client has been installed, use the **Set-AppVClientConfiguration** PowerShell cmdlet or the **ADMX Template** to configure reporting. The reporting feature cmdlets are available by using the following link and are prefaced by **Reporting**. For a complete list of client configuration settings see [About Client Configuration Settings](about-client-configuration-settings51.md). The following section provides examples of App-V 5.1 client reporting configuration using PowerShell. ### Configuring App-V Client reporting using PowerShell The following examples show how PowerShell parameters can configure the reporting features of the App-V 5.1 client. -**Note** -The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md). - - +> [!NOTE] +> The following configuration task can also be configured using Group Policy settings in the App-V 5.1 ADMX template. For more information about using the ADMX template, see [How to Modify App-V 5.1 Client Configuration Using the ADMX Template and Group Policy](how-to-modify-app-v-51-client-configuration-using-the-admx-template-and-group-policy.md). 
**To enable reporting and to initiate data collection on the computer running the App-V 5.1 client**: -`Set-AppVClientConfiguration –ReportingEnabled 1` +```powershell +Set-AppVClientConfiguration –ReportingEnabled 1 +``` **To configure the client to automatically send data to a specific reporting server**: -``` syntax -Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 +```powershell +Set-AppVClientConfiguration –ReportingServerURL http://MyReportingServer:MyPort/ -ReportingStartTime 20 -ReportingInterval 1 -ReportingRandomDelay 30 -ReportingInterval 1 -ReportingRandomDelay 30 ``` -`-ReportingInterval 1 -ReportingRandomDelay 30` - -This example configures the client to automatically send the reporting data to the reporting server URL http://MyReportingServer:MyPort/. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. +This example configures the client to automatically send the reporting data to the reporting server URL **http://MyReportingServer:MyPort/**. Additionally, the reporting data will be sent daily between 8:00 and 8:30 PM, depending on the random delay generated for the session. **To limit the size of the data cache on the client**: -`Set-AppvClientConfiguration –ReportingDataCacheLimit 100` +```powershell +Set-AppvClientConfiguration –ReportingDataCacheLimit 100 +``` Configures the maximum size of the reporting cache on the computer running the App-V 5.1 client to 100 MB. If the cache limit is reached before the data is sent to the server, then the log rolls over and data will be overwritten as necessary. 
**To configure the data block size transmitted across the network between the client and the server**: -`Set-AppvClientConfiguration –ReportingDataBlockSize 10240` +```powershell +Set-AppvClientConfiguration –ReportingDataBlockSize 10240 +``` Specifies the maximum data block that the client sends to 10240 MB. @@ -174,59 +164,15 @@ Specifies the maximum data block that the client sends to 10240 MB. The following table displays the types of information you can collect by using App-V 5.1 reporting. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
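Review bot: The rewritten sample under "To configure the client to automatically send data to a specific reporting server" now passes `-ReportingInterval 1 -ReportingRandomDelay 30` twice, and PowerShell does not bind a named parameter that is given more than once, so the command as published is expected to fail when pasted. The stray line that used to sit below the fence appears to have been appended to the command instead of dropped; the fenced line should end after the first `-ReportingRandomDelay 30`. Separately, the sample endpoint is plain `http://`, and the table later in this file lists host name and username among the collected fields, so a sentence recommending an HTTPS reporting URL where the server supports it would be worth adding next to the example.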
Client InformationPackage InformationApplication Usage

Host Name

Package Name

Start and End Times

App-V 5.1 Client Version

Package Version

Run Status

Processor Architecture

Package Source

Shutdown State

Operating System Version

Percent Cached

Application Name

Service Pack Level

Application Version

Operating System Type

Username

Connection Group

- - +|Client Information |Package Information |Application Usage | +|---------|---------|---------| +|Host Name |Package Name|Start and End Times| +|App-V 5.1 Client Version |Package Version|Run Status| +|Processor Architecture |Package Source|Shutdown State| +|Operating System Version|Percent Cached|Application Name| +|Service Pack Level| |Application Version| +|Operating System Type| |Username| +| | |Connection Group| The client collects and saves this data in an **.xml** format. The data cache is hidden by default and requires administrator rights to open the XML file. @@ -234,19 +180,17 @@ The client collects and saves this data in an **.xml** format. The data cache is You can configure the computer that is running the App-V 5.1 client to automatically send data to the specified reporting server. To specify the server use the **Set-AppvClientConfiguration** cmdlet with the following settings: -- ReportingEnabled - -- ReportingServerURL - -- ReportingStartTime - -- ReportingInterval - -- ReportingRandomDelay +- ReportingEnabled +- ReportingServerURL +- ReportingStartTime +- ReportingInterval +- ReportingRandomDelay After you configure the previous settings, you must create a scheduled task. The scheduled task will contact the server specified by the **ReportingServerURL** setting and will initiate the transfer. If you want to manually send data outside of the scheduled times, use the following PowerShell cmdlet: -`Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess` +```powershell +Send-AppVClientReport –URL http://MyReportingServer:MyPort/ -DeleteOnSuccess +``` If the reporting server has been previously configured, then the **–URL** parameter can be omitted. Alternatively, if the data should be sent to an alternate location, specify a different URL to override the configured **ReportingServerURL** for this data collection. @@ -277,23 +221,20 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data. Note

If a location other than the Reporting Server is specified, the data is sent using .xml format with no additional processing.

-
- - ### Creating Reports To retrieve report information and create reports using App-V 5.1 you must use one of the following methods: -- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports. +- **Microsoft SQL Server Reporting Services (SSRS)** - Microsoft SQL Server Reporting Services is available with Microsoft SQL Server. SSRS is not installed when you install the App-V 5.1 reporting server. It must be deployed separately to generate the associated reports. Use the following link for more information about using [Microsoft SQL Server Reporting Services](https://go.microsoft.com/fwlink/?LinkId=285596). -- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example: +- **Scripting** – You can generate reports by scripting directly against the App-V 5.1 reporting database. For example: **Stored Procedure:** 
@@ -303,25 +244,10 @@ To retrieve report information and create reports using App-V 5.1 you must use o The stored procedure is also created when using the App-V 5.1 database scripts. -You should also ensure that the reporting server web service’s **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. - - - - - +You should also ensure that the reporting server web service's **Maximum Concurrent Connections** is set to a value that the server will be able to manage without impacting availability. The recommended number of **Maximum Concurrent Connections** for the **Reporting Web Service** is **10,000**. ## Related topics - [Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md) [How to install the Reporting Server on a Standalone Computer and Connect it to the Database](how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md) - - - - - - - - - diff --git a/mdop/appv-v5/app-v-51-planning-checklist.md b/mdop/appv-v5/app-v-51-planning-checklist.md index 52ac3984ce..e1f8ef66b6 100644 --- a/mdop/appv-v5/app-v-51-planning-checklist.md +++ b/mdop/appv-v5/app-v-51-planning-checklist.md @@ -16,86 +16,21 @@ ms.date: 06/16/2016 # App-V 5.1 Planning Checklist - This checklist can be used to help you plan for preparing your computing environment for Microsoft Application Virtualization (App-V) 5.1 deployment. -**Note**   -This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. - - - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TaskReferencesNotes
Checklist box

Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.

Getting Started with App-V 5.1

Checklist box

Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.

App-V 5.1 Prerequisites

Checklist box

If you plan to use the App-V 5.1 management server, plan for the required roles.

Planning for the App-V 5.1 Server Deployment

Checklist box

Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.

Planning for the App-V 5.1 Sequencer and Client Deployment

Checklist box

If applicable, review the options and steps for migrating from a previous version of App-V.

Planning for Migrating from a Previous Version of App-V

Checklist box

Plan for running App-V 5.1 clients using in shared content store mode.

How to Install the App-V 5.1 Client for Shared Content Store Mode

- - - - - - +> [!NOTE] +> This checklist outlines the recommended steps and a high-level list of items to consider when planning for an App-V 5.1 deployment. It is recommended that you copy this checklist into a spreadsheet program and customize it for your use. +| |Task |References | +|-|-|-| +|![Checklist box](images/checklistbox.gif) |Review the getting started information about App-V 5.1 to gain a basic understanding of the product before beginning deployment planning.|[Getting Started with App-V 5.1](getting-started-with-app-v-51.md)| +|![Checklist box](images/checklistbox.gif) |Plan for App-V 5.1 1.0 Deployment Prerequisites and prepare your computing environment.|[App-V 5.1 Prerequisites](app-v-51-prerequisites.md)| +|![Checklist box](images/checklistbox.gif) |If you plan to use the App-V 5.1 management server, plan for the required roles.|[Planning for the App-V 5.1 Server Deployment](planning-for-the-app-v-51-server-deployment.md)| +|![Checklist box](images/checklistbox.gif) |Plan for the App-V 5.1 sequencer and client so you to create and run virtualized applications.|[Planning for the App-V 5.1 Sequencer and Client Deployment](planning-for-the-app-v-51-sequencer-and-client-deployment.md)| +|![Checklist box](images/checklistbox.gif) |If applicable, review the options and steps for migrating from a previous version of App-V.|[Planning for Migrating from a Previous Version of App-V](planning-for-migrating-from-a-previous-version-of-app-v51.md)| +|![Checklist box](images/checklistbox.gif) |Plan for running App-V 5.1 clients using in shared content store mode.|[How to Install the App-V 5.1 Client for Shared Content Store Mode](how-to-install-the-app-v-51-client-for-shared-content-store-mode.md)| +|![Checklist box](images/checklistbox.gif) | | | ## Related topics - [Planning for App-V 5.1](planning-for-app-v-51.md) - - - - - - - - - 
diff --git a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
index 4d6223aabf..b74f0be3c2 100644
--- a/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
+++ b/mdop/appv-v5/how-to-install-the-reporting-server-on-a-standalone-computer-and-connect-it-to-the-database51.md
@@ -16,63 +16,46 @@ ms.date: 06/16/2016 # How to install the Reporting Server on a Standalone Computer and Connect it to the Database - Use the following procedure to install the reporting server on a standalone computer and connect it to the database. -**Important** +**Important** Before performing the following procedure you should read and understand [About App-V 5.1 Reporting](about-app-v-51-reporting.md). +## To install the reporting server on a standalone computer and connect it to the database +1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. -**To install the reporting server on a standalone computer and connect it to the database** +2. On the **Getting Started** page, review and accept the license terms, and click **Next**. -1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**. +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**. -2. On the **Getting Started** page, review and accept the license terms, and click **Next**. +4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**. +5. 
On the **Installation Location** page, accept the default location and click **Next**. -4. On the **Feature Selection** page, select the **Reporting Server** checkbox and click **Next**. +6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. -5. On the **Installation Location** page, accept the default location and click **Next**. + > [!NOTE] + > If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. -6. On the **Configure Existing Reporting Database** page, select **Use a remote SQL Server**, and type the machine name of the computer running Microsoft SQL Server, for example **SqlServerMachine**. + For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - **Note** - If the Microsoft SQL Server is deployed on the same server, select **Use local SQL Server**. - - - -~~~ -For the SQL Server Instance, select **Use the default instance**. If you are using a custom Microsoft SQL Server instance, you must select **Use a custom instance** and then type the name of the instance. - -Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. -~~~ + Specify the **SQL Server Database name** that this reporting server will use, for example **AppvReporting**. 7. On the **Configure Reporting Server Configuration** page. - - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. + - Specify the Website Name that you want to use for the Reporting Service. Leave the default unchanged if you do not have a custom name. - - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. 
You should also ensure that the port specified is not being used by another website. + - For the **Port binding**, specify a unique port number that will be used by App-V 5.1, for example **55555**. You should also ensure that the port specified is not being used by another website. 8. Click **Install**. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics - [About App-V 5.1 Reporting](about-app-v-51-reporting.md) [Deploying App-V 5.1](deploying-app-v-51.md) [How to Enable Reporting on the App-V 5.1 Client by Using PowerShell](how-to-enable-reporting-on-the-app-v-51-client-by-using-powershell.md) - - - - - - - - - diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 1539c913c4..d691487aa2 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md 
@@ -1725,9 +1725,9 @@ Valid values: 0–90 This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. -If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. +If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run. -If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off. +If you enable this setting, catch-up scans for scheduled full scans will be disabled. Supported values: diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 475db540e0..ceef7004b4 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 09/27/2019 +ms.date: 03/12/2020 ms.reviewer: manager: dansimp --- 
@@ -76,7 +76,8 @@ manager: dansimp This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. -Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. +> [!CAUTION] +> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. 
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 9d98a92f10..52098ee14c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1233,8 +1233,8 @@ The following list shows the supported values: -Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. ADMX Info: @@ -1304,7 +1304,8 @@ Default value is 7. -Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. + +Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. ADMX Info: 
@@ -1374,7 +1375,9 @@ Default value is 7. -Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + +Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. + ADMX Info: 
@@ -1444,7 +1447,8 @@ Default value is 2. -Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. + +Added in Windows 10, version 1903. Also available in Windows 10, versions 1809, 1803, and 1709. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. @@ -4170,7 +4174,7 @@ The following list shows the supported values: -Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed. +Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed. Options: 
@@ -4179,7 +4183,7 @@ Options: - 2 – Turn off all notifications, including restart warnings > [!IMPORTANT] -> If you choose not to get update notifications and also define other Group policies so that devices aren’t automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. +> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 4b2d75eae6..3276da608a 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md 
@@ -64,3 +64,4 @@ The features described below are no longer being actively developed, and might b |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](https://docs.microsoft.com/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](https://docs.microsoft.com/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](https://docs.microsoft.com/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 | +|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quite switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
Applies to Windows Server 2016 and Windows Server 2019 as well.| diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index b058f9e711..6c8417f572 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md 
@@ -36,7 +36,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. | | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. | | [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. | -| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. | +| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. | | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. | | [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. | | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. | 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 6f79f71c7e..c981469bef 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -8,7 +8,7 @@ itproauthor: jaimeo
 author: SteveDiAcetis
 ms.localizationpriority: medium
 ms.author: jaimeo
-ms.reviewer:
+ms.reviewer:
 manager: laurawi
 ms.collection: M365-modern-desktop
 ms.topic: article
@@ -88,7 +88,7 @@ The main operating system file (install.wim) contains multiple editions of Windo ### Additional languages and features -You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image. +You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image. 
Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month). @@ -108,7 +108,7 @@ These examples are for illustration only, and therefore lack error handling. The The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only. ``` -function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } +function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } Write-Host "$(Get-TS): Starting media refresh" 
@@ -121,19 +121,19 @@ $LANG = "ja-jp" $LANG_FONT_CAPABILITY = "jpan" # Declare Dynamic Update packages -$LCU_PATH = “C:\mediaRefresh\packages\LCU.msu” -$SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu” +$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu" +$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu" $SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab" -$SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab” -$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu” +$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab" +$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu" # Declare folders for mounted images and temp files $WORKING_PATH = "C:\mediaRefresh\temp" $MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia" $MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia" -$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount” -$WINRE_MOUNT = $WORKING_PATH + "\WinREMount” -$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount” +$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount" +$WINRE_MOUNT = $WORKING_PATH + "\WinREMount" +$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount" # Mount the language pack ISO Write-Host "$(Get-TS): Mounting LP ISO" @@ -152,7 +152,7 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Cli # Mount the Features on Demand ISO Write-Host "$(Get-TS): Mounting FOD ISO" $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter -$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" +$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" # Create folders for mounting images and storing temporary files New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null 
@@ -162,7 +162,7 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Keep the original media, make a copy of it for the new, updateed media. Write-Host "$(Get-TS): Copying original media to new media path" -Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false } ``` ### Update WinRE @@ -177,14 +177,14 @@ It finishes by cleaning and exporting the image to reduce the image size. ``` # Mount the main operating system, used throughout the script Write-Host "$(Get-TS): Mounting main OS" -Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim” -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null +Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null # # update Windows Recovery Environment (WinRE) # -Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null Write-Host "$(Get-TS): Mounting WinRE" -Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim” -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null +Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update Write-Host "$(Get-TS): Adding package $SSU_PATH" 
@@ -226,10 +226,10 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) { # Add TTS support for the new language if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { - + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null - + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null } 
@@ -244,35 +244,35 @@ Write-Host "$(Get-TS): Performing image cleanup on WinRE" DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # Dismount -Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null +Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null # Export -Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim” -Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null -Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null +Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim" +Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null +Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null ``` ### Update WinPE This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media. 
``` -# +# # update Windows Preinstallation Environment (WinPE) -# +# # Get the list of images contained within WinPE -$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” +$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" Foreach ($IMAGE in $WINPE_IMAGES) { # update WinPE Write-Host "$(Get-TS): Mounting WinPE" - Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null + Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add SSU Write-Host "$(Get-TS): Adding package $SSU_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null - + # Install lp.cab cab Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null @@ -287,7 +287,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { $INDEX = $PACKAGE.PackageName.IndexOf("-Package") if ($INDEX -ge 0) { - + $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab" if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) { $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB @@ -307,10 +307,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) { # Add TTS support for the new language if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) { if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) { - + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null - + Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null } 
@@ -321,7 +321,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Host "$(Get-TS): Updating lang.ini" DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null } - + # Add latest cumulative update Write-Host "$(Get-TS): Adding package $LCU_PATH" Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null 
@@ -331,28 +331,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) { DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # Dismount - Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null + Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null #Export WinPE - Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim” - Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null + Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim" + Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null } -Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null +Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null ``` ### Update the main operating system For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod). Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. 
Finally, the script cleans and exports the image. - + You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export. ``` -# +# # update Main OS -# +# # Add servicing stack update Write-Host "$(Get-TS): Adding package $SSU_PATH" @@ -385,20 +385,20 @@ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOU # Add latest cumulative update Write-Host "$(Get-TS): Adding package $LCU_PATH" -Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null +Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null # Copy our updated recovery image from earlier into the main OS -# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file +# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file # into each edition to enable single instancing -Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null +Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null # Perform image cleanup Write-Host "$(Get-TS): Performing image cleanup on main OS" DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null # -# Note: If I wanted to enable additional Optional Components, I'd add these here. -# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require +# Note: If I wanted to enable additional Optional Components, I'd add these here. +# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require # the image to be booted, and thus if we tried to cleanup after installation, it would fail. # 
@@ -413,9 +413,9 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorActio Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null # Export -Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim” -Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null -Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null +Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim" +Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null +Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null ``` ### Update remaining media files @@ -446,8 +446,7 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null # Dismount ISO images Write-Host "$(Get-TS): Dismounting ISO images" Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null -Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null +Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Host "$(Get-TS): Media refresh completed!" ``` - diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 612c44e92a..c3c6abb633 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md 
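Review bot: The export lines in this hunk still build paths by placing a variable directly against a quoted literal, as in `$MEDIA_NEW_PATH"\sources\install.wim"`. That form reads like a quoting mistake and is inconsistent with the `Join-Path $WINPE_OC_LANG_PATH $OC_CAB` call in the WinPE section. Since the commit already touches these quotes, I would write each path as one expandable string, for example `-SourceImagePath "$MEDIA_NEW_PATH\sources\install.wim"`, or use `Join-Path`. The same form appears in the WinRE and WinPE export hunks (-244, -331) and in the `Copy-Item` line at -385. The main OS section starts before this hunk.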
@@ -17,7 +17,7 @@ ms.topic: article # Delivery Optimization in Update Compliance ![DO status](images/UC_workspace_DO_status.png) -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ## Delivery Optimization Status diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 731828c027..e1e7e102cc 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md 
@@ -17,6 +17,11 @@ ms.topic: article # Monitor Windows Updates with Update Compliance +> [!IMPORTANT] +> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal; however, please note the following updates: +> +> * On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. +> * The Perspectives feature of Update Compliance will also be removed on March 31, 2020 in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. ## Introduction @@ -46,8 +51,8 @@ The Update Compliance architecture and data flow follows this process: 4. Diagnostic data is available in the Update Compliance solution. ->[!NOTE] ->This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md). +> [!NOTE] +> This process assumes that Windows diagnostic data is enabled and data sharing is enabled as outlined in the enrollment section of [Get started with Update Compliance](update-compliance-get-started.md). 
@@ -55,4 +60,4 @@ The Update Compliance architecture and data flow follows this process: ## Related topics [Get started with Update Compliance](update-compliance-get-started.md)
-[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) \ No newline at end of file +[Use Update Compliance to monitor Windows Updates](update-compliance-using.md) diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md index b38df5c5af..b07741ffeb 100644 --- a/windows/deployment/update/update-compliance-perspectives.md +++ b/windows/deployment/update/update-compliance-perspectives.md @@ -16,6 +16,10 @@ ms.topic: article # Perspectives +> [!IMPORTANT] +> On March 31, 2020, the Perspectives feature of Update Compliance will be removed in favor of a better experience. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. + + ![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png) Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance. 
@@ -33,10 +37,10 @@ The third blade is the **Deployment Status** blade. This defines how many days i | State | Description | | --- | --- | | Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. | -| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | -| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | -| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. | -| Cancelled | The update was cancelled. | +| In Progress | Devices that report they are "In Progress" are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. | +| Deferred | When a device's Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. | +| Progress stalled | Devices that report as "Progress stalled" have been stuck at "In progress" for more than 7 days. | +| Cancelled | The update was canceled. | | Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. | | Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. | | Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. | 
@@ -48,19 +52,19 @@ The final blade is the **Detailed Deployment Status** blade. This blade breaks d | State | Description | | --- | --- | -| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. | -| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. | +| Update deferred | When a device's Windows Update for Business policy dictates the update is deferred. | +| Update paused | The device's Windows Update for Business policy dictates the update is paused from being offered. | | Update offered | The device has been offered the update, but has not begun downloading it. | | Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. | | Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) | | Download Started | The update has begun downloading on the device. | | Download Succeeded | The update has successfully completed downloading. | | Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. | -| Install Started | Installation of the update has begun. | -| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. +| Install Started | Installation of the update has begun. | +| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed. | Reboot Pending | The device has a scheduled reboot to apply the update. | | Reboot Initiated | The scheduled reboot has been initiated. | -| Update Completed/Commit | The update has successfully installed. 
| +| Update Completed/Commit | The update has successfully installed. | ->[!NOTE] ->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. +> [!NOTE] +> Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking "Not configured (-1)" devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar. diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index edc9156531..881410e578 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md 
@@ -16,12 +16,16 @@ ms.topic: article # Windows Defender AV Status + +> [!IMPORTANT] +> On March 31, 2020, the Windows Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. + ![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. ->[!NOTE] ->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). +> [!NOTE] +> Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). 
If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx). ## Windows Defender AV Status sections The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 61a6af8b7c..ac14bcf549 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -6,7 +6,6 @@ description: Delivery Optimization is a new peer-to-peer distribution method in keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy - audience: itpro author: jaimeo ms.localizationpriority: medium @@ -183,7 +182,7 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a ### Monitor with Update Compliance -The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. +Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ![DO status](images/UC_workspace_DO_status.png) diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index c7be3666ed..b23dfbb017 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md 
@@ -45,7 +45,6 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
  • Reducing Windows 10 Package Size Downloads for x64 Systems - September 26, 2018
  • Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
  • Helping customers shift to a modern desktop - September 6, 2018
  • -
  • Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
  • What's next for Windows 10 and Windows Server quality updates - August 16, 2018
  • Windows 10 monthly updates - August 1, 2018 (video)
  • Windows 10 update servicing cadence - August 1, 2018
  • diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 613250332f..6dca369b35 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -1,8 +1,8 @@ --- title: Windows as a service -ms.prod: windows-10 +ms.prod: w10 ms.topic: landing-page -ms.manager: elizapo +ms.manager: laurawi audience: itpro itproauthor: jaimeo author: jaimeo @@ -73,7 +73,6 @@ Learn more about Windows as a service and its value to your organization. Quick guide to Windows as a service -Windows Analytics overview What's new in Windows 10 deployment @@ -117,7 +116,6 @@ Secure your organization's deployment investment. Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. -[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) [BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md index 11483f0c9b..719b115f4f 100644 --- a/windows/deployment/update/wufb-basics.md +++ b/windows/deployment/update/wufb-basics.md 
@@ -9,14 +9,13 @@ author: jaimeo ms.localizationprioauthor: jaimeo ms.audience: itpro author: jaimeo -ms.date: 06/20/2018 ms.reviewer: manager: laurawi ms.topic: article --- # Configure the Basic group policy for Windows Update for Business -For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution. +For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Monitor Windows Update with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding. |Policy name|Description | |-|-| 
@@ -28,4 +27,4 @@ For Windows Update for Business configurations to work, devices need to be confi |Policy|Location|Suggested configuration| |-|-|-| |Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
    **Option**: 1-Basic| -|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
    **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| +|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
    **Commercial ID**: The GUID created for you at the time of onboarding| diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index df08dd3caa..41edd21e70 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -16,15 +16,15 @@ ms.topic: article Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions. -The compliance options have changed with the release of Windows 10, version 1903: +The compliance options have changed for devices on Windows 10, version 1709 and above: -- [Starting with Windows 10, version 1903](#starting-with-windows-10-version-1903) -- [Prior to Windows 10, version 1903](#prior-to-windows-10-version-1903) +- [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above) +- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) -## Starting with Windows 10, version 1903 +## For Windows 10, version 1709 and above -With a current version of Windows 10, it's best to use the new policy introduced in Windows 10, version 1903: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings: +With a current version of Windows 10, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and above: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings: - Update/ConfigureDeadlineForFeatureUpdates - Update/ConfigureDeadlineForQualityUpdates 
@@ -43,7 +43,7 @@ Further, the policy includes the option to opt out of automatic restarts until t |Policy|Description | |-|-| -| (starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | +| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | 
@@ -51,31 +51,34 @@ Further, the policy includes the option to opt out of automatic restarts until t |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |-|-|-|-|-| -|(starting in Windows 10, version 1903) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | +|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | -When **Specify deadlines for automatic updates and restarts** is set (starting in Windows 10, version 1903): +When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above): -**While restart is pending, before the deadline occurs:** -- For the first few days, the user receives a toast notification -- After this period, the user receives this dialog: + - **While restart is pending, before the deadline occurs:** -![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png) -- If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: + - For the first few days, the user receives a toast notification -![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) + - After this period, the user receives this dialog: -**If the restart is still pending after the deadline passes:** -- Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: + ![The notification users get for an impending restart prior to 
deadline](images/wufb-update-deadline-warning.png) -![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) -- Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: + - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur: -![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png) + ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png) + + - **If the restart is still pending after the deadline passes:** + + - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching: + + ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png) + + - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification: + + ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png) - - -## Prior to Windows 10, version 1903 +## Prior to Windows 10, version 1709 Two compliance flows are available: @@ -119,9 +122,11 @@ Once the device is in the pending restart state, it will attempt to restart the #### Notification experience for deadline Notification users get for a quality update deadline: + ![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png) Notification users get for a feature update deadline: + ![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png) ### Deadline with user engagement 
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index e54f6338f1..092f297bb9 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -18,11 +18,14 @@ ms.topic: article # Use VAMT in Windows PowerShell The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to perform the same functions as the Vamt.exe command-line tool. + **To install PowerShell 3.0** - VAMT PowerShell cmdlets require Windows PowerShell, which is included in Windows 10, Windows 8 and Windows Server® 2012. You can download PowerShell for Windows 7 or other operating systems from the [Microsoft Download Center](https://go.microsoft.com/fwlink/p/?LinkId=218356). - **To install the Windows Assessment and Deployment Kit** + +**To install the Windows Assessment and Deployment Kit** - In addition to PowerShell, you must import the VAMT PowerShell module. The module is included in the VAMT 3.0 folder after you install the Windows Assessment and Deployment Kit (Windows ADK). - **To prepare the VAMT PowerShell environment** + +**To prepare the VAMT PowerShell environment** - To open PowerShell with administrative credentials, click **Start** and type “PowerShell” to locate the program. Right-click **Windows PowerShell**, and then click **Run as administrator**. To open PowerShell in Windows 7, click **Start**, click **All Programs**, click **Accessories**, click **Windows PowerShell**, right-click **Windows PowerShell**, and then click **Run as administrator**. **Important** diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index bdb8c230c4..d953b17ab2 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -89,7 +89,7 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) -#### Muti-factor authentication +#### Multi-factor authentication An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 8a7020e6c9..81d649c077 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -251,6 +251,9 @@ See the following examples. 25. Click **OK** to close the Task Sequence Editor. +> [!NOTE] +> On Windows 10 1903 and 1909, the **AutopilotConfigurationFile.json** is deleted by the **Prepare Windows for Capture** step. See [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues) for more information and a workaround. + ### Deploy Content to Distribution Points Next, ensure that all content required for the task sequence is deployed to distribution points. diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md index fe874d593f..162db9fe0e 100644 --- a/windows/deployment/windows-autopilot/known-issues.md +++ b/windows/deployment/windows-autopilot/known-issues.md @@ -26,15 +26,18 @@ ms.topic: article + + - 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index 291b0a7d56..ce948dbf85 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -23,6 +23,10 @@ ms.date: 9/10/2019 This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier ([OMA URI](https://docs.microsoft.com/intune/custom-settings-windows-10)) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. +Note: The 1903 settings in the Windows Restricted Traffic Limited Functionality Baseline package are applicable to 1909 Windows Enterprise devices. + +Note: If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied to in order re-restrict the device. Also, egress traffic may occur during the period leading up to the re-applications of the Restricted Traffic Limited Functionality Baseline settings. + >[!IMPORTANT] >- The Allowed Traffic endpoints for an MDM configuration are here: [Allowed Traffic](#bkmk-mdm-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. 
CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index a7532b9ecf..036ce84b5d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -25,7 +25,7 @@ ms.reviewer: ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 4ddcb35964..a3a94da88d 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -23,10 +23,8 @@ ms.reviewer: **Requirements:** * Windows Hello for Business deployment (Hybrid or On-premises) -* Azure AD joined device (Cloud and Hybrid deployments) -* Hybrid Azure AD joined (Hybrid deployments) -* Domain Joined (on-premises deployments) -* Windows 10, version 1709 +* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) +* Windows 10, version 1709 or newer * Bluetooth, Bluetooth capable phone - optional Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 013c2a4130..16be1aa6bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -26,7 +26,7 @@ ms.reviewer: - Key trust > [!NOTE] ->There was an issue with key trust on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). +>There was an issue with key trust authentication on Windows Server 2019. To fix it, refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044). ## How many is adequate 
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index c0e102cb90..6bc04cd39f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 03/05/2020 --- # Windows Hello biometrics in the enterprise 
@@ -28,34 +28,36 @@ Windows Hello is the biometric authentication feature that helps strengthen auth >[!NOTE] >When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. -Because we realize your employees are going to want to use this new technology in your enterprise, we’ve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. +Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. ## How does Windows Hello work? Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. -The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn’t roam among devices, isn’t shared with a server, and can’t easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. 
+The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. ## Why should I let my employees use Windows Hello? Windows Hello provides many benefits, including: -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it’s much more difficult to gain access without the employee’s knowledge. +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. -- Employees get a simple authentication method (backed up with a PIN) that’s always with them, so there’s nothing to lose. No more forgetting passwords! +- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! - Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. ## Where is Windows Hello data stored? -The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. +The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. + +Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. ## Has Microsoft set any device requirements for Windows Hello? 
-We’ve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: +We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: - **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. - **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. ### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee’s unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). 
**Acceptable performance range for small to large size touch sensors** @@ -70,7 +72,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an - Effective, real world FRR with Anti-spoofing or liveness detection: <10% ### Facial recognition sensors -To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). +To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). - False Accept Rate (FAR): <0.001% diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index d1efe88759..7189408b7b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
@@ -42,7 +42,7 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has two deployment models: Hybrid and On-premises. Each deployment model has two trust models: *Key trust* or *certificate trust*. +Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 7de79a7f47..72cba7a12e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md 
@@ -285,7 +285,7 @@ A TPM implements controls that meet the specification described by the Trusted C - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). +Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations). Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 6ab596d350..c7b2eca8b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md 
@@ -37,7 +37,10 @@ New installations are considerably more involved than existing implementations b The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. ## Active Directory -This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 or later domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. + +> [!NOTE] +>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal. 
@@ -93,7 +96,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Highly available certificate revocation list (Azure AD Joined devices). ## Azure Active Directory -You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. +You've prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d2b1de480f..016bf3f7d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -41,6 +41,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. + +> [!NOTE] +>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. 
@@ -112,7 +115,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. +Hybrid Windows Hello for Business deployments can use Azure's Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 42d9d4b606..93ca09aa2f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md 
@@ -25,7 +25,10 @@ ms.reviewer: - Key trust -Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. +Key trust deployments need an adequate number of 2016 or later domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section. + +> [!NOTE] +>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2. diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 30d604bb53..0b032dbbdc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -44,19 +44,12 @@ As an administrator in an enterprise or educational organization, you can create ## Biometric sign-in - Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don’t currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users’ credentials. + Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials. - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10. 
-Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. - -## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure sign-in method. -Fingerprint scan can be enabled on laptop computers using a built-in fingerprint reader or an external USB fingerprint reader, as follows: -1. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** -2. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. -3. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension). -4. If you are unable to sign in with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. +Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). ## The difference between Windows Hello and Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 17f9e5e49f..24172f6859 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -23,13 +23,13 @@ ms.reviewer: Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. -This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you’ll use that information to select the correct deployment guide for your needs. +This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. ## Using this guide -There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they’ve already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. +There are many options from which you can choose when deploying Windows Hello for Business. Providing multiple options ensures nearly every organization can deploy Windows Hello for Business. Providing many options makes the deployment appear complex, however, most organization will realize they've already implemented most of the infrastructure on which the Windows Hello for Business deployment depends. 
It is important to understand that Windows Hello for Business is a distributed system and does take proper planning across multiple teams within an organization. -This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you’ll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. +This guide removes the appearance of complexity by helping you make decisions on each aspect of your Windows Hello for Business deployment and the options you'll need to consider. Using this guide also identifies the information needed to help you make decisions about the deployment that best suits your environment. Download the [Windows Hello for Business planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514) from the Microsoft Download Center to help track your progress and make your planning easier. ### How to Proceed @@ -80,13 +80,13 @@ The on-premises deployment model is for organizations that do not have cloud ide > Reset above lock screen - Windows 10, version 1709, Professional
    > Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -It’s fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. +It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. #### Trust types -A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. -The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. 
Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. 
@@ -99,14 +99,14 @@ All devices included in the Windows Hello for Business deployment must go throug #### Key registration -The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user’s public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. +The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user's credentials. The private key is protected by the device's security modules; however, the credential is a user key (not a device key). The provisioning experience registers the user's public key with the identity provider. For cloud only and hybrid deployments, the identity provider is Azure Active Directory. For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role. #### Multifactor authentication > [!IMPORTANT] > As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details. 
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. +The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). > [!NOTE] 
@@ -156,9 +156,9 @@ Some deployment combinations require an Azure account, and some require Azure Ac ## Planning a Deployment -Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization’s infrastructure. +Planning your Windows Hello for Business deployment begins with choosing a deployment type. Like all distributed systems, Windows Hello for Business depends on multiple components within your organization's infrastructure. -Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you’ll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. +Use the remainder of this guide to help with planning your deployment. As you make decisions, write the results of those decisions in your planning worksheet. When finished, you'll have all the information needed to complete the planning process and the appropriate deployment guide that best helps you with your deployment. ### Deployment Model 
@@ -170,8 +170,8 @@ If your organization is federated with Azure or uses any online service, such as If your organization does not have cloud resources, write **On-Premises** in box **1a** on your planning worksheet. > [!NOTE] -> If you’re unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. -> ```Get-AdObject “CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` +> If you're unsure if your organization is federated, run the following Active Directory Windows PowerShell command from an elevated Windows PowerShell prompt and evaluate the results. +> ```Get-AdObject "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=[forest_root_CN_name],DC=com" -Properties keywords``` > * If the command returns an error stating it could not find the object, then you have yet to configured AAD Connect or on-premises Device Registration Services using AD FS. Ensure the name is accurate and validate the object does not exist with another Active Directory Management tool such as **ADSIEdit.msc**. If the object truly does not exist, then your environment does not bind you to a specific deployment or require changes to accommodate the desired deployment type. > * If the command returns a value, compare that value with the values below. The value indicates the deployment model you should implement > * If the value begins with **azureADName:** – write **Hybrid** in box **1a**on your planning worksheet. 
@@ -209,13 +209,13 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** ### Directory Synchronization -Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multi-factor authentication during provisioning or writing the user’s public key. +Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user's phone number to perform multi-factor authentication during provisioning or writing the user's public key. If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized. If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credentials remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. 
The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user's credentials remain on the on-premises network. ### Multifactor Authentication @@ -341,6 +341,6 @@ Modern managed devices do not require an Azure AD premium subscription. By forg If boxes **2a** or **2b** read **modern management** and you want devices to automatically enroll in your modern management software, write **Yes** in box **6c** on your planning worksheet. Otherwise, write **No** in box **6c**. -## Congratulations, You’re Done +## Congratulations, You're Done -Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you’ll be able to identify key elements of your Windows Hello for Business deployment. +Your Windows Hello for Business planning worksheet should be complete. This guide provided understanding of the components used in the Windows Hello for Business infrastructure and rationalization of why they are used. The worksheet gives you an overview of the requirements needed to continue the next phase of the deployment. With this worksheet, you'll be able to identify key elements of your Windows Hello for Business deployment. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2b444785f5..eab2a21708 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -2,112 +2,103 @@ ## [Overview]() ### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) -### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md) -### [Threat & Vulnerability Management]() -#### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -#### [Configuration score](microsoft-defender-atp/configuration-score.md) -#### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md) -#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) -#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md) +### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) +### [Preview features](microsoft-defender-atp/preview.md) +### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) +### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md) + +## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) + +## [Deployment strategy](microsoft-defender-atp/deployment-strategy.md) + + +## [Deployment guide]() +### [Deployment phases](microsoft-defender-atp/deployment-phases.md) + +### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md) + +### [Phase 2: Setup](microsoft-defender-atp/production-deployment.md) + +### [Phase 3: 
Onboard](microsoft-defender-atp/onboarding.md) -### [Attack surface reduction]() -#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md) -#### [Hardware-based isolation]() -##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md) -##### [Application isolation]() -###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md) -###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) - -##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) - -#### [Application control](windows-defender-application-control/windows-defender-application-control.md) -#### [Exploit protection](microsoft-defender-atp/exploit-protection.md) -#### [Network protection](microsoft-defender-atp/network-protection.md) - -#### [Web protection]() -##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md) -##### [Web threat protection]() -###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md) -###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md) -###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md) -##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md) - -#### [Controlled folder access](microsoft-defender-atp/controlled-folders.md) -#### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md) -#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - -### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md) -#### [Better together: Windows Defender Antivirus and Office 
365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) - -### [Endpoint detection and response]() -#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md) -#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) - -#### [Incidents queue]() -##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) -##### [Manage incidents](microsoft-defender-atp/manage-incidents.md) -##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) - -#### [Alerts queue]() -##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) -##### [Manage alerts](microsoft-defender-atp/manage-alerts.md) -##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) -##### [Investigate files](microsoft-defender-atp/investigate-files.md) -##### [Investigate machines](microsoft-defender-atp/investigate-machines.md) -##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) -##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) -###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) -##### [Investigate a user account](microsoft-defender-atp/investigate-user.md) - -#### [Machines list]() -##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) -##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) +## [Security administration]() +### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) +### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) +### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) +### [Configuration 
score](microsoft-defender-atp/configuration-score.md) +### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) +### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md) +### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) +### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) +### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) -#### [Take response actions]() -##### [Take response actions on a machine]() -###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) -###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) -###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) -###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) -###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) -###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) -###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) -###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) -###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) -###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) - -##### [Take response actions on a file]() -###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md) -###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network) -###### [Restore file from 
quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine) -###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) -###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert) -###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center) -###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file) -###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) -###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis) -###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports) -###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis) -##### [Investigate entities using Live response]() -###### [Investigate entities on machines](microsoft-defender-atp/live-response.md) -###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) -### [Automated investigation and remediation (AIR)]() -#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) -#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) -#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) +## [Security operations]() +### [Portal overview](microsoft-defender-atp/portal-overview.md) +### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) + + +### [Incidents queue]() +#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) +#### [Manage incidents](microsoft-defender-atp/manage-incidents.md) +#### [Investigate 
incidents](microsoft-defender-atp/investigate-incidents.md) + +### [Alerts queue]() +#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) +#### [Manage alerts](microsoft-defender-atp/manage-alerts.md) +#### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) +#### [Investigate files](microsoft-defender-atp/investigate-files.md) +#### [Investigate machines](microsoft-defender-atp/investigate-machines.md) +#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) +#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) +##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) +#### [Investigate a user account](microsoft-defender-atp/investigate-user.md) + +### [Machines list]() +#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) +#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) + +### [Take response actions]() +#### [Take response actions on a machine]() +##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) +##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) +##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) +##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) +##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines) +##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) +##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) +##### 
[Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
+##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
+
+#### [Take response actions on a file]()
+##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
+##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
+##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
+##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
+##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
+##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
+##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
+##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
+##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
+##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
+##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
+
+### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
+#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
+
+
+### [Investigate entities using Live response]()
+#### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
+#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
 ### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
@@ -134,254 +125,306 @@
 ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
 #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
+### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
+
+### [Reporting]()
+#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
+#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
+#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
+#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
+
+
+
+### [Custom detections]()
+#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
+#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
+
+
+
+
+
+## [How-to]()
+### [Onboard devices to the service]()
+#### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
+#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
+#### [Onboard Windows 10 machines]()
+##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
+##### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
+##### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
+##### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
+##### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
+##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
+
+#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
+#### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
+#### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
+#### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
+#### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
+#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
+#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
+
+#### [Troubleshoot onboarding issues]()
+##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
+##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
+
+### [Manage machine configuration]()
+#### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)
+#### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
+#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
+#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
+
+### [Manage capabilities]()
+
+#### [Configure attack surface reduction]()
+##### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
+
+#### [Hardware-based isolation]()
+##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
+
+##### [Application isolation]()
+###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+
+##### [Device control]()
+###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
+
+###### [Device Guard]()
+####### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+
+####### [Memory integrity]()
+######## [Understand memory integrity](device-guard/memory-integrity.md)
+######## [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+######## [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
+
+##### [Exploit protection]()
+###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
+###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
+
+##### [Network protection](microsoft-defender-atp/enable-network-protection.md)
+##### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
+
+##### [Attack surface reduction controls]()
+###### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
+###### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
+
+##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
+
+#### [Configure next-generation protection]()
+##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
+
+##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
+###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
+###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+
+##### [Configure behavioral, heuristic, and real-time protection]()
+###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
+
+##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
+
+##### [Antivirus compatibility]()
+###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
+###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
+
+##### [Deploy, manage updates, and report on antivirus]()
+###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
+###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
+####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
+
+###### [Report on antivirus protection]()
+####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
+####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
+
+###### [Manage updates and apply baselines]()
+####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
+####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
+####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
+####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
+####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
+####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+##### [Customize, initiate, and review the results of scans and remediation]()
+###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
+###### [Configure and validate exclusions in antivirus scans]()
+####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+
+###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+
+##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+
+##### [Manage antivirus in your business]()
+###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+##### [Manage scans and remediation]()
+###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
+
+###### [Configure and validate exclusions in antivirus scans]()
+####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
+
+###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
+
+##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
+###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
+###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
+###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
+###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
+###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
+
+##### [Manage next-generation protection in your business]()
+###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
+###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
+###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
+###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
+###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
+###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
+
+#### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
+##### [What's New](microsoft-defender-atp/mac-whatsnew.md)
+##### [Deploy]()
+###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
+###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
+###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
+###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
+##### [Update](microsoft-defender-atp/mac-updates.md)
+##### [Configure]()
+###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
+###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
+###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
+##### [Troubleshoot]()
+###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
+###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
+###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
+###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
+##### [Privacy](microsoft-defender-atp/mac-privacy.md)
+##### [Resources](microsoft-defender-atp/mac-resources.md)
+
+
+#### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
+##### [Deploy]()
+###### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
+###### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
+###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
+##### [Update](microsoft-defender-atp/linux-updates.md)
+##### [Configure]()
+###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
+###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
+##### [Resources](microsoft-defender-atp/linux-resources.md)
+
+
+#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+
+### [Configure portal settings]()
+#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
+#### [General]()
+##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
+##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
+##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
+##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
+##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
+
+#### [Permissions]()
+##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
+##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
+###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
+###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
+####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
+
+#### [APIs]()
+##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
+
+#### [Rules]()
+##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
+##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
+##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
+##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
+
+#### [Machine management]()
+##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
+##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
+
+#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
+
+### [Configure integration with other Microsoft solutions]()
+#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
+#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
+#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
+
+
+
+
+## Reference
+### [Capabilities]()
+#### [Threat & Vulnerability Management]()
+##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
+
+#### [Attack surface reduction]()
+##### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
+##### [Hardware-based isolation]()
+###### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
+###### [Application isolation]()
+####### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
+####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
+
+###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
+
+##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
+##### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
+##### [Network protection](microsoft-defender-atp/network-protection.md)
+
+##### [Web protection]()
+###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
+###### [Web threat protection]()
+####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
+####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
+#######[Respond to web threats](microsoft-defender-atp/web-protection-response.md)
+###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
+
+##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+##### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
+##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
+
+#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
+##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
+##### [Shadow protection](windows-defender-antivirus/shadow-protection.md)
+
+
+
+#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
+
+#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
+
+
+
-#### [Custom detections]()
-##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
 ### [Management and APIs]()
 #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-### [Integrations]()
-#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
-#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
-#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
-
-### [Information protection in Windows overview]()
-#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
-#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
-
-### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
-
-### [Portal overview](microsoft-defender-atp/portal-overview.md)
-### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
-
-
-## [Deployment guide]()
-### [Product brief](microsoft-defender-atp/product-brief.md)
-### [Prepare deployment](microsoft-defender-atp/prepare-deployment.md)
-### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
-### [Production deployment](microsoft-defender-atp/production-deployment.md)
-### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
-
-
-## [Get started]()
-### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
-### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
-### [Validate licensing and complete setup](microsoft-defender-atp/licensing.md)
-### [Evaluation lab](microsoft-defender-atp/evaluation-lab.md)
-### [Preview features](microsoft-defender-atp/preview.md)
-### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
-### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
-
-
-
-
-### [Evaluate Microsoft Defender ATP]()
-#### [Attack surface reduction and next-generation capability evaluation]()
-##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
-##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
-##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
-##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
-##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
-##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
-##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
-
-### [Access the Windows Defender Security Center Community Center](microsoft-defender-atp/community.md)
-
-## [Configure and manage capabilities]()
-
-### [Configure attack surface reduction]()
-#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-
-
-### [Hardware-based isolation]()
-#### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
-
-#### [Application isolation]()
-##### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
-##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
-
-#### [Device control]()
-##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-
-##### [Device Guard]()
-###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-###### [Memory integrity]()
-####### [Understand memory integrity](device-guard/memory-integrity.md)
-####### [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
-####### [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
-
-#### [Exploit protection]()
-##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
-##### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-
-#### [Network protection](microsoft-defender-atp/enable-network-protection.md)
-#### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
-
-#### [Attack surface reduction controls]()
-##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
-
-#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
-
-
-
-
-### [Configure next-generation protection]()
-#### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
-
-#### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-##### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
-##### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
-##### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
-##### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
-##### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
-##### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
-
-#### [Configure behavioral, heuristic, and real-time protection]()
-##### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
-##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
-##### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
-
-#### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
-
-#### [Antivirus compatibility]()
-##### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
-##### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
-
-#### [Deploy, manage updates, and report on antivirus]()
-##### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
-##### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
-###### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
-
-##### [Report on antivirus protection]()
-###### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
-###### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
-
-##### [Manage updates and apply baselines]()
-###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
-###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
-###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
-###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
-###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
-###### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
-
-#### [Customize, initiate, and review the results of scans and remediation]()
-##### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-
-##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions Windows Server 2016 and 2019](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
-
-##### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-
-#### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-
-#### [Manage antivirus in your business]()
-##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-##### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-
-#### [Manage scans and remediation]()
-##### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
-
-##### [Configure and validate exclusions in antivirus scans]()
-###### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
-###### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
-###### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
-
-##### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
-
-#### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
-##### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
-##### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
-##### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
-##### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
-##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
-
-#### [Manage next-generation protection in your business]()
-##### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
-##### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
-##### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
-##### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
-##### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
-##### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
-##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-
-### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
-#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
-#### [Deploy]()
-##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
-##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
-##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
-##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
-#### [Update](microsoft-defender-atp/mac-updates.md)
-#### [Configure]()
-##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
-##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
-##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
-#### [Troubleshoot]()
-##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
-##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
-#### [Privacy](microsoft-defender-atp/mac-privacy.md)
-#### [Resources](microsoft-defender-atp/mac-resources.md)
-
-### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
-#### [Deploy]()
-##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
-##### [Puppet
based deployment](microsoft-defender-atp/linux-install-with-puppet.md) -##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md) -#### [Update](microsoft-defender-atp/linux-updates.md) -#### [Configure]() -##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) -##### [Set preferences](microsoft-defender-atp/linux-preferences.md) -#### [Resources](microsoft-defender-atp/linux-resources.md) - -### [Configure Secure score dashboard security controls](microsoft-defender-atp/configuration-score.md) - -### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) - -### [Management and API support]() -#### [Onboard devices to the service]() -##### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) -##### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) -##### [Onboard Windows 10 machines]() -###### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) -###### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) -###### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) -###### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) -###### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) -###### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) - -##### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) -##### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md) -##### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md) -##### [Run a detection test on a newly onboarded 
machine](microsoft-defender-atp/run-detection-test.md) -##### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) -##### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) -##### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md) - - -##### [Troubleshoot onboarding issues]() -###### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md) -###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) - #### [Microsoft Defender ATP API]() ##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) @@ -502,19 +545,12 @@ ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) -#### [Windows updates (KB) info]() -##### [Get KbInfo collection](microsoft-defender-atp/get-kbinfo-collection.md) -#### [Common Vulnerabilities and Exposures (CVE) to KB map]() -##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md) - -#### [Pull detections to your SIEM tools]() #### [Raw data streaming API]() ##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md) ##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md) ##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md) - #### [SIEM integration]() ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) 
@@ -524,27 +560,13 @@ ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) - - -#### [Reporting]() -##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) -##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) -##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) -##### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) + #### [Partners & APIs]() ##### [Partner applications](microsoft-defender-atp/partner-applications.md) ##### [Connected applications](microsoft-defender-atp/connected-applications.md) ##### [API explorer](microsoft-defender-atp/api-explorer.md) - -#### [Manage machine configuration]() -##### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md) -##### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md) -##### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md) -##### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md) - - #### [Role-based access control]() ##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) ##### [Create and manage roles](microsoft-defender-atp/user-roles.md) 
@@ -554,47 +576,65 @@ #### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md) -## [Partner integration scenarios]() -### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md) -### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md) -### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md) +### [Partner integration scenarios]() +#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md) +#### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md) +#### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md) -## [Configure Microsoft threat protection integration]() -### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) -### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) -### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md) +### [Integrations]() +#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md) +#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md) +#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) -## [Configure portal settings]() -### [Set up preferences](microsoft-defender-atp/preferences-setup.md) -### [General]() -#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md) -#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) -#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md) -#### [Configure 
advanced features](microsoft-defender-atp/advanced-features.md) -### [Permissions]() -#### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md) -#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) -##### [Create and manage roles](microsoft-defender-atp/user-roles.md) -##### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) -###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) +### [Information protection in Windows overview]() +#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md) +#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md) -### [APIs]() -#### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md) -#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) + +### [Evaluate Microsoft Defender ATP]() +#### [Attack surface reduction and next-generation capability evaluation]() +##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md) +##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md) +##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md) +##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md) +##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md) +##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md) +##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md) +##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) +##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md) + + + +### 
[Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md) + + + + +### [Helpful resources](microsoft-defender-atp/helpful-resources.md) + + + +### [Troubleshoot Microsoft Defender ATP]() +#### [Troubleshoot sensor state]() +##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) +##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md) +##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines) +##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines) +##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) + +#### [Troubleshoot Microsoft Defender ATP service issues]() +##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md) +##### [Check service health](microsoft-defender-atp/service-status.md) + +#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md) -### [Rules]() -#### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) -#### [Manage indicators](microsoft-defender-atp/manage-indicators.md) -#### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) -#### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) - -### [Machine management]() -#### [Onboarding machines](microsoft-defender-atp/onboard-configure.md) -#### [Offboarding machines](microsoft-defender-atp/offboard-machines.md) - -### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) +#### [Troubleshoot attack surface reduction issues]() +##### [Network protection](microsoft-defender-atp/troubleshoot-np.md) +##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) + +#### [Troubleshoot next-generation 
protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) @@ -602,29 +642,6 @@ -## [Troubleshoot Microsoft Defender ATP]() -### [Troubleshoot sensor state]() -#### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) -#### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md) -#### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines) -#### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines) -#### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) - -### [Troubleshoot Microsoft Defender ATP service issues]() -#### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md) -#### [Check service health](microsoft-defender-atp/service-status.md) - -### [Troubleshoot live response issues]() -#### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) - -### [Troubleshoot attack surface reduction]() -#### [Network protection](microsoft-defender-atp/troubleshoot-np.md) -#### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md) - -### [Troubleshoot next-generation protection](windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) - - - ## [Security intelligence](intelligence/index.md) ### [Understand malware & other threats](intelligence/understanding-malware.md) #### [Prevent malware infection](intelligence/prevent-malware-infection.md) diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index ba4901004c..51cb23c22b 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md 
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md 
@@ -22,40 +22,42 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -This topic for the IT professional describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. -Central access policies and rules determine access permissions for multiple files on multiple file servers. Therefore, it is important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS), and they can be monitored just like any other object in Active Directory. Central access policies and rules are critical elements in a Dynamic Access Control deployment. These policies and rules are stored in AD DS, so they should be less likely to be tampered with than other network objects. However, it is important to monitor these objects for potential changes in security auditing and to verify that policies are being enforced. +This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. -Use the following procedures to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](https://technet.microsoft.com/library/hh846167.aspx). +Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. 
Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced. ->**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. +Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](https://technet.microsoft.com/library/hh846167.aspx). + +> [!NOTE] +> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. -**To configure settings to monitor changes to central access policy and rule definitions** +**Configure settings to monitor central access policy and rule definition changes** 1. Sign in to your domain controller by using domain administrator credentials. -2. In Server Manager, point to **Tools**, and then click **Group Policy Management**. -3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**. -4. 
Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**. -5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**. +2. In Server Manager, point to **Tools** and select **Group Policy Management**. +3. In the console tree, right-click the default domain controller Group Policy Object, and then select **Edit**. +4. Double-click **Computer Configuration** and select **Security Settings**. Expand **Advanced Audit Policy Configuration** and **System Audit Policies**, select **DS Access**, and then double-click **Audit directory service changes**. +5. Select the **Configure the following audit events** and **Success** check boxes (and the **Failure** check box, if you want). Then select **OK**. 6. Close the Group Policy Management Editor. 7. Open the Active Directory Administrative Center. 8. Under Dynamic Access Control, right-click **Central Access Policies**, and then select **Properties**. -9. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. -10. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. +9. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab. +10. Select **Add**, add a security auditing setting for the container, and then close all the security properties dialog boxes. After you configure settings to monitor changes to central access policy and central access rule definitions, verify that the changes are being monitored. 
-**To verify that changes to central access policy and rule definitions are monitored** +**Verify that central access policy and rule definition changes are monitored** 1. Sign in to your domain controller by using domain administrator credentials. 2. Open the Active Directory Administrative Center. -3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then click **Properties**. -4. Click the **Security** tab, click **Advanced** to open the **Advanced Security Settings** dialog box, and then click the **Auditing** tab. -5. Click **Add**, add a security auditing setting for the container, and then close all Security properties dialog boxes. -6. In the **Central Access Policies** container, add a new central access policy (or select one that exists), click **Properties** in the **Tasks** pane, and then change one or more attributes. -7. Click **OK**, and then close the Active Directory Administrative Center. -8. In Server Manager, click **Tools**, and then click **Event Viewer**. -9. Expand **Windows Logs**, and then click **Security**. Verify that event 4819 appears in the security log. +3. Under **Dynamic Access Control**, right-click **Central Access Policies**, and then select **Properties**. +4. Select the **Security** tab, select **Advanced** to open the **Advanced Security Settings** dialog box, and then select the **Auditing** tab. +5. Select **Add**, add a security auditing setting for the container, and then close all security properties dialog boxes. +6. In the **Central Access Policies** container, add a new central access policy (or select one that already exists). Select **Properties** in the **Tasks** pane, and then change one or more attributes. +7. Select **OK**, and then close the Active Directory Administrative Center. +8. In Server Manager, select **Tools** and then **Event Viewer**. +9. Expand **Windows Logs**, and then select **Security**. Verify that event 4819 appears in the security log. 
-### Related resource +### Related topics - [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index c21ba65a4c..bddb29f760 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -1,7 +1,8 @@ --- -title: Planning and deploying advanced security audit policies (Windows 10) -description: Learn which options to consider and tasks to complete, to deploy an effective security audit policy in a network that includes advanced security audit policies. +title: Plan and deploy advanced security audit policies (Windows 10) +description: Learn to deploy an effective security audit policy in a network that includes advanced security audit policies. ms.assetid: 7428e1db-aba8-407b-a39e-509671e5a442 + ms.reviewer: ms.author: dansimp ms.prod: w10 
@@ -17,150 +18,153 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Planning and deploying advanced security audit policies +# Plan and deploy advanced security audit policies **Applies to** - Windows 10 -This topic for the IT professional explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit -policies. +This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. -Organizations invest a large portion of their information technology budgets on security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. +Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. -To be well defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. 
In a growing number of organizations, it must also provide absolute proof that IT operations comply with corporate and regulatory requirements. +To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements. -Unfortunately, no organization has unlimited resources to monitor every resource and activity on a network. If you do not plan well, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst needs to sift through to identify the narrow set of entries that warrant closer examination. This could cause delays or even prevent auditors from identifying suspicious activity. Thus, too much monitoring can leave an organization as vulnerable as not enough monitoring. +No organization has unlimited resources to monitor every resource and activity on a network. If you don't plan well, you'll likely have gaps in your auditing strategy. But if you try to audit every resource and activity, you may gather too much monitoring data, including thousands of benign audit entries that an analyst will have to sift through to identify the narrow set of entries that warrant closer examination. Such volume could delay or prevent auditors from identifying suspicious activity. Too much monitoring can leave an organization as vulnerable as not enough. Here are some features that can help you focus your effort: -- **Advanced audit policy settings**. You can apply and manage detailed audit policy settings through Group Policy. -- **"Reason for access" auditing**. You can specify and identify the permissions that were used to generate a particular object access security event. 
-- **Global object access auditing**. You can define system access control lists (SACLs) for an entire computer file system or registry. +- **Advanced audit policy settings:** You can apply and manage detailed audit policy settings through Group Policy. +- **"Reason for access" auditing:** You can specify and identify the permissions that were used to generate a particular object access security event. +- **Global object access auditing:** You can define system access control lists (SACLs) for an entire computer file system or registry. To deploy these features and plan an effective security auditing strategy, you need to: -- Identify your most critical resources and the most important activities that need to be tracked. -- Identify the audit settings that can be used to track these activities. +- Identify your most critical resources and the most important activities that you need to track. +- Identify the audit settings that you can use to track these activities. - Assess the advantages and potential costs associated with each. - Test these settings to validate your choices. - Develop plans for deploying and managing your audit policy. ## About this guide -This document will guide you through the steps needed to plan a security auditing policy that uses Windows auditing features. This policy must identify and address vital business needs, including: +This article guides you through the steps to plan a security auditing policy that uses Windows auditing features. 
The policy must address vital business needs, including: - Network reliability - Regulatory requirements -- Protection of the organization's data and intellectual property +- Protection of data and intellectual property - Users, including employees, contractors, partners, and customers - Client computers and applications - Servers and the applications and services running on those servers -The audit policy also must identify processes for managing audit data after it has been logged, including: +The audit policy also must identify processes for managing audit data after it's been logged, including: -- Collecting, evaluating, and reviewing audit data -- Storing and (if required) disposing of audit data +- Collecting, evaluating, and reviewing data +- Storing and (if necessary) disposing of data By carefully planning, designing, testing, and deploying a solution based on your organization's business requirements, you can provide the standardized functionality, security, and management control that your organization needs. -## Understanding the security audit policy design process +## Understand the security audit policy design process -The process of designing and deploying a Windows security audit policy involves the following tasks, which are described in greater detail throughout this document: +Designing and deploying a Windows security audit policy involves the following tasks, which are described in this document: -- [Identifying your Windows security audit policy deployment goals](#bkmk-1) +- [Identify your Windows security audit policy deployment goals](#bkmk-1) - This section helps define the business objectives that will guide your Windows security audit policy. It also helps you define the resources, users, and computers that will be the focus of your security auditing. + This section helps define the business objectives that will guide your Windows security audit policy. 
It also helps define the resources, users, and computers that will be the focus of your auditing. -- [Mapping the security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) +- [Map your security audit policy to groups of users, computers, and resources](#bkmk-2) - This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. In addition, if your network includes multiple versions of Windows client and server operating systems, it also explains when to use basic audit policy settings and when to use advanced security audit policy settings. + This section explains how to integrate security audit policy settings with domain Group Policy settings for different groups of users, computers, and resources. It also explains when to use basic audit policy settings and when to use advanced security audit policy settings. -- [Mapping your security auditing goals to a security audit policy configuration](#bkmk-3) +- [Map your security auditing goals to a security audit policy configuration](#bkmk-3) - This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings that can be of particular value to address auditing scenarios. + This section explains the categories of Windows security auditing settings that are available. It also identifies individual Windows security auditing policy settings to address auditing scenarios. -- [Planning for security audit monitoring and management](#bkmk-4) +- [Plan for security audit monitoring and management](#bkmk-4) - This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you want to audit, Windows event logs can fill up quickly. 
In addition, this section explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also explains how to address storage requirements, including how much audit data to store and how it must be stored. + This section helps you plan to collect, analyze, and store Windows audit data. Depending on the number of computers and types of activity that you audit, your Windows event logs can fill up quickly. This section also explains how auditors can access and aggregate event data from multiple servers and desktop computers. It also covers how to address storage requirements. -- [Deploying the security audit policy](#bkmk-5) +- [Deploy the security audit policy](#bkmk-5) - This section provides recommendations and guidelines for the effective deployment of a Windows security audit policy. Configuring and deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you have selected will produce the type of audit data you need. However, only a carefully staged pilot and incremental deployments based on your domain and organizational unit (OU) structure will enable you to confirm that the audit data you generate can be monitored and that it meets your organization's audit needs. + This section provides guidelines for effective deployment of a Windows security audit policy. Deploying Windows audit policy settings in a test lab environment can help you confirm that the settings you've selected will produce the audit data that you need. But only a carefully staged pilot and incremental deployment based on your domain and organizational unit (OU) structure will confirm that the audit data you generate can be monitored and meets your needs. 
-## Identifying your Windows security audit policy deployment goals +## Identify your Windows security audit policy deployment goals -A security audit policy must support and be a critical and integrated aspect of an organization's overall security design and framework. +A security audit policy must support and be an integrated aspect of an organization's overall security framework. -Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which assets, resources, and users provide the strongest justification for the focus of a security audit. +Every organization has a unique set of data and network assets (such as customer and financial data and trade secrets), physical resources (such as desktop computers, portable computers, and servers), and users (which can include various internal groups such as finance and marketing, and external groups such as partners, customers, and anonymous users on the website). Not all of these assets, resources, and users justify the cost of an audit. Your task is to identify which provide the strongest justification for the focus of a security audit. To create your Windows security audit plan, begin by identifying: -- The overall network environment, including the domains, OUs, and security groups. -- The resources on the network, the users of those resources, and how those resources are being used. -- Regulatory requirements. 
+- The overall network environment, including the domains, OUs, and security groups +- The resources on the network, the users of those resources, and how those resources are used +- Regulatory requirements ### Network environment -An organization's domain and OU structure provide a fundamental starting point for thinking about how to apply a security audit policy because it likely provides a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. It is also likely that certain portions of your domain and OU structure already provide logical groups of users, resources, and activities that justify the time and resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources in your organization](#bkmk-2) later in this document. +An organization's domain and organizational unit (OU) structure provide a fundamental starting point for thinking about how to apply a security audit policy. They likely provide a foundation of Group Policy Objects (GPOs) and logical grouping of resources and activities that you can use to apply the audit settings that you choose. Your domain and OU structure probably already provide logical groups of users, resources, and activities that justify the resources needed to audit them. For information about how to integrate a security audit policy with your domain and OU structure, see [Mapping security audit policy to groups of users, computers, and resources](#bkmk-2) later in this document. -In addition to your domain model, you should also find out whether your organization creates and maintains a systematic threat model. 
A good threat model can help you identify threats to key components in your infrastructure, so you can define and apply audit settings that enhance the organization's ability to identify and counter those threats. +In addition to your domain model, determine whether your organization maintains a systematic threat model. A good threat model can help identify threats to key components in your infrastructure. Then you can apply audit settings that enhance your ability to identify and counter those threats. ->**Important:**  Including auditing within your organization's security plan also makes it possible to budget your resources on the areas where auditing can achieve the most positive results. - -For additional details about how to complete each of these steps and how to prepare a detailed threat model, download the [IT Infrastructure Threat Modeling Guide](https://go.microsoft.com/fwlink/p/?LinkId=163432). +> [!IMPORTANT] +> Including auditing in your organization's security plan also helps you budget resources to the areas where auditing can achieve the best results. ### Data and resources -For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of these data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance the existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you will be able to manage. 
+For data and resource auditing, you need to identify the most important types of data and resources (such as patient records, accounting data, or marketing plans) that can benefit from the closer monitoring that Windows auditing can provide. Some of your data resources might already be monitored through auditing features in products such as Microsoft SQL Server and Exchange Server. If so, you may want to consider how Windows auditing features can enhance your existing audit strategy. As with the domain and OU structure discussed previously, security auditing should focus on your most critical resources. You also must consider how much audit data you can manage. -You can record if these resources have high business impact, medium business impact, or low business impact, the cost to the organization if these data resources are accessed by unauthorized users, and the risk that this access can pose to the organization. The type of access by users (such as Read, Modify, or Copy) can also pose different levels of risk to an organization. +You can record if these resources have high, medium, or low business impact; the cost to the organization if these data resources are accessed by unauthorized users; and the risks that such access can pose to the organization. The type of access by users (such as *read*, *modify*, or *copy*) can also pose different levels of risk. -Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss in credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. +Increasingly, data access and use is governed by regulations, and a breach can result in severe penalties and a loss of credibility for the organization. If regulatory compliance plays a role in how you manage your data, be sure to also document this information. The following table provides an example of a resource analysis for an organization. 
| Resource class | Where stored | Organizational unit | Business impact | Security or regulatory requirements | | - | - | - | - | - | -| Payroll data| Corp-Finance-1| Accounting: Read/Write on Corp-Finance-1
    Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| -| Patient medical records| MedRec-2| Doctors and Nurses: Read/Write on Med/Rec-2
    Lab Assistants: Write only on MedRec-2
    Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| -| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/Write on Web-Ext-1
    Public: Read only on Web-Ext-1| Low| Public education and corporate image| +| Payroll data| Corp-Finance-1| Accounting: Read/write on Corp-Finance-1
    Departmental Payroll Managers: Write only on Corp-Finance-1| High| Financial integrity and employee privacy| +| Patient medical records| MedRec-2| Doctors and Nurses: Read/write on Med/Rec-2
    Lab Assistants: Write only on MedRec-2
    Accounting: Read only on MedRec-2| High| Strict legal and regulatory standards| +| Consumer health information| Web-Ext-1| Public Relations Web Content Creators: Read/write on Web-Ext-1
    Public: Read only on Web-Ext-1| Low| Public education and corporate image| ### Users -Many organizations find it useful to classify the types of users they have and base permissions on this classification. This same classification can help you identify which user activities should be the subject of security auditing and the amount of audit data they will generate. +Many organizations find it useful to classify the types of users they have and then base permissions on this classification. This classification can help you identify which user activities should be the subject of security auditing and the amount of audit data that they'll generate. -Organizations can create distinctions based on the type of rights and permissions needed by users to perform their jobs. For example, under the classification Administrators, larger organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under Users, permissions and Group Policy settings can apply to as many as all users in an organization or as few as a subset of the employees in a given department. +Organizations can create distinctions based on the type of rights and permissions that users need to do their jobs. Under the classification *administrators*, for example, large organizations might assign local administrator responsibilities for a single computer, for specific applications such as Exchange Server or SQL Server, or for an entire domain. Under *users*, permissions and Group Policy settings can apply to all users in an organization or as few as a subset of employees in a given department. -Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you are complying with these requirements. 
+Also, if your organization is subject to regulatory requirements, user activities such as accessing medical records or financial data may need to be audited to verify that you're complying with these requirements. -To effectively audit user activity, begin by listing the different types of users in your organization and the types of data they need access to—in addition to the data they should not have access to. +To effectively audit user activity, begin by listing the different types of users in your organization, the types of data they need access to, and the data they shouldn't have access to. -Also, if external users can access any of your organization's data, be sure to identify them, including if they belong to a business partner, customer, or general user, the data they have access to, and the permissions they have to access that data. +Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data. -The following table illustrates an analysis of users on a network. Although our example contains a single column titled "Possible auditing considerations," you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. +The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. | Groups | Data | Possible auditing considerations | | - | - | - | | Account administrators| User accounts and security groups| Account administrators have full privileges to create new user accounts, reset passwords, and modify security group memberships. 
We need a mechanism to monitor these changes. | -| Members of the Finance OU| Financial records| Users in Finance have Read/Write access to critical financial records, but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | -| External partners | Project Z| Employees of partner organizations have Read/Write access to certain project data and servers relating to Project Z, but not to other servers or data on the network.| +| Members of the Finance OU| Financial records| Users in Finance have read/write access to critical financial records but no ability to change permissions on these resources. These financial records are subject to government regulatory compliance requirements. | +| External partners | Project Z| Employees of partner organizations have read/write access to certain project data and servers relating to Project Z but not to other servers or data on the network.| ### Computers Security and auditing requirements and audit event volume can vary considerably for different types of computers in an organization. These requirements can be based on: -- If the computers are servers, desktop computers, or portable computers. -- The important applications the computers run, such as Exchange Server, SQL Server, or Forefront Identity Manager. +- Whether the computers are servers, desktop computers, or portable computers +- The important applications that the computers run, such as Microsoft Exchange Server, SQL Server, or Forefront Identity Manager - >**Note:**  If the server applications (including Exchange Server and SQL Server) have audit settings. For more information about auditing in Exchange Server, see the [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). For more information about auditing in SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). 
For SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx). + > [!NOTE] + > For more information about auditing: + > - In Exchange Server, see [Exchange 2010 Security Guide](https://go.microsoft.com/fwlink/p/?linkid=128052). + > - In SQL Server 2008, see [Auditing (Database Engine)](https://go.microsoft.com/fwlink/p/?LinkId=163434). + > - In SQL Server 2012, see [SQL Server Audit (Database Engine)](https://technet.microsoft.com/library/cc280386.aspx). -- The operating system versions. +- The operating system versions - >**Note:**  The operating system version determines which auditing options are available and the volume of audit event data. + > [!NOTE] + > The operating system version determines which auditing options are available and the volume of audit event data. -- The business value of the data. +- The business value of the data -For example, a web server that is accessed by external users requires different audit settings than a root certification authority (CA) that is never exposed to the public Internet or even to regular users on the organization's network. +For example, a web server that's accessed by external users requires different audit settings than a root certification authority (CA) that's never exposed to the public internet or even to regular users on the organization's network. The following table illustrates an analysis of computers in an organization. 
@@ -173,137 +177,150 @@ The following table illustrates an analysis of computers in an organization. ### Regulatory requirements -Many industries and locales have strict and specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, there are strict guidelines for who has access to records and how they are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that can be used to comply with and verify compliance with these regulations. +Many industries and locales have specific requirements for network operations and how resources are protected. In the health care and financial industries, for example, strict guidelines control who can access records and how the records are used. Many countries have strict privacy rules. To identify regulatory requirements, work with your organization's legal department and other departments responsible for these requirements. Then consider the security configuration and auditing options that you can use to comply with these regulations and verify compliance. -For more info, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx). +For more information, see the [System Center Process Pack for IT GRC](https://technet.microsoft.com/library/dd206732.aspx). -## Mapping the security audit policy to groups of users, computers, and resources in your organization +## Map your security audit policy to groups of users, computers, and resources -By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. 
To map a security auditing policy to these defined groups in your organization, you should understand the -following considerations for using Group Policy to apply security audit policy settings: +By using Group Policy, you can apply your security audit policy to defined groups of users, computers, and resources. To map a security auditing policy to these defined groups in your organization, you should understand the following considerations for using Group Policy to apply security audit policy settings: - The policy settings you identify can be applied by using one or more GPOs. To create and edit a GPO, use the Group Policy Management Console (GPMC). By using the GPMC to link a GPO to selected Active Directory sites, domains, and OUs, you apply the policy settings in the GPO to the users and computers in those Active Directory objects. An OU is the lowest-level Active Directory container to which you can assign Group Policy settings. -- For every policy setting that you select, you need to decide whether it should be enforced across the organization, or whether it should apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. -- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that is linked at a lower level can overwrite inherited policies. +- Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. +- By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies. 
- For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of additional settings. To accomplish this, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of additional settings. To do this, you can link a second GPO to that specific lower-level OU. Then, a logon audit setting that's applied at the OU level will override a conflicting logon audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing. -- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to computer OUs, not to user OUs. However, in most cases you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This enables auditing for a security group that contains only the users you specify. +- Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify. - For example, you could configure a SACL for a folder called Payroll Data on Accounting Server 1. This can audit attempts by members of the Payroll Processors OU to delete objects from this folder. 
The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + For example, you could configure a SACL for a folder called *Payroll Data* on Accounting Server 1. You can audit attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. But, because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder will generate audit events. -- Advanced security audit policy settings were introduced in Windows Server 2008 R2 or Windows 7 and can be applied to those operating systems and later. These advanced audit polices can only be applied by using Group Policy. +- Advanced security audit policy settings were introduced in Windows Server 2008 R2 and Windows 7. These advanced audit policies can only be applied to those operating systems and later versions by using Group Policy. - >**Important:**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting. - If you use **Advanced Audit Policy Configuration** settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. 
+> [!IMPORTANT]
+> Whether you apply advanced audit policies by using Group Policy or logon scripts, don't use both the basic audit policy settings under **Local Policies\Audit Policy** and the advanced settings under **Security Settings\Advanced Audit Policy Configuration**. Using both basic and advanced audit policy settings can cause unexpected results in audit reporting.
+
+If you use **Advanced Audit Policy Configuration** settings or logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This configuration will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
-The following are examples of how audit policies can be applied to an organization's OU structure:
+The following examples show how you can apply audit policies to an organization's OU structure:
-- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain particularly sensitive data, consider putting them in a separate OU so that you can configure and apply a more precise audit policy to these servers.
-- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs based on the department they work in, consider configuring and applying more detailed security permissions on critical resources that are accessed by employees who work in more sensitive areas, such as network administrators or the legal department.
+- Apply data activity settings to an OU that contains file servers. If your organization has servers that contain sensitive data, consider putting them in a separate OU. Then you can configure and apply a more precise audit policy to these servers.
+- Apply user activity audit policies to an OU that contains all computers in the organization. If your organization places users in OUs by department, consider applying more-detailed security permissions on critical resources that are accessed by employees who work in more-sensitive areas, such as network administrators or the legal department. - Apply network and system activity audit policies to OUs that contain the organization's most critical servers, such as domain controllers, CAs, email servers, or database servers. -## Mapping your security auditing goals to a security audit policy configuration +## Map your security auditing goals to a security audit policy configuration -After you identify your security auditing goals, you can begin to map them to a security audit policy configuration. This audit policy configuration must address your most critical security auditing goals, but it also must address your organization's constraints, such as the number of computers that need to be monitored, the number of activities that you want to audit, the number of audit events that your desired audit configuration will generate, and the number of administrators available to analyze and act upon audit data. +After you identify your security auditing goals, you can map them to a security audit policy configuration. This audit policy configuration must address your security auditing goals. But it also must reflect your organization's constraints, such as the numbers of: +- Computers that need to be monitored +- Activities that you want to audit +- Audit events that your audit configuration will generate +- Administrators available to analyze and act upon audit data To create your audit policy configuration, you need to: -1. Explore all of the audit policy settings that can be used to address your needs. -2. Choose the audit settings that will most effectively address the audit requirements identified in the previous section. -3. 
Confirm that the settings you choose are compatible with the operating systems running on the computers that you want to monitor.
-4. Decide which configuration options (Success, Failure, or both Success and Failure) you want to use for the audit settings.
-5. Deploy the audit settings in a lab or test environment to verify that they meet your desired results in terms of volume, supportability, and comprehensiveness. Then deploy the audit settings in a pilot production environment to ensure that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
+1. Explore all the audit policy settings that can be used to address your needs.
+1. Choose the audit settings that will most effectively address the audit requirements there were identified in the previous section.
+1. Confirm that the settings that you choose are compatible with the operating systems running on the computers that you want to monitor.
+1. Decide which configuration options (*success*, *failure*, or both *success* and *failure*) you want to use for the audit settings.
+1. Deploy the audit settings in a lab or test environment to verify that they meet your desired results for volume, supportability, and comprehensiveness. Then, deploy the audit settings in a pilot production environment to check that your estimates of how much audit data your audit plan will generate are realistic and that you can manage this data.
-### Exploring audit policy options
+### Explore audit policy options
-Security audit policy settings in the supported versions of Windows can be viewed and configured in the following locations:
+You can view and configure security audit policy settings in the supported versions of Windows in the following locations:
-- **Security Settings\\Local Policies\\Audit Policy**.
-- **Security Settings\\Local Policies\\Security Options**.
-- **Security Settings\\Advanced Audit Policy Configuration**.
For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). +- *Security Settings\\Local Policies\\Audit Policy* +- *Security Settings\\Local Policies\\Security Options* +- *Security Settings\\Advanced Audit Policy Configuration* + +For more information, see [Advanced security audit policy settings](advanced-security-audit-policy-settings.md). -### Choosing audit settings to use +### Choose audit settings to use -Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under **Security Settings\\Advanced Audit Policy Configuration** can be used to monitor the following types of activity: +Depending on your goals, different sets of audit settings may be of particular value to you. For example, some settings under *Security Settings\\Advanced Audit Policy Configuration* can be used to monitor the following types of activity: - Data and resources - Users - Network ->**Important:**  Settings that are described in the Reference might also provide valuable information about activity audited by another setting. For example, the settings used to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status, and potentially for how well you are managing the activities of users on the network. - +> [!IMPORTANT] +> Settings that are described in the reference might also provide valuable information about activity audited by another setting. For example, the settings that you use to monitor user activity and network activity have obvious relevance to protecting your data resources. Likewise, attempts to compromise data resources have huge implications for overall network status and potentially for how well you're managing the activities of users on the network. 
+ ### Data and resource activity -For many organizations, compromising the organization's data resources can cause tremendous financial losses, in addition to lost prestige and legal liability. If your organization has critical data resources that need to be -protected against any breach, the following settings can provide extremely valuable monitoring and forensic data: +Compromise to an organization's data resources can cause tremendous financial losses, lost prestige, and legal liability. If your organization has critical data resources that must be protected, the following settings can provide valuable monitoring and forensic data: -- Object Access\\[Audit File Share](audit-file-share.md). This policy setting allows you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. The volume of event data generated by this setting will vary depending on the number of client computers that attempt to access the file share. On a file server or domain controller, volume may be high due to SYSVOL access by client computers for policy processing. If you do not need to record routine access by client computers that have permissions on the file share, you may want to log audit events only for failed attempts to access the file share. -- Object Access\\[Audit File System](audit-file-system.md). This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects (such as files and folders) that have configured SACLs, and only if the type of access requested (such as Write, Read, or Modify) and the account that is making the request match the settings in the SACL. +- **Object Access\\[Audit File Share](audit-file-share.md)**: This policy setting enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access. 
The volume of event data generated with this setting will vary depending on the number of client computers that try to access the file share. On a file server or domain controller, volume may be high because of SYSVOL access by client computers for policy processing. If you don't need to record routine access by client computers on the file share, you may want to log audit events only for failed attempts to access the file share. +- **Object Access\\[Audit File System](audit-file-system.md)**: This policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects, such as files and folders, that have configured SACLs, and only if the type of access requested (such as *write*, *read*, or *modify*) and the account that's making the request match the settings in the SACL. - If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that have been configured to be monitored. + If *success* auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If *failure* auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. The amount of audit data generated by the **Audit File System** policy setting can vary considerably, depending on the number of objects that you configured to be monitored. 
- >**Note:**  To audit user attempts to access all file system objects on a computer, use the Global Object Access Auditing settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). + > [!NOTE] + > To audit user attempts to access all file system objects on a computer, use the *Global Object Access Auditing* settings [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md) or [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md). -- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events, and only if the attempted handle operation matches the SACL. +- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured SACLs generate these events and only if the attempted handle operation matches the SACL. - Event volume can be high, depending on how SACLs are configured. When used together with the **Audit File System** or **Audit Registry** policy settings, the **Audit Handle Manipulation** policy setting can provide an administrator with useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a Read-only resource but a user attempts to save changes to the file, the audit event will log not only the event, but also the permissions that were used (or attempted to be used) to save the file changes. + Event volume can be high, depending on how the SACLs are configured. 
When used together with the **Audit File System** or **Audit Registry** policy setting, the **Audit Handle Manipulation** policy setting can provide useful "reason for access" audit data that details the precise permissions on which the audit event is based. For example, if a file is configured as a *read-only* resource but a user tries to save changes to the file, the audit event will log the event *and* the permissions that were used (or attempted to be used) to save the file changes. + +- **Global Object Access Auditing**: Many organizations use security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system. These settings can't be overridden or circumvented. -- **Global Object Access Auditing**. A growing number of organizations are using security auditing to comply with regulatory requirements that govern data security and privacy. But demonstrating that strict controls are being enforced can be extremely difficult. To address this issue, the supported versions of Windows include two **Global Object Access Auditing** policy settings, one for the registry and one for the file system. When you configure these settings, they apply a global system access control SACL on all objects of that class on a system, which cannot be overridden or circumvented. - >**Important:**  The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. 
+ > [!IMPORTANT] + > The **Global Object Access Auditing** policy settings must be configured and applied in conjunction with the **Audit File System** and **Audit Registry** audit policy settings in the **Object Access** category. ### User activity -The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network, and the settings in this section focus on the users, including employees, partners, and customers, who may try to access those resources. +The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers. -In the majority of cases, these attempts will be legitimate and a network needs to make vital data readily available to legitimate users. However in other cases, employees, partners, and others may attempt to access resources that they have no legitimate reason to access. Security auditing can be used to track a wide variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and identify and address illegitimate activities. The following are a few important settings that you should evaluate to track user activity on your network: +In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track a variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. 
The following are important settings that you should evaluate to track user activity on your network: -- Account Logon\\[Audit Credential Validation](audit-credential-validation.md). This is an extremely important policy setting because it enables you to track every successful and unsuccessful attempt to present credentials for a user logon. In particular, a pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid, or attempting to use a variety of credentials in succession in hope that one of these attempts will eventually be successful. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. -- Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md). These policy settings can enable you to monitor the applications that a user opens and closes on a computer. -- DS Access\\[Audit Directory Service Access](audit-directory-service-access.md) and DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md). These policy settings provide a detailed audit trail of attempts to access create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it is extremely important to identify malicious attempts to modify these objects. In addition, although domain administrators should be among an organization's most trusted employees, the use of **Audit Directory Service Access** and **Audit Directory Service Changes** settings allow you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. -- Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md). 
Another common security scenario occurs when a user attempts to log on with an account that has been locked out. It is important to identify these events and to determine whether the attempt to use an account that has been locked out is malicious.
-- Logon/Logoff\\[Audit Logoff](audit-logoff.md) and Logon/Logoff\\[Audit Logon](audit-logon.md). Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated.
+- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.
+- **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer.
+- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enable you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. +- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to log on with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious. +- **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. - >**Note:**  There is no failure event for logoff activity because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record. Logoff events are not 100 percent reliable. 
For example, the computer can be turned off without a proper logoff and shutdown, and a logoff event is not generated. + > [!NOTE] + > There's no failure event for logoff activity, because failed logoffs (such as when a system abruptly shuts down) don't generate an audit record. Logoff events aren't 100-percent reliable. For example, a computer can be turned off without a proper logoff and shut down, so a logoff event isn't generated. -- Logon/Logoff\\[Audit Special Logon](audit-special-logon.md). A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It is recommended to track these types of logons. For more information about this feature, see [article 947223](https://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base. -- Object Access\\[Audit Certification Services](audit-certification-services.md). This policy setting allows you to track and monitor a wide variety of activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users are performing or attempting to perform these tasks, and that only authorized or desired tasks are being performed. -- Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md). These policy settings are described in the previous section. -- Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md). This policy setting and its role in providing "reason for access" audit data is described in the previous section. -- Object Access\\[Audit Registry](audit-registry.md). Monitoring for changes to the registry is one of the most critical means that an administrator has to ensure malicious users do not make changes to essential computer settings. 
Audit events are only generated for objects that have configured SACLs, and only if the type of access that is requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. +- **Logon/Logoff\\[Audit Special Logon](audit-special-logon.md)**: A special logon has administrator-equivalent rights and can be used to elevate a process to a higher level. It's recommended to track these types of logons. +- **Object Access\\[Audit Certification Services](audit-certification-services.md)**: This policy setting enables you to monitor activities on a computer that hosts Active Directory Certificate Services (AD CS) role services to ensure that only authorized users do these tasks and only authorized or desirable tasks are done. +- **Object Access\\[Audit File System](audit-file-system.md) and Object Access\\[Audit File Share](audit-file-share.md)**: These policy settings are described in the previous section. +- **Object Access\\[Audit Handle Manipulation](audit-handle-manipulation.md)**: This policy setting and its role in providing "reason for access" audit data is described in the previous section. +- **Object Access\\[Audit Registry](audit-registry.md)**: Monitoring for changes to the registry is one of the best ways for administrators to ensure that malicious users don't make changes to essential computer settings. Audit events are only generated for objects that have configured SACLs and only if the type of access that's requested, such as *write*, *read*, or *modify*, and the account making the request match the settings in the SACL. - >**Important:**  On critical systems where all attempts to change registry settings need to be tracked, you can combine the **Audit Registry** policy setting with the **Global Object Access Auditing** policy settings to ensure that all attempts to modify registry settings on a computer are tracked. 
+ > [!IMPORTANT] + > On critical systems where all attempts to change registry settings should be tracked, you can combine the **Audit Registry** and **Global Object Access Auditing** policy settings to track all attempts to modify registry settings on a computer. -- Object Access\\[Audit SAM](audit-sam.md). The Security Accounts Manager (SAM) is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. -- Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md). **Privilege Use** policy settings and audit events allow you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. +- **Object Access\\[Audit SAM](audit-sam.md)**: The Security Accounts Manager (SAM) is a database on computers running Windows that stores user accounts and security descriptors for users on the local computer. Changes to user and group objects are tracked by the **Account Management** audit category. However, user accounts with the proper user rights could potentially alter the files where the account and password information is stored in the system, bypassing any **Account Management** events. +- **Privilege Use\\[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)**: These policy settings and audit events enable you to track the use of certain rights on one or more systems. If you configure this policy setting, an audit event is generated when sensitive rights requests are made. 
### Network activity -The following network activity policy settings allow you to monitor security-related issues that are not necessarily covered in the data or user activity categories, but that can be equally important for network status and protection. +The following network activity policy settings enable you to monitor security-related issues that aren't necessarily covered in the data or user-activity categories but that can be important for network status and protection. -- **Account Management**. The policy settings in this category can be used to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the user activity and data activity sections. -- Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md). Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting allows you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting allows you to monitor the use of Kerberos service tickets. +- **Account Management**: Use the policy settings in this category to track attempts to create, delete, or modify user or computer accounts, security groups, or distribution groups. Monitoring these activities complements the monitoring strategies you select in the [User activity](#user-activity) and [Data and resource activity](#data-and-resource-activity) sections. 
+- **Account Logon\\[Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) and Account Logon\\[Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)**: Audit policy settings in the **Account Logon** category monitor activities that relate to the use of domain account credentials. These policy settings complement the policy settings in the **Logon/Logoff** category. The **Audit Kerberos Authentication Service** policy setting enables you to monitor the status of and potential threats to the Kerberos service. The Audit **Kerberos Service Ticket Operations** policy setting enables you to monitor the use of Kerberos service tickets. - >**Note:**  **Account Logon** policy settings apply only to specific domain account activities, regardless of the computer that is accessed, whereas **Logon/Logoff** policy settings apply to the computer that hosts the resources being accessed. + >[!NOTE] + >**Account Logon** policy settings apply only to specific domain account activities, regardless of which computer is accessed. **Logon/Logoff** policy settings apply to the computer that hosts the resources that are accessed. -- Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md). This policy setting can be used to track a number of different network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. -- **DS Access**. Policy settings in this category allow you to monitor the AD DS role services, which provide account data, validate logons, maintain network access permissions, and provide other services that are critical to the secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. 
In addition, one of the key tasks performed by AD DS is the replication of data between domain controllers. -- Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md), Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md), and Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md). Many networks support large numbers of external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the Internet by enabling network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and protection against replay attacks. You can use these settings to ensure that IPsec services are functioning properly. -- Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md). Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is attempting to circumvent these protections. -- **Policy Change**. These policy settings and events allow you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, any changes or attempts to change these policies can be an important aspect of security management for a network. -- Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md). This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network cannot be detected. -- Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md). 
This policy setting can be used to monitor a large variety of changes to an organization's IPsec policies. -- Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md). This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. +- **Account Logon\\[Audit Other Account Logon Events](audit-other-account-logon-events.md)**: This policy setting can be used to track various network activities, including attempts to create Remote Desktop connections, wired network connections, and wireless connections. +- **DS Access**: Policy settings in this category enable you to monitor AD DS role services. These services provide account data, validate logons, maintain network access permissions, and provide other functionality that's critical to secure and proper functioning of a network. Therefore, auditing the rights to access and modify the configuration of a domain controller can help an organization maintain a secure and reliable network. One of the key tasks that AD DS performs is replication of data between domain controllers. +- **Logon/Logoff\\[Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)**, **Logon/Logoff\\[Audit IPsec Main Mode](audit-ipsec-main-mode.md)**, and **Logon/Logoff\\[Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)**: Networks often support many external users, including remote employees and partners. Because these users are outside the organization's network boundaries, IPsec is often used to help protect communications over the internet. It enables network-level peer authentication, data origin authentication, data integrity checks, data confidentiality (encryption), and protection against replay attacks. 
You can use these settings to ensure that IPsec services are functioning properly. +- **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections. +- **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network. +- **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected. +- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor a variety of changes to an organization's IPsec policies. +- **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks. 
### Confirm operating system version compatibility -Not all versions of Windows support advanced audit policy settings or the use of Group Policy to apply and manage these settings. For more info, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). +Not all versions of Windows support advanced audit policy settings or the use of Group Policy to manage these settings. For more information, see [Which editions of Windows support advanced audit policy configuration](which-editions-of-windows-support-advanced-audit-policy-configuration.md). -The audit policy settings under **Local Policies\\Audit Policy** overlap with audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories make it possible to focus your auditing efforts on the most critical activities while reducing the amount of audit data that is less important to your organization. +The audit policy settings under **Local Policies\\Audit Policy** overlap with the audit policy settings under **Security Settings\\Advanced Audit Policy Configuration**. However, the advanced audit policy categories and subcategories enable you to focus your auditing efforts on critical activities while reducing the amount of audit data that's less important to your organization. -For example, **Local Policies\\Audit Policy** contains a single setting called [Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx). When this setting is configured, it generates at least 10 types of audit events. +For example, **Local Policies\\Audit Policy** contains a single setting called **[Audit account logon events](https://technet.microsoft.com/library/cc787176.aspx)**. When this setting is configured, it generates at least 10 types of audit events. 
In comparison, the Account Logon category under **Security Settings\\Advanced Audit Policy Configuration** provides the following advanced settings, which allow you to focus your auditing: 
@@ -312,49 +329,50 @@ In comparison, the Account Logon category under **Security Settings\\Advanced Au - Kerberos Service Ticket Operations - Other Account Logon Events -These settings allow you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. +These settings enable you to exercise much tighter control over which activities or events generate event data. Some activities and events will be more important to your organization, so define the scope of your security audit policy as narrowly as possible. -### Success, failure, or both +### *Success*, *failure*, or both -Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails, when an activity succeeds, or both successes and failures. This is an important question, and the answer will be based on the criticality of the event and the implications of the decision on event volume. +Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This is an important question. The answer depends on the criticality of the event and the implications of the decision for event volume. -For example, on a file server that is accessed frequently by legitimate users, you may be interested in logging an event only when an unsuccessful attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. And in this instance, logging successful attempts to access the server would quickly fill the event log with benign events. 
+For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events. -On the other hand, if the file share has extremely sensitive and valuable information, such as trade secrets, you may want to log every access attempt, whether successful or unsuccessful, so that you have an audit trail of every user who accessed the resource. +But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource. -## Planning for security audit monitoring and management +## Plan for security audit monitoring and management -Networks can contain hundreds of servers running critical services or storing critical data, all of which need to be monitored. The number of client computers on the network can easily range into the tens or even hundreds of thousands. This may not be an issue if the ratio of servers or client computers per administrator is low. Even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how an administrator will obtain event data to review. Following are some options for obtaining the event data. +Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. 
And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data. -- Will you keep event data on a local computer until an administrator logs on to review this data? If so, then the administrator needs to have physical or remote access to the Event Viewer on each client computer or server, and the remote access and firewall settings on each client computer or server need to be configured to enable this access. In addition, you need to decide how often an administrator can visit each computer, and adjust the size of the audit log so that critical information is not deleted if the log reaches its maximum capacity. -- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Operations Manager 2007 and 2012, which can be used to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this can make it more difficult to detect clusters of related events that can occur on a single computer. +- Will you keep event data on a local computer until an administrator logs on to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity. +- Will you collect event data so that it can be reviewed from a central console? 
If so, there are a number of computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer. -In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what should happen when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and click **Properties**. You can configure the following properties: +In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties: -- **Overwrite events as needed (oldest events first)**. This is the default option, which is an acceptable solution in most situations. -- **Archive the log when full, do not overwrite events**. This option can be used when all log data needs to be saved, but it also suggests that you may not be reviewing audit data frequently enough. -- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you do not want to lose any audit data, do not want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. 
+- **Overwrite events as needed (oldest events first)**: This is the default option, which is acceptable in most situations. +- **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough. +- **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. -You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following locations within the GPMC: **Computer +You can also configure the audit log size and other key management options by using Group Policy settings. You can configure the event log settings in the following location in the GPMC: **Computer Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\Security**. These options include: -- **Maximum Log Size (KB)**. This policy setting specifies the maximum size of the log files. The user interfaces in the Local Group Policy Editor and Event Viewer allow you to enter values as large as 2 TB. If this setting is not configured, event logs have a default maximum size of 20 megabytes. +- **Maximum Log Size (KB)**: This policy setting specifies the maximum size of the log files. In the Local Group Policy Editor and Event Viewer, you can enter values as large as 2 TB. If this setting isn't configured, event logs have a default maximum size of 20 megabytes. -- **Log Access**. This policy setting determines which user accounts have access to log files and what usage rights are granted. -- **Retain old events**. 
This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. -- **Backup log automatically when full**. This policy setting controls event log behavior when the log file reaches its maximum size and takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it is full. A new file is then started. If you disable or do not configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded and the old events are retained. +- **Log Access**: This policy setting determines which user accounts have access to log files and what usage rights are granted. +- **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. +- **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained. -In addition, a growing number of organizations are being required to store archived log files for a number of years. 
You should consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435). +Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](https://go.microsoft.com/fwlink/p/?LinkId=163435). -## Deploying the security audit policy +## Deploy the security audit policy -Before deploying the audit policy in a production environment, it is critical that you determine the effects of the policy settings that you have configured. -The first step in assessing your audit policy deployment is to create a test environment in a lab and use it to simulate the various use scenarios that you have identified to confirm that the audit settings you have selected are configured correctly and generate the type of results you intend. +Before deploying the audit policy in a production environment, it's critical that you determine the effects of the policy settings that you've configured. -However, unless you are able to run fairly realistic simulations of network usage patterns, a lab setup cannot provide you with accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: +The first step in assessing your audit policy deployment is to create a test environment in a lab. Use it to simulate the various use scenarios that you identified to confirm that the audit settings you selected are configured correctly and generate the type of results you want. 
-- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location. -- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon**. -- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings. +However, unless you can run fairly realistic simulations of network usage patterns, a lab setup can't provide accurate information about the volume of audit data that the audit policy settings you selected will generate and how effective your plan for monitoring audit data will be. To provide this type of information, you need to conduct one or more pilot deployments. These pilot deployments could involve: -After you have successfully completed one or more limited deployments, you should confirm that the audit data that is collected is manageable with your management tools and administrators. When you have confirmed that the pilot deployment is effective, you need to confirm that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until the production deployment is complete. +- A single OU that contains critical data servers or an OU that contains all desktop computers in a specified location +- A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon** +- A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings + +After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. 
After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete.
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index c4257e755a..35ac0e33f0 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -31,7 +31,7 @@ ms.topic: conceptual +
    Centralized configuration and administration, APIs
    @@ -42,9 +42,9 @@ ms.topic: conceptual **[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    -This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) - [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) - [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) - [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) @@ -74,10 +74,10 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
    To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) -- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) +- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) - [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) +- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) @@ -97,7 +97,7 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
    -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) @@ -116,7 +116,7 @@ Microsoft Defender ATP includes a configuration score to help you dynamically as **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
    -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) @@ -124,7 +124,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h -**[Management and APIs](microsoft-defender-atp/management-apis.md)**
    +**[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
    Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. - [Onboarding](microsoft-defender-atp/onboard-configure.md) - [API and SIEM integration](microsoft-defender-atp/configure-siem.md) @@ -139,7 +139,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf - Office 365 ATP - Azure ATP - Azure Security Center -- Skype for Business +- Skype for Business - Microsoft Cloud App Security diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index 10c8594414..572d4cf705 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md 
@@ -18,11 +18,22 @@ search.appverid: met150 # How Microsoft identifies malware and potentially unwanted applications -Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. When you download, install, and run software, you have access to information and tools to do so safely. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. That information is then compared against criteria described in this article. +Microsoft aims to provide a delightful and productive Windows experience by working to ensure you are safe and in control of your devices. Microsoft helps protect you from potential threats by identifying and analyzing software and online content. When you download, install, and run software, we check the reputation of downloaded programs and ensure you are protected against known threats and warned about software that is unknown to us. -You can participate in this process by [submitting software for analysis](submission-guide.md) to ensure undesirable software is covered by our security solutions. +You can assist Microsoft by [submitting unknown or suspicious software for analysis](https://www.microsoft.com/wdsi/filesubmission/). This will help ensure that unknown or suspicious software is scanned by our system to start establishing reputation. [Learn more about submitting files for analysis](submission-guide.md) -Because new forms of malware and potentially unwanted applications are being developed and distributed rapidly, Microsoft reserves the right to adjust, expand, and update these criteria without prior notice or announcements. +The next sections provide an overview of the classifications we use for applications and the types of behaviors that lead to that classification. + +>[!NOTE] +> New forms of malware and potentially unwanted applications are being developed and distributed rapidly. 
The following list may not be comprehensive, and Microsoft reserves the right to adjust, expand, and update these without prior notice or announcement. + +## Unknown – Unrecognized software + +No antivirus or protection technology is perfect. It takes time to identify and block malicious sites and applications, or trust newly released programs and certificates.  With almost 2 billion websites on the internet and software continuously being updated and released, it's impossible to have information about every single site and program. + +You can think of Unknown/Uncommonly downloaded warnings as an early warning system for potentially undetected malware, as there is generally a delay from the time new malware is released until it is identified. Not all uncommon programs are malicious, but the risk in the unknown category is significantly higher for the typical user. Warnings for unknown software are not blocks, and users can choose to download and run the application normally if they wish to. + +Once enough data is gathered, Microsoft's security solutions can make a determination. Either no threats are found, or an application or software is categorized as malware or potentially unwanted software. ## Malware 
@@ -48,7 +59,7 @@ Microsoft classifies most malicious software into one of the following categorie * **Obfuscator:** A type of malware that hides its code and purpose, making it more difficult for security software to detect or remove. -* **Password stealer:** A type of malware that gathers your personal information, such as user names and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. +* **Password stealer:** A type of malware that gathers your personal information, such as usernames and passwords. It often works along with a keylogger, which collects and sends information about the keys you press and websites you visit. * **Ransomware:** A type of malware that encrypts your files or makes other modifications that can prevent you from using your device. It then displays a ransom note which states you must pay money, complete surveys, or perform other actions before you can use your device again. [See more information about ransomware](ransomware-malware.md). diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index 2506c860d3..0c3ce01531 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md 
@@ -2,7 +2,7 @@ title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK) ms.reviewer: description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, next generation protection +keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 5b876f90b8..d40085138f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md 
@@ -19,12 +19,13 @@ ms.topic: conceptual # Configuration score **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >[!NOTE] > Secure score is now part of Threat & Vulnerability Management as Configuration score. -Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: +Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories: - Application - Operating system 
@@ -48,14 +49,29 @@ The data in the configuration score card is the product of meticulous and ongoin From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks. -## Improve your configuration score +## Improve your security configuration -The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on: +You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. -- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls** -- **Remediation type** — **Configuration change** or **Software update** +1. From the Configuration score card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md), select **Security controls**. The [**Security recommendations**](tvm-security-recommendation.md) page opens to shows the list of recommendations related to security controls. -See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details. +2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**. + + ![Security controls related security recommendations](images/tvm_security_controls.png) + +3. Read the description to understand the context of the issue and what to do next. 
Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. + + >![Request remediation](images/tvm_request_remediation.png). + + You will see a confirmation message that the remediation task has been created. + >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) + +4. Save your CSV file. + ![Save csv file](images/tvm_save_csv_file.png) + +5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. + +6. Review the machine **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. >[!IMPORTANT] >To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index ff9e39088c..dea1185d9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md 
@@ -1,6 +1,6 @@ --- title: Optimize ASR rule deployment and detections -description: Ensure your attack surface reduction (ASR) rules are fully optimized to identify and prevent typical actions taken by malware during the exploitation phase. +description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,33 +23,31 @@ ms.topic: article * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). -[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives. +[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. ![Attack surface management card](images/secconmgmt_asr_card.png)
    *Attack surface management card* -The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to: +The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to: -* Understand how ASR rules are currently deployed in your organization -* Review ASR detections and identify possible incorrect detections -* Analyze the impact of exclusions and generate the list of file paths to exclude +* Understand how ASR rules are currently deployed in your organization. +* Review ASR detections and identify possible incorrect detections. +* Analyze the impact of exclusions and generate the list of file paths to exclude. -Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. +Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center. ![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)
    -*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center* +The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center* > [!NOTE] -> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions) +> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions). -For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) +For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections). -> Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) - -## Related topics +**Related topics** * [Ensure your machines are configured properly](configure-machines.md) * [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -* [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md new file mode 100644 index 0000000000..a04a30abf0 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -0,0 +1,62 @@ +--- +title: Deployment phases +description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service +keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Deployment phases +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +There are three phases in deploying Microsoft Defender ATP: + +|Phase | Desription | +|:-------|:-----| +| ![Phase 1: Prepare](images/prepare.png)
    [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP:

    - Stakeholders and sign-off
    - Environment considerations
    - Access
    - Adoption order +| ![Phase 2: Setup](images/setup.png)
    [Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:

    - Validating the licensing
    - Completing the setup wizard within the portal
    - Network configuration| +| ![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:

    - Using Microsoft Endpoint Configuration Manager to onboard devices
    - Configure capabilities + + + + The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. + +There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). + +## In Scope + +The following is in scope for this deployment guide: +- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service +- Enabling Microsoft Defender ATP endpoint protection platform (EPP) + capabilities + + - Next Generation Protection + + - Attack Surface Reduction + +- Enabling Microsoft Defender ATP endpoint detection and response (EDR) + capabilities including automatic investigation and remediation + +- Enabling Microsoft Defender ATP threat and vulnerability management (TVM) + + +## Out of scope + +The following are out of scope of this deployment guide: + +- Configuration of third-party solutions that might integrate with Microsoft + Defender ATP + +- Penetration testing in production environment diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md new file mode 100644 index 0000000000..47e19acae2 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md 
@@ -0,0 +1,47 @@ +--- +title: Plan your Microsoft Defender ATP deployment strategy +description: Select the best Microsoft Defender ATP deployment strategy for your environment +keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Plan your Microsoft Defender ATP deployment strategy +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) + +Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP. + + +You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported: + +- Group policy +- Microsoft Endpoint Configuration Manager +- Mobile Device Management tools +- Local script + + +## Microsoft Defender ATP deployment strategy + +Depending on your environment, some tools are better suited for certain architectures. + + +|**Item**|**Description**| +|:-----|:-----| +|[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
    [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
    • Cloud-native
    • Co-management
    • On-premise
    • Evaluation and local onboarding
    • + + +## Related topics +- [Deployment phases](deployment-phases.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf new file mode 100644 index 0000000000..551d7a42e8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx new file mode 100644 index 0000000000..6cd5defde8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 42ce3aa2b6..702d9e6c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md 
@@ -23,8 +23,7 @@ ms.topic: article Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. -The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can - focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. +The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png new file mode 100644 index 0000000000..899a5a2312 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configure-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configure.png b/windows/security/threat-protection/microsoft-defender-atp/images/configure.png new file mode 100644 index 0000000000..a8657fc3aa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configure.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png
new file mode 100644
index 0000000000..790f6b8e57
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png b/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png
new file mode 100644
index 0000000000..e2a4573a13
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/no-license-found.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/oboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/oboard.png
new file mode 100644
index 0000000000..cd9e16abb8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/oboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png
new file mode 100644
index 0000000000..3b6aaed8fa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png
new file mode 100644
index 0000000000..eb6cb9b0aa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png
new file mode 100644
index 0000000000..07ff19f20e
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plan-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/plan.png b/windows/security/threat-protection/microsoft-defender-atp/images/plan.png
new file mode 100644
index 0000000000..fa484b1d9d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/plan.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png b/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png
new file mode 100644
index 0000000000..8b0c46059f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/prepare.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png
new file mode 100644
index 0000000000..e862c73200
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy-flyout500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png
new file mode 100644
index 0000000000..12f0d72fac
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
deleted file mode 100644
index 31e550b1e1..0000000000
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png and /dev/null differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup.png
new file mode 100644
index 0000000000..e8402090e6
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/setup.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png
new file mode 100644
index 0000000000..b299b79238
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-report-inaccuracy500.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png
new file mode 100644
index 0000000000..ea977eacef
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png
new file mode 100644
index 0000000000..df675109cc
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png new file mode 100644 index 0000000000..7d80bca932 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png deleted file mode 100644 index 4da702615b..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 12d5e36306..800351a160 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -1,6 +1,6 @@ --- title: Information protection in Windows overview -ms.reviewer: +ms.reviewer: description: Learn about how information protection works in Windows to identify and protect sensitive information keywords: information, protection, dlp, wip, data, loss, prevention, protect search.product: eADQiWindows 10XVcnh 
@@ -13,60 +13,60 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- # Information protection in Windows overview + **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](../../includes/prerelease.md)] Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. - -Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. +Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. >[!TIP] > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). - Microsoft Defender ATP applies the following methods to discover, classify, and protect data: + - **Data discovery** - Identify sensitive data on Windows devices at risk - **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. 
Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it. - **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label - ## Data discovery and data classification -Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types. -Sensitivity labels classify and help protect sensitive content. +Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types. +Sensitivity labels classify and help protect sensitive content. Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories: + - Default - Custom -Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for). +Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for). Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type). - -When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information. 
+When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information. Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device. ![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) -The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard. +The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard. -## Azure Information Protection - Data discovery dashboard -This dashboard presents a summarized discovery information of data discovered by bothMicrosoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint. +## Azure Information Protection - Data discovery dashboard + +This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint. ![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) - Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP. Click on a device to view a list of files observed on this device, with their sensitivity labels and information types. 
@@ -74,47 +74,44 @@ Click on a device to view a list of files observed on this device, with their se >[!NOTE] >Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files. +## Log Analytics - - -## Log Analytics Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. -For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). +For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). -Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). - -To view Microsoft Defender ATP data, perform a query that contains: +Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). +To view Microsoft Defender ATP data, perform a query that contains: ``` -InformationProtectionLogs_CL -| where Workload_s == "Windows Defender" +InformationProtectionLogs_CL +| where Workload_s == "Windows Defender" ``` **Prerequisites:** + - Customers must have a subscription for Azure Information Protection. -- Enable Azure Information Protection integration in Microsoft Defender Security Center: +- Enable Azure Information Protection integration in Microsoft Defender Security Center: - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**. - -## Data protection +## Data protection ### Endpoint data loss prevention -For data to be protected, they must first be identified through labels. + +For data to be protected, they must first be identified through labels. 
Sensitivity labels are created in Office 365 Security & Compliance Center. Microsoft Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. -When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention. - -For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices). +When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Microsoft Defender ATP is the Endpoint data loss prevention. +For the endpoint data loss prevention, you'll need to turn on the Endpoint Data loss prevention and select Enable Windows end point protection (DLP for devices). ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) -Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. +Once, the policy is set and published, Microsoft Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Microsoft Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. -This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. +This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. 
For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). @@ -127,10 +124,8 @@ Those information types are evaluated against the auto-labeling policy. If a mat > [!NOTE] > Auto-labeling is supported in Office apps only when the Azure Information Protection unified labeling client is installed. When sensitive content is detected in email or documents matching the conditions you choose, a label can automatically be applied or a message can be shown to users recommending they apply it themselves. - - For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). - ## Related topics + - [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 379a0c8d3e..664d337477 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -30,6 +30,9 @@ When you investigate an incident, you'll see: - Incident comments and actions - Tabs (alerts, machines, investigations, evidence, graph) +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV] + + ## Analyze incident details Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). diff --git a/windows/security/threat-protection/microsoft-defender-atp/licensing.md b/windows/security/threat-protection/microsoft-defender-atp/licensing.md deleted file mode 100644 index c86b827fd6..0000000000 
--- a/windows/security/threat-protection/microsoft-defender-atp/licensing.md
+++ /dev/null
@@ -1,123 +0,0 @@ ---- -title: Validate licensing provisioning and complete Microsoft Defender ATP set up -description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Microsoft Defender Advanced Threat Protection portal. -keywords: license, licensing, account, set up, validating licensing, windows defender atp -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Validate licensing provisioning and complete set up for Microsoft Defender ATP - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-validatelicense-abovefoldlink) - -## Check license state - -Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**. - -1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). - - ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png) - -1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**. - - - On the screen you will see all the provisioned licenses and their current **Status**. - - ![Image of billing licenses](images/atp-billing-subscriptions.png) - - -## Cloud Service Provider validation - -To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center. 
- -1. From the **Partner portal**, click on the **Administer services > Office 365**. - -2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center. - - ![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png) - -## Access Microsoft Defender Security Center for the first time - -When accessing [Microsoft Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. - -1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product. - - ![Image of Set up your permissions for Microsoft Defender ATP](images/atp-setup-permissions-wdatp-portal.png) - - Once the authorization step is completed, the **Welcome** screen will be displayed. - -2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard. - - ![Image of Welcome screen for portal set up](images/welcome1.png) - - You will need to set up your preferences for Microsoft Defender Security Center. - -3. Set up preferences - - ![Image of geographic location in set up](images/setup-preferences.png) - - 1. **Select data storage location**
      When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. - - > [!WARNING] - > This option cannot be changed without completely offboarding from Microsoft Defender ATP and completing a new enrollment process. - - 2. **Select the data retention policy**
      Microsoft Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. - - > [!NOTE] - > This option can be changed at a later time. - - 3. **Select the size of your organization**
      You will need to indicate the size of your organization based on an estimate of the number of employees currently employed. - - > [!NOTE] - > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. - - 4. **Turn on preview features**
      Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**. - - You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. - - - Toggle the setting between On and Off to choose **Preview features**. - - > [!NOTE] - > This option can be changed at a later time. - -4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**. - - > [!NOTE] - > Some of these options can be changed at a later time in Microsoft Defender Security Center. - - ![Image of final preference set up](images/setup-preferences2.png) - -5. A dedicated cloud instance of Microsoft Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. - -6. You are almost done. Before you can start using Microsoft Defender ATP you'll need to: - - - [Onboard Windows 10 machines](configure-endpoints.md) - - - Run detection test (optional) - - ![Image of Onboard machines and run detection test](images/atp-onboard-endpoints-run-detection-test.png) - - > [!IMPORTANT] - > If you click **Start using Microsoft Defender ATP** before onboarding machines you will receive the following notification: - > ![Image of setup imcomplete](images/atp-setup-incomplete.png) - -7. After onboarding machines you can click **Start using Microsoft Defender ATP**. You will now launch Microsoft Defender ATP for the first time. - -## Related topics -- [Onboard machines to the Microsoft Defender Advanced Threat Protection service](onboard-configure.md) -- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 7353351968..d6714f727e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -43,14 +43,14 @@ The choice of the channel determines the type and frequency of updates that are In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. -### RHEL and variants (CentOS and Oracle EL) +### RHEL and variants (CentOS and Oracle Linux) - Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`. In the below commands, replace *[distro]* and *[version]* with the information you've identified: > [!NOTE] - > In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”. + > In case of Oracle Linux, replace *[distro]* with “rhel”. ```bash sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo @@ -153,7 +153,7 @@ In order to preview new features and provide early feedback, it is recommended t - Install the Microsoft GPG public key: ```bash - curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add - + curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add - ``` - Install the https driver if it's not already present: @@ -170,7 +170,7 @@ In order to preview new features and provide early feedback, it is recommended t ## Application installation -- RHEL and variants (CentOS and Oracle EL): +- RHEL and variants (CentOS and Oracle Linux): ```bash sudo yum install mdatp 
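Review bot: In the `@@ -153,7 +153,7 @@` hunk the corrected command `curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -` still pipes the download straight into the system-wide APT trust store, so a failed or unexpected response is handed to `apt-key` as-is and nothing confirms that the key is the expected one. I would split it into `curl -fsSL https://packages.microsoft.com/keys/microsoft.asc -o microsoft.asc`, a step where the reader compares the key's fingerprint with the value Microsoft publishes, and then `sudo apt-key add microsoft.asc`. The surrounding list of installation steps continues outside the hunk.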
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index bdba284676..b344a91976 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -1,6 +1,6 @@ --- title: Deploy Microsoft Defender ATP for Linux with Ansible -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- @@ -36,14 +36,14 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. - Ansible needs to be installed on at least on one computer (we will call it the master). -- Passwordless SSH must be configured for the root user between the master and all clients. +- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication. - The following software must be installed on all clients: - - Python-apt - - Curl - - Unzip + - curl + - python-apt + - unzip - All hosts must be listed in the following format in the `/etc/ansible/hosts` file: - + ```bash [servers] host1 ansible_ssh_host=10.171.134.39 
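Review bot: The replacement prerequisite in the `@@ -36,14 +36,14 @@` hunk reads "it is recommended be configured with public key authentication", which is ungrammatical, and after moving away from the root user it no longer says how the administrator account gets the root rights that the later tasks appear to need (they set `owner: root` and write under `/etc/opt/microsoft/mdatp/`). Suggested wording: `- SSH must be configured for an administrator account between the master and all clients; we recommend public key authentication, and the account must be able to escalate to root (for example through Ansible become).` The prerequisites list starts before the hunk and the inventory example continues after it.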
@@ -67,7 +67,7 @@ Download the onboarding package from Microsoft Defender Security Center: ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux-2.png) 4. From a command prompt, verify that you have the file. Extract the contents of the archive: - + ```bash $ ls -l total 8 @@ -79,12 +79,11 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create Ansible YAML files -Create subtask or role files that contribute to an actual task. Create the following files under the `/etc/ansible/roles` directory. +Create subtask or role files that contribute to an actual task. First create the `copy_onboarding_pkg.yml` file under the `/etc/ansible/roles` directory: - Copy the onboarding package to all client machines: ```bash - $ cat /etc/ansible/roles/copy_onboarding_pkg.yml - name: Copy the zip file copy: src: /root/WindowsDefenderATPOnboardingPackage.zip 
@@ -92,29 +91,33 @@ Create subtask or role files that contribute to an actual task. Create the follo owner: root group: root mode: '0644' + + - name: Add Microsoft apt signing key + apt_key: + url: https://packages.microsoft.com/keys/microsoft.asc + state: present + when: ansible_os_family == "Debian" ``` -- Create a `setup.sh` script that operates on the onboarding file: +- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory: ```bash - $ cat /root/setup.sh - #!/bin/bash - + # We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root + cd /root || exit 1 # Unzip the archive and create the onboarding file mkdir -p /etc/opt/microsoft/mdatp/ unzip WindowsDefenderATPOnboardingPackage.zip cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json - - # get the GPG key - curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg - sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/ ``` -- Create the onboarding file: +- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory: ```bash - $ cat setup_blob.yml + - name: Register mdatp_onboard.json + stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json + register: mdatp_onboard + - name: Copy the setup script file copy: src: /root/setup.sh @@ -124,7 +127,8 @@ Create subtask or role files that contribute to an actual task. Create the follo mode: '0744' - name: Run a script to create the onboarding file - script: /root/setup.sh + script: /root/setup.sh + when: not mdatp_onboard.stat.exists ``` - Add the Microsoft Defender ATP repository and key. 
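Review bot: The `Add Microsoft apt signing key` task added in the `@@ -92,29 +91,33 @@` hunk trusts whatever key the URL returns, with no `id:` to pin the expected fingerprint, and the page then ends up with a second key task, `Add Microsoft APT key`, in the `@@ -140,30 +144,24 @@` hunk. That second task carries an `id` of 39 hex characters, which is neither a 16-character long key ID nor a 40-character fingerprint, and its `keyserver:` value is an HTTPS repository URL rather than a keyserver, so it is unlikely to work as written. I would keep a single task with `url: https://packages.microsoft.com/keys/microsoft.asc` and `id: <FULL_40_HEX_FINGERPRINT>` (placeholder; take the value from Microsoft's published key) and drop the keyserver variant. Both YAML listings extend beyond their hunks.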
@@ -140,30 +144,24 @@ Create subtask or role files that contribute to an actual task. Create the follo In the following commands, replace *[distro]* and *[version]* with the information you've identified. > [!NOTE] - > In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”. - - - For apt-based distributions use the following YAML file: + > In case of Oracle Linux, replace *[distro]* with “rhel”. ```bash - $ cat add_apt_repo.yml - - name: Add Microsoft repository for MDATP + - name: Add Microsoft apt repository for MDATP apt_repository: repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main update_cache: yes state: present filename: microsoft-[channel].list + when: ansible_os_family == "Debian" - name: Add Microsoft APT key - apt_key: - keyserver: https://packages.microsoft.com/ - id: BC528686B50D79E339D3721CEB3E94ADBE1229C - ``` + apt_key: + keyserver: https://packages.microsoft.com/ + id: BC528686B50D79E339D3721CEB3E94ADBE1229C + when: ansible_os_family == "Debian" - - For yum-based distributions use the following YAML file: - - ```bash - $ cat add_yum_repo.yml - - name: Add Microsoft repository for MDATP + - name: Add Microsoft yum repository for MDATP yum_repository: name: packages-microsoft-com-prod-[channel] description: Microsoft Defender ATP @@ -171,6 +169,7 @@ Create subtask or role files that contribute to an actual task. Create the follo baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/ gpgcheck: yes enabled: Yes + when: ansible_os_family == "RedHat" ``` - Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 177ef802de..89133920ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -89,7 +89,7 @@ Note your distribution and version and identify the closest entry for it under ` In the below commands, replace *[distro]* and *[version]* with the information you've identified: > [!NOTE] -> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”. +> In case of Oracle Linux, replace *[distro]* with “rhel”. ```puppet class install_mdatp { diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 256186213a..537883114e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -35,7 +35,7 @@ This topic describes the structure of this profile (including a recommended prof The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences. -Typically, you would use a configuration management tool to push a file with the name ```mdatp_maanged.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```. +Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```. The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections. 
@@ -51,7 +51,7 @@ The *antivirusEngine* section of the configuration profile is used to manage the #### Enable / disable real-time protection -Detemines whether real-time protection (scan files as they are accessed) is enabled or not. +Determines whether real-time protection (scan files as they are accessed) is enabled or not. ||| |:---|:---| @@ -61,7 +61,7 @@ Detemines whether real-time protection (scan files as they are accessed) is enab #### Enable / disable passive mode -Detemines whether the antivirus engine runs in passive mode or not. In passive mode: +Determines whether the antivirus engine runs in passive mode or not. In passive mode: - Real-time protection is turned off. - On-demand scanning is turned on. - Automatic threat remediation is turned off. @@ -351,6 +351,16 @@ The following configuration profile contains entries for all settings described } ``` +## Configuration profile validation + +The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device: + +```bash +$ python -m json.tool mdatp_managed.json +``` + +If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`. + ## Configuration profile deployment Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 388b235ac3..adc92e7c31 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -68,7 +68,7 @@ There are several ways to uninstall Microsoft Defender ATP for Linux. If you are ### Manual uninstallation -- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle EL). +- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle Linux). - ```sudo zypper remove mdatp``` for SLES and variants. - ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index 43330660a0..c2505dae33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -33,7 +33,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t - The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line: ```bash - HTTPS_PROXY=”http://proxy.server:port/” + HTTPS_PROXY="http://proxy.server:port/" ``` - The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`: @@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t - The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP: ```bash - $ HTTPS_PROXY=”http://proxy.server:port/" apt install mdatp + $ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp ``` > [!NOTE] 
@@ -62,12 +62,12 @@ Note that installation and uninstallation will not necessarily fail if a proxy i After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways: -- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port”` and specify your static proxy address. +- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address. - Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line: ```bash - HTTPS_PROXY=”http://proxy.server:port/” + HTTPS_PROXY="http://proxy.server:port/" ``` After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md index 74979b6c15..37b668c4f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md @@ -28,7 +28,7 @@ Microsoft regularly publishes software updates to improve performance, security, To update Microsoft Defender ATP for Linux manually, execute one of the following commands: -## RHEL and variants (CentOS and Oracle EL) +## RHEL and variants (CentOS and Oracle Linux) ```bash sudo yum update mdatp diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index ddd34985a3..80231ef03d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -27,6 +27,8 @@ Live response is a capability that gives you instantaneous access to a machine u Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUW] + With live response, analysts will have the ability to: - Run basic and advanced commands to do investigative work - Download files such as malware samples and outcomes of PowerShell scripts diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 84b0a77870..76875534f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -356,6 +356,10 @@ Specifies the value of tag | **Data type** | String | | **Possible values** | any string | +> [!IMPORTANT] +> - Only one value per tag type can be set. +> - Type of tags are unique, and should not be repeated in the same configuration profile. + ## Recommended configuration profile To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. 
@@ -730,13 +734,24 @@ The following configuration profile contains entries for all settings described ``` +## Configuration profile validation + +The configuration profile must be a valid *.plist* file. This can be checked by executing: + +```bash +$ plutil -lint com.microsoft.wdav.plist +com.microsoft.wdav.plist: OK +``` + +If the configuration profile is well-formed, the above command outputs `OK` and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`. + ## Configuration profile deployment Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune. ### JAMF deployment -From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the .plist produced earlier. +From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier. >[!CAUTION] >You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md new file mode 100644 index 0000000000..564bfecdbd --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md 
@@ -0,0 +1,54 @@ +--- +title: Troubleshoot installation issues for Microsoft Defender ATP for Mac +description: Troubleshoot installation issues in Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, install +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot installation issues for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +## Installation failed + +For manual installation, it is Summary page of the installation wizard that says "An error occurred during installation. The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance". For MDM deployments it would be exposed as a generic installation failure as well. + +While we do not expose exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file, you can use `sed` to output the last installation session only: + +```bash +$ sed -n 'H; /^preinstall com.microsoft.wdav begin/h; ${g;p;}' /Library/Logs/Microsoft/mdatp/install.log + +preinstall com.microsoft.wdav begin [2020-03-11 13:08:49 -0700] 804 +INSTALLER_SECURE_TEMP=/Library/InstallerSandboxes/.PKInstallSandboxManager/CB509765-70FC-4679-866D-8A14AD3F13CC.activeSandbox/89FA879B-971B-42BF-B4EA-7F5BB7CB5695 +correlation id=CB509765-70FC-4679-866D-8A14AD3F13CC +[ERROR] Downgrade from 100.88.54 to 100.87.80 is not permitted +preinstall com.microsoft.wdav end [2020-03-11 13:08:49 -0700] 804 => 1 +``` + +In the example above the actual reason is prefixed with `[ERROR]`. 
+The installation failed because a downgrade between these versions is not supported. + +## No MDATP's install log + +In rare cases installation leaves no trace in MDATP's /Library/Logs/Microsoft/mdatp/install.log file. +You can verify that installation happened and analyze possible errors by querying macOS logs (this can be helpful in case of MDM deployment, when there is no client UI). It is recommended to have a narrow time window to query and filter by the logging process name, as there will be huge amount of information; + +```bash +grep '^2020-03-11 13:08' /var/log/install.log + +log show --start '2020-03-11 13:00:00' --end '2020-03-11 13:08:50' --info --debug --source --predicate 'processImagePath CONTAINS[C] "install"' --style syslog +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md new file mode 100644 index 0000000000..3a6c85369b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md 
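Review bot: In the "No MDATP's install log" section, the `grep` and `log show` examples hard-code the timestamps from the sample session above, and nothing tells the reader to substitute their own window. I would add a line before the code block such as `Replace the date and time values with the window of your own installation attempt.` The introductory sentence ends with `;` where a `:` is needed to lead into the block. The first paragraph under "Installation failed" ("it is Summary page of the installation wizard that says") would read more clearly as `For manual installation, the Summary page of the installation wizard says ...`.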
@@ -0,0 +1,46 @@ +--- +title: Troubleshoot license issues for Microsoft Defender ATP for Mac +description: Troubleshoot license issues in Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, performance +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot license issues for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +While you are going through [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error: + +![Image of license error](images/no-license-found.png) + +**Message:** + +No license found + +Looks like your organization does not have a license for Microsoft 365 Enterprise subscription. + +Contact your administrator for help. + +**Cause:** + +You deployed and/or installed the MDATP for macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package"). + +**Solution:** + +Follow the WindowsDefenderATPOnboarding.py instructions documented here: +[Client configuration](mac-install-manually.md#client-configuration) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index ebad1005b3..d23525631d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md 
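Review bot: The **Cause** paragraph appears to be missing a negation: it says the package was installed "but you might have run the configuration script", which does not explain a "No license found" error. The **Solution** sends the reader to the onboarding script instructions, so the intended text is presumably `... but you might not have run the configuration script ("Download onboarding package").` As written, an administrator could conclude that running the onboarding package caused the error. The front-matter `keywords` line also ends in `performance`, which looks copied from another page; `license` would match this topic.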
@@ -26,6 +26,13 @@ ms.topic: conceptual > > If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. +## 100.86.92 + +- Improvements around compatibility with Time Machine +- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation +- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate +- Other performance improvements & bug fixes + ## 100.86.91 > [!CAUTION] diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index b005d81545..1dd8377db2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md 
@@ -34,6 +34,9 @@ Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution th Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ] + + The integration provides the following major improvements to the existing Cloud App Security discovery: - Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index 9c596b4ec9..a4991649d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -24,6 +24,7 @@ ms.topic: conceptual > For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. +

      > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] @@ -58,7 +59,7 @@ Microsoft Defender ATP uses the following combination of technology built into W
    +
    Centralized configuration and administration, APIs
    @@ -115,7 +116,7 @@ Microsoft Defender ATP's new managed threat hunting service provides proactive h -**[Management and APIs](management-apis.md)**
    +**[Centralized configuration and administration, APIs](management-apis.md)**
    Integrate Microsoft Defender Advanced Threat Protection into your existing workflows. @@ -132,15 +133,6 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. -## In this section -To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Microsoft Defender Security Center. - -Topic | Description -:---|:--- -[Overview](overview.md) | Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform. -[Minimum requirements](minimum-requirements.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Microsoft Defender ATP. -[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Microsoft Defender ATP. -[Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) | Learn how to address issues that you might encounter while using the platform. ## Related topic [Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index ad38c483b0..96bb2dc3c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md 
@@ -82,7 +82,7 @@ In general you need to take the following steps: - Ubuntu 16.04 LTS or higher LTS - Debian 9 or higher - SUSE Linux Enterprise Server 12 or higher - - Oracle Enterprise Linux 7 + - Oracle Linux 7 - Minimum kernel version 2.6.38 - The `fanotify` kernel option must be enabled diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index ff425c7895..235ddd3611 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -24,7 +24,11 @@ ms.topic: conceptual Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. -This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. +This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. + +Watch this video for a quick overview of Microsoft Threat Experts. + +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B] ## Before you begin diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 5c52a93ff5..eed0fc1ca1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -28,7 +28,7 @@ There are some minimum requirements for onboarding machines to the service. Lear >[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP:[Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced). >- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). ## Licensing requirements @@ -37,8 +37,10 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education A5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 +- Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) +For detailed licensing information, see the [Product terms page](https://www.microsoft.com/en-us/licensing/product-licensing/products) and work with your account team to learn the detailed terms and conditions for the product. For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). @@ -72,7 +74,7 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo - Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 - - Windows Server 2016, version 1803 + - Windows Server, version 1803 or later - Windows Server 2019 Machines on your network must be running one of these editions. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 09dea1ee83..0f48e4e5e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -1,15 +1,15 @@ --- title: Threat & Vulnerability Management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration asessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities +keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities, next generation search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -18,52 +18,83 @@ ms.topic: conceptual --- # Threat & Vulnerability Management + **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. -Watch this video for a quick overview of Threat & Vulnerability Management. +Watch this video for a quick overview of Threat & Vulnerability Management. 
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn] -## Next-generation capabilities -Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. +## Next-generation capabilities + +Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base. It is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft Microsoft Endpoint Configuration Manager. -It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. +It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. + - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Linked machine vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Configuration Manager +- Built-in remediation processes through Microsoft Intune and Configuration Manager ### Real-time discovery - + To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: + - Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. 
-- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, and software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. - Application runtime context. Visibility on application usage patterns for better prioritization and decision-making. - Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. - + ### Intelligence-driven prioritization - + Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: + - Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. - Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. -- Protecting high-value assets. 
Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users. - +- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users. + ### Seamless remediation - -Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- Remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. + +Microsoft Defender ATP's Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. + +- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. - Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. - Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. 
+## Before you begin + +Ensure that your machines: + +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Run with Windows 10 1709 (Fall Creators Update) or later + +>[!NOTE] +>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. + +- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: + +> Release | Security update KB number and link +> :---|:--- +> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) +> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) +> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) + +- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. +- Have at least one security recommendation that can be viewed in the machine page +- Are tagged or marked as co-managed + ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) 
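Review bot: The update table in the new "Before you begin" section labels its rows with internal release codenames (`RS3`, `RS4`, `RS5`, `19H1`), while the bullet above it uses the public form `Windows 10 1709`. An administrator matching machines to the required KBs needs the public version on each row, for example `RS3 (Windows 10, version 1709) customers | ...`. The `[!NOTE]` and the table also sit in the middle of the "Ensure that your machines:" list, so the last three bullets render as a separate list. `Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager` reads as requiring both products; if either is sufficient, `or` would be clearer. The KB references mix `KB4493441` and `KB 4516071` spacing and could be made uniform.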
@@ -79,4 +110,4 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm - [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) - [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) - [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [BLOG: Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) +- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index ab3dd486d7..5b7477d473 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md 
@@ -28,11 +28,14 @@ Offboard machine from Microsoft Defender ATP. ## Limitations -1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + - Rate limitations for this API are 100 calls per minute and 1500 calls per hour. [!include[Machine actions note](../../includes/machineactionsnote.md)] +>[!Note] +> This does not support offboarding macOS Devices. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -83,4 +86,4 @@ Content-type: application/json { "Comment": "Offboard machine by automation" } -``` \ No newline at end of file +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md new file mode 100644 index 0000000000..2e8bae4127 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -0,0 +1,458 @@ +--- +title: Onboard to the Micrsoft Defender ATP service +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Onboard to the Micrsoft Defender ATP service +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +Deploying Microsoft Defender ATP is a three-phase process: + +
    +
    IssueMore information +
    Windows Autopilot user-driven Hybrid Azure AD deployments do not grant users Administrator rights even when specified in the Windows Autopilot profile.This will occur when there is another user on the device that already has Administrator rights. For example, a PowerShell script or policy could create an additional local account that is a member of the Administrators group. To ensure this works properly, do not create an additional account until after the Windows Autopilot process has completed.
    Windows Autopilot device provisioning can fail with TPM attestation errors or ESP timeouts on devices where the real-time clock is off by a significant amount of time (e.g. several minutes or more). To fix this issue:
    1. Boot the device to the start of the out-of-box experience (OOBE).
    2. Establish a network connection (wired or wireless).
    3. Run the command w32tm /resync /force to sync the time with the default time server (time.windows.com).
    Windows Autopilot for existing devices does not work for Windows 10, version 1903; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen. +
    Windows Autopilot for existing devices does not work for Windows 10, version 1903 or 1909; you see screens that you've disabled in your Windows Autopilot profile, such as the Windows 10 License Agreement screen.
     
    -This happens because Windows 10, version 1903 deletes the AutopilotConfigurationFile.json file. +This happens because Windows 10, version 1903 and 1909 deletes the AutopilotConfigurationFile.json file.
    To fix this issue:
    1. Edit the Configuration Manager task sequence and disable the Prepare Windows for Capture step.
    2. Add a new Run command line step that runs c:\windows\system32\sysprep\sysprep.exe /oobe /reboot.
    More information
    -
    Management and APIs
    Microsoft Threat Protection
    -
    Management and APIs
    Microsoft Threat Protection
    + + + + + + + +
    + + Prepare to deploy Microsoft Defender ATP +
    Phase 1: Prepare

    +
    + + Setup the Microsoft Defender ATP service +
    Phase 2: Setup

    +
    + + Onboard +
    Phase 3: Onboard

    +
    +You are currently in the onboarding phase. + + + +To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. + +The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment. + +This article will guide you on: +- Setting up Microsoft Endpoint Configuration Manager +- Endpoint detection and response configuration +- Next-generation protection configuration +- Attack surface reduction configuration + +## Onboarding using Microsoft Endpoint Configuration Manager +### Collection creation +To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the +deployment can target either and existing collection or a new collection can be +created for testing. The onboarding like group policy or manual method does +not install any agent on the system. Within the Configuration Manager console +the onboarding process will be configured as part of the compliance settings +within the console. Any system that receives this required configuration will +maintain that configuration for as long as the Configuration Manager client +continues to receive this policy from the management point. Follow the steps +below to onboard systems with Configuration Manager. + +1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-device-collections.png) + +2. Right Click **Device Collection** and select **Create Device Collection**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-device-collection.png) + +3. Provide a **Name** and **Limiting Collection**, then select **Next**. 
+ + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-limiting-collection.png) + +4. Select **Add Rule** and choose **Query Rule**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-query-rule.png) + +5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-direct-membership.png) + +6. Select **Criteria** and then choose the star icon. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-criteria.png) + +7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-simple-value.png) + +8. Select **Next** and **Close**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-membership-rules.png) + +9. Select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-confirm.png) + +After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. + +## Endpoint detection and response +### Windows 10 +From within the Microsoft Defender Security Center it is possible to download +the '.onboarding' policy that can be used to create the policy in System Center Configuration +Manager and deploy that policy to Windows 10 devices. + +1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). + + + +2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager **. + + ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) + +3. Select **Download package**. + + ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) + +4. 
Save the package to an accessible location. +5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. + +6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-policy.png) + +7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. + + ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-policy-name.png) + +8. Click **Browse**. + +9. Navigate to the location of the downloaded file from step 4 above. + + ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png) + +10. Click **Next**. +11. Configure the Agent with the appropriate samples (**None** or **All file types**). + + ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png) + +12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. + + ![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png) + +14. Verify the configuration, then click **Next**. + + ![Image of configuration settings](images/adc17988b0984ca2aa3ff8f41ddacaf9.png) + +15. Click **Close** when the Wizard completes. + +16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. + + ![Image of configuration settings](images/4a37f3687e6ff53a593d3670b1dad3aa.png) + +17. On the right panel, select the previously created collection and click **OK**. + + ![Image of configuration settings](images/26efa2711bca78f6b6d73712f86b5bd9.png) + + +### Previous versions of Windows Client (Windows 7 and Windows 8.1) +Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. + +1. 
From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. + +2. Under operating system choose **Windows 7 SP1 and 8.1**. + + ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png) + +3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. + +Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed. + +Edit the InstallMMA.cmd with a text editor, such as notepad and update the +following lines and save the file: + + ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png) + +Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file: + + ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png) + +Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating +Systems: + +- Server SKUs: Windows Server 2008 SP1 or Newer + +- Client SKUs: Windows 7 SP1 and later + +The MMA agent will need to be installed on Windows devices. To install the +agent, some systems will need to download the [Update for customer experience +and diagnostic +telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) +in order to collect the data with MMA. 
These system versions include but may not +be limited to: + +- Windows 8.1 + +- Windows 7 + +- Windows Server 2016 + +- Windows Server 2012 R2 + +- Windows Server 2008 R2 + +Specifically, for Windows 7 SP1, the following patches must be installed: + +- Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) + +- Install either [.NET Framework + 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. + +To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps +below to utilize the provided batch files to onboard the systems. The CMD file +when executed, will require the system to copy files from a network share by the +System, the System will install MMA, Install the DependencyAgent, and configure +MMA for enrollment into the workspace. + + +1. In Microsoft Endpoint Configuration Manager console, navigate to **Software + Library**. + +2. Expand **Application Management**. + +3. Right-click **Packages** then select **Create Package**. + +4. Provide a Name for the package, then click **Next** + + ![Image of Microsoft Endpoint Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png) + +5. Verify **Standard Program** is selected. + + ![Image of Microsoft Endpoint Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png) + +6. Click **Next**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png) + +7. Enter a program name. + +8. Browse to the location of the InstallMMA.cmd. + +9. Set Run to **Hidden**. + +10. Set **Program can run** to **Whether or not a user is logged on**. + +11. Click **Next**. + +12. Set the **Maximum allowed run time** to 720. + +13. Click **Next**. 
+ + ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png) + +14. Verify the configuration, then click **Next**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png) + +15. Click **Next**. + +16. Click **Close**. + +17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP + Onboarding Package just created and select **Deploy**. + +18. On the right panel select the appropriate collection. + +19. Click **OK**. + +## Next generation protection +Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. + + ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png) + +2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. + + ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png) + + In certain industries or some select enterprise customers might have specific +needs on how Antivirus is configured. 
+ + + [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) + + For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) + + + ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) + + ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png) + + ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png) + + ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png) + + ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) + + ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png) + + ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png) + + ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png) + +3. Right-click on the newly created antimalware policy and select **Deploy** . + + ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png) + +4. Target the new antimalware policy to your Windows 10 collection and click **OK**. + + ![Image of next generation protection pane](images/26efa2711bca78f6b6d73712f86b5bd9.png) + +After completing this task, you now have successfully configured Windows +Defender Antivirus. + +## Attack surface reduction +The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit +Protection. + +All these features provide an audit mode and a block mode. 
In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. + +To set ASR rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png) + + +2. Select **Attack Surface Reduction**. + + +3. Set rules to **Audit** and click **Next**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png) + +4. Confirm the new Exploit Guard policy by clicking on **Next**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png) + + +5. Once the policy is created click **Close**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png) + + + +6. Right-click on the newly created policy and choose **Deploy**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png) + +7. Target the policy to the newly created Windows 10 collection and click **OK**. + + ![Image of Microsoft Endpoint Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png) + +After completing this task, you now have successfully configured ASR rules in audit mode. + +Below are additional steps to verify whether ASR rules are correctly applied to +endpoints. (This may take few minutes) + + +1. From a web browser, navigate to . + +2. Select **Configuration management** from left side menu. + + ![A screenshot of a cell phone Description automatically generated](images/653db482c7ccaf31d06f29fb2aa24b7a.png) + +3. 
Click **Go to attack surface management** in the Attack surface management panel. + + ![Image of attack surface management](images/3a01c7970ce3ec977a35883c0a01f0a2.png) + +4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. + + ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) + +5. Click each device shows configuration details of ASR rules. + + ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png) + +See [Optimize ASR rule deployment and +detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details. + + +### To set Network Protection rules in Audit mode: +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + + ![A screenshot System Center Confirugatiom Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) + +2. Select **Network protection**. + +3. Set the setting to **Audit** and click **Next**. + + ![A screenshot System Center Confirugatiom Manager](images/c039b2e05dba1ade6fb4512456380c9f.png) + +4. Confirm the new Exploit Guard Policy by clicking **Next**. + + ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png) + +5. Once the policy is created click on **Close**. + + ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png) + +6. Right-click on the newly created policy and choose **Deploy**. + + ![A screenshot Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) + +7. Select the policy to the newly created Windows 10 collection and choose **OK**. 
+ + ![A screenshot Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) + +After completing this task, you now have successfully configured Network +Protection in audit mode. + +### To set Controlled Folder Access rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/728c10ef26042bbdbcd270b6343f1a8a.png) + +2. Select **Controlled folder access**. + +3. Set the configuration to **Audit** and click **Next**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) + +4. Confirm the new Exploit Guard Policy by clicking on **Next**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0a6536f2c4024c08709cac8fcf800060.png) + +5. Once the policy is created click on **Close**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/95d23a07c2c8bc79176788f28cef7557.png) + +6. Right-click on the newly created policy and choose **Deploy**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/8999dd697e3b495c04eb911f8b68a1ef.png) + +7. Target the policy to the newly created Windows 10 collection and click **OK**. + + ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) + +After completing this task, you now have successfully configured Controlled folder access in audit mode. + diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md deleted file mode 100644 index 8600ed540e..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/overview.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Overview of Microsoft Defender ATP -ms.reviewer: -description: Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform -keywords: atp, microsoft defender atp, defender, mdatp, threat protection, platform, threat, vulnerability, asr, attack, surface, reduction, next-gen, protection, edr, endpoint, detection, response, automated, air, cyber threat hunting, advanced hunting -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Overview of Microsoft Defender ATP capabilities -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -Understand the concepts behind the capabilities in Microsoft Defender ATP so you take full advantage of the complete threat protection platform. - ->[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). 
- -## In this section - -Topic | Description -:---|:--- -[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) | Reduce organizational vulnerability exposure and increase threat resilience while seamlessly connecting workflows across security stakeholders—security administrators, security operations, and IT administrators in remediating threats. -[Attack surface reduction](overview-attack-surface-reduction.md) | Leverage exploit protection, attack surface reduction rules, and other capabilities to protect the perimeter of your organization. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs. -[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers. -[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. -[Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. -[Configuration score](configuration-score.md) | Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls. -[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. 
Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.

    **NOTE:**

    Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.

    If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription. -[Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules. -[Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. -[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other how Microsoft Defender ATP works with other Microsoft security solutions. -[Portal overview](portal-overview.md) |Learn to navigate your way around Microsoft Defender Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index d54f893ac4..bf5f352335 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -22,9 +22,54 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + + +Deploying Microsoft Defender ATP is a three-phase process: + +
    + + + + + + + + + + + +
    + + Plan to deploy Microsoft Defender ATP +
    Phase 1: Prepare

    +
    + + Onboard to the Microsoft Defender ATP service +
    Phase 2: Setup

    +
    + + Configure capabilities +
    Phase 3: Onboard

    +
    + + + + + +
    + +You are currently in the preparation phase. + + +Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP. + + ## Stakeholders and Sign-off The following section serves to identify all the stakeholders that are involved -in this project and need to sign-off, review, or stay informed. Add stakeholders +in the project and need to sign-off, review, or stay informed. + +Add stakeholders to the table below as appropriate for your organization. - SO = Sign-off on this project @@ -41,33 +86,6 @@ to the table below as appropriate for your organization. | Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R | | Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I | -## Project Management - -### In Scope - -The following is in scope for this project: - -- Enabling Microsoft Defender ATP endpoint protection platform (EPP) - capabilities - - - Next Generation Protection - - - Attack Surface Reduction - -- Enabling Microsoft Defender ATP endpoint detection and response (EDR) - capabilities including automatic investigation and remediation - -- Enabling Microsoft Defender ATP threat and vulnerability management (TVM) -- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service. - -### Out of scope - -The following are out of scope of this project: - -- Configuration of third-party solutions that might integrate with Microsoft - Defender ATP. - -- Penetration testing in production environment. ## Environment 
@@ -140,8 +158,9 @@ structure required for your environment. ## Adoption Order In many cases, organizations will have existing endpoint security products in place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already. + Historically, replacing any security solution used to be time intensive and difficult -to achieve, due to the tight hooks into the application layer and infrastructure +to achieve due to the tight hooks into the application layer and infrastructure dependencies. However, because Microsoft Defender ATP is built into the operating system, replacing third-party solutions is now easy to achieve. 
@@ -158,5 +177,8 @@ how the endpoint security suite should be enabled. | Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | -## Related topic -- [Production deployment](production-deployment.md) +## Next step +||| +|:-------|:-----| +|![Phase 2: Setup](images/setup.png)
    [Phase 2: Setup](production-deployment.md) | Setup Microsoft Defender ATP deployment + diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 4cde145e4c..28bac40cc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -42,6 +42,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
    Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux. - [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
    Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. @@ -51,7 +52,7 @@ The following features are included in the preview release: - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
    You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). -- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization. +- [Machine health and compliance report](machine-reports.md)
    The machine health and compliance report provides high-level information about the devices in your organization. - [Information protection](information-protection-in-windows-overview.md)
    Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md deleted file mode 100644 index e69a6bc890..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md +++ /dev/null 
@@ -1,75 +0,0 @@
----
-title: Microsoft Defender Advanced Threat Protection product brief
-description: Learn about the Microsoft Defender Advanced Threat Protection capabilities and licensing requirements
-keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender Advanced Threat Protection product brief
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Microsoft Defender ATP is a platform designed to
-help enterprise networks prevent, detect, investigate, and respond to advanced
-threats.
-
-![Image of the Microsoft Defender ATP components](images/mdatp-platform.png)
-
-## Platform capabilities
-
-Capability | Description
-:---|:---
-**Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-**Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-**Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
-**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
-**Configuration Score** | Microsoft Defender ATP includes configuration score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
- **Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
-**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.
- **Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | |
-
-Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
- collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
-
-- **Cloud security analytics**: Leveraging big-data, machine-learning, and
- unique Microsoft optics across the Windows ecosystem,
- enterprise cloud products (such as Office 365), and online assets, behavioral signals
- are translated into insights, detections, and recommended responses
- to advanced threats.
-
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
- and augmented by threat intelligence provided by partners, threat
- intelligence enables Microsoft Defender ATP to identify attacker
- tools, techniques, and procedures, and generate alerts when these
- are observed in collected sensor data.
-
-## Licensing requirements
-
-Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
-
-- Windows 10 Enterprise E5
-- Windows 10 Education A5
-- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-- Microsoft 365 A5 (M365 A5)
-
-## Related topic
-
-- [Prepare deployment](prepare-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 6bed8fc78a..5ee99f304a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft Defender ATP production deployment
+title: Setup Microsoft Defender ATP deployment
 description:
 keywords:
 search.product: eADQiWindows 10XVcnh
@@ -17,21 +17,74 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP production deployment +# Setup Microsoft Defender ATP deployment **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on: + +Deploying Microsoft Defender ATP is a three-phase process: + +
    + + + + + + + + +
    + + Prepare to deploy Microsoft Defender ATP +
    Phase 1: Prepare

    +
    + + Onboard to the Microsoft Defender ATP service +
    Phase 2: Setup

    +
    + + Onboard +
    Phase 3: Onboard

    +
    + +You are currently in the setup phase. + +In this deployment scenario, you'll be guided through the steps on: +- Licensing validation - Tenant configuration - Network configuration -- Onboarding using Microsoft Endpoint Configuration Manager -- Endpoint detection and response -- Next generation protection -- Attack surface reduction + >[!NOTE] ->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). +>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). + +## Check license state + +Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**. + +1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). + + ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png) + +1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**. + + - On the screen you will see all the provisioned licenses and their current **Status**. + + ![Image of billing licenses](images/atp-billing-subscriptions.png) + + +## Cloud Service Provider validation + +To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center. + +1. 
From the **Partner portal**, click on the **Administer services > Office 365**. + +2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center. + + ![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png) + + ## Tenant Configuration @@ -111,7 +164,7 @@ under: Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - - Set it to **Enabled** and select�**Disable Authenticated Proxy usage** + - Set it to **Enabled** and select **Disable Authenticated Proxy usage** 1. Open the Group Policy Management Console. 2. Create a policy or edit an existing policy based off the organizational practices. 
@@ -205,397 +258,7 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https: > [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. -## Onboarding using Microsoft Endpoint Configuration Manager -### Collection creation -To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the -deployment can target either and existing collection or a new collection can be -created for testing. The onboarding like group policy or manual method does -not install any agent on the system. Within the Configuration Manager console -the onboarding process will be configured as part of the compliance settings -within the console. Any system that receives this required configuration will -maintain that configuration for as long as the Configuration Manager client -continues to receive this policy from the management point. Follow the steps -below to onboard systems with Configuration Manager. - -1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - - ![Image of Configuration Manager wizard](images/sccm-device-collections.png) - -2. Right Click **Device Collection** and select **Create Device Collection**. - - ![Image of Configuration Manager wizard](images/sccm-create-device-collection.png) - -3. Provide a **Name** and **Limiting Collection**, then select **Next**. - - ![Image of Configuration Manager wizard](images/sccm-limiting-collection.png) - -4. Select **Add Rule** and choose **Query Rule**. - - ![Image of Configuration Manager wizard](images/sccm-query-rule.png) - -5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - - ![Image of Configuration Manager wizard](images/sccm-direct-membership.png) - -6. Select **Criteria** and then choose the star icon. - - ![Image of Configuration Manager wizard](images/sccm-criteria.png) - -7. 
Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**. - - ![Image of Configuration Manager wizard](images/sccm-simple-value.png) - -8. Select **Next** and **Close**. - - ![Image of Configuration Manager wizard](images/sccm-membership-rules.png) - -9. Select **Next**. - - ![Image of Configuration Manager wizard](images/sccm-confirm.png) - -After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. - -## Endpoint detection and response -### Windows 10 -From within the Microsoft Defender Security Center it is possible to download -the '.onboarding' policy that can be used to create the policy in Microsoft Endpoint Configuration Manager and deploy that policy to Windows 10 devices. - -1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). - - - -2. Under Deployment method select the supported version of **Configuration Manager**. - - ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) - -3. Select **Download package**. - - ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) - -4. Save the package to an accessible location. -5. In Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. - -6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - - ![Image of Configuration Manager wizard](images/sccm-create-policy.png) - -7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - - ![Image of Configuration Manager wizard](images/sccm-policy-name.png) - -8. Click **Browse**. - -9. Navigate to the location of the downloaded file from step 4 above. 
- - ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png) - -10. Click **Next**. -11. Configure the Agent with the appropriate samples (**None** or **All file types**). - - ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png) - -12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. - - ![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png) - -14. Verify the configuration, then click **Next**. - - ![Image of configuration settings](images/adc17988b0984ca2aa3ff8f41ddacaf9.png) - -15. Click **Close** when the Wizard completes. - -16. In the Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. - - ![Image of configuration settings](images/4a37f3687e6ff53a593d3670b1dad3aa.png) - -17. On the right panel, select the previously created collection and click **OK**. - - ![Image of configuration settings](images/26efa2711bca78f6b6d73712f86b5bd9.png) - - -### Previous versions of Windows Client (Windows 7 and Windows 8.1) -Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. - -1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. - -2. Under operating system choose **Windows 7 SP1 and 8.1**. - - ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png) - -3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. - -Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed. 
- -Edit the InstallMMA.cmd with a text editor, such as notepad and update the -following lines and save the file: - - ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png) - -Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file: - - ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png) - -Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating -Systems: - -- Server SKUs: Windows Server 2008 SP1 or Newer - -- Client SKUs: Windows 7 SP1 and later - -The MMA agent will need to be installed on Windows devices. To install the -agent, some systems will need to download the [Update for customer experience -and diagnostic -telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) -in order to collect the data with MMA. These system versions include but may not -be limited to: - -- Windows 8.1 - -- Windows 7 - -- Windows Server 2016 - -- Windows Server 2012 R2 - -- Windows Server 2008 R2 - -Specifically, for Windows 7 SP1, the following patches must be installed: - -- Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - -- Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps -below to utilize the provided batch files to onboard the systems. The CMD file -when executed, will require the system to copy files from a network share by the -System, the System will install MMA, Install the DependencyAgent, and configure -MMA for enrollment into the workspace. - - -1. 
In the Configuration Manager console, navigate to **Software - Library**. - -2. Expand **Application Management**. - -3. Right-click **Packages** then select **Create Package**. - -4. Provide a Name for the package, then click **Next** - - ![Image of Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png) - -5. Verify **Standard Program** is selected. - - ![Image of Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png) - -6. Click **Next**. - - ![Image of Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png) - -7. Enter a program name. - -8. Browse to the location of the InstallMMA.cmd. - -9. Set Run to **Hidden**. - -10. Set **Program can run** to **Whether or not a user is logged on**. - -11. Click **Next**. - -12. Set the **Maximum allowed run time** to 720. - -13. Click **Next**. - - ![Image of Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png) - -14. Verify the configuration, then click **Next**. - - ![Image of Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png) - -15. Click **Next**. - -16. Click **Close**. - -17. In the Configuration Manager console, right-click the Microsoft Defender ATP - Onboarding Package just created and select **Deploy**. - -18. On the right panel select the appropriate collection. - -19. Click **OK**. - -## Next generation protection -Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. - -1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. - - ![Image of antimalware policy](images/9736e0358e86bc778ce1bd4c516adb8b.png) - -2. 
Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. - - ![Image of next generation protection pane](images/1566ad81bae3d714cc9e0d47575a8cbd.png) - - In certain industries or some select enterprise customers might have specific -needs on how Antivirus is configured. - - - [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) - - For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) - - - ![Image of next generation protection pane](images/cd7daeb392ad5a36f2d3a15d650f1e96.png) - - ![Image of next generation protection pane](images/36c7c2ed737f2f4b54918a4f20791d4b.png) - - ![Image of next generation protection pane](images/a28afc02c1940d5220b233640364970c.png) - - ![Image of next generation protection pane](images/5420a8790c550f39f189830775a6d4c9.png) - - ![Image of next generation protection pane](images/33f08a38f2f4dd12a364f8eac95e8c6b.png) - - ![Image of next generation protection pane](images/41b9a023bc96364062c2041a8f5c344e.png) - - ![Image of next generation protection pane](images/945c9c5d66797037c3caeaa5c19f135c.png) - - ![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png) - -3. Right-click on the newly created antimalware policy and select **Deploy** . - - ![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png) - -4. Target the new antimalware policy to your Windows 10 collection and click **OK**. 
- - ![Image of next generation protection pane](images/26efa2711bca78f6b6d73712f86b5bd9.png) - -After completing this task, you now have successfully configured Windows -Defender Antivirus. - -## Attack Surface Reduction -The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit -Protection. All these features provide an audit mode and a block mode. In audit mode there is no end user impact all it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step by step move security controls into block mode. - -To set ASR rules in Audit mode: - -1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - - ![Image of Configuration Manager console](images/728c10ef26042bbdbcd270b6343f1a8a.png) - - -2. Select **Attack Surface Reduction**. - - -3. Set rules to **Audit** and click **Next**. - - ![Image of Configuration Manager console](images/d18e40c9e60aecf1f9a93065cb7567bd.png) - -4. Confirm the new Exploit Guard policy by clicking on **Next**. - - ![Image of Configuration Manager console](images/0a6536f2c4024c08709cac8fcf800060.png) - - -5. Once the policy is created click **Close**. - - ![Image of Configuration Manager console](images/95d23a07c2c8bc79176788f28cef7557.png) - - - -6. Right-click on the newly created policy and choose **Deploy**. - - ![Image of Configuration Manager console](images/8999dd697e3b495c04eb911f8b68a1ef.png) - -7. Target the policy to the newly created Windows 10 collection and click **OK**. - - ![Image of Configuration Manager console](images/0ccfe3e803be4b56c668b220b51da7f7.png) - -After completing this task, you now have successfully configured ASR rules in audit mode. 
- -Below are additional steps to verify whether ASR rules are correctly applied to -endpoints. (This may take few minutes) - - -1. From a web browser, navigate to . - -2. Select **Configuration management** from left side menu. - - ![A screenshot of a cell phone Description automatically generated](images/653db482c7ccaf31d06f29fb2aa24b7a.png) - -3. Click **Go to attack surface management** in the Attack surface management panel. - - ![Image of attack surface management](images/3a01c7970ce3ec977a35883c0a01f0a2.png) - -4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. - - ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) - -5. Click each device shows configuration details of ASR rules. - - ![A screenshot of attack surface reduction rules reports](images/24bfb16ed561cbb468bd8ce51130ca9d.png) - -See [Optimize ASR rule deployment and -detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details. - - -### To set Network Protection rules in Audit mode: -1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - - ![A screenshot Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) - -2. Select **Network protection**. - -3. Set the setting to **Audit** and click **Next**. - - ![A screenshot Configuration Manager](images/c039b2e05dba1ade6fb4512456380c9f.png) - -4. Confirm the new Exploit Guard Policy by clicking **Next**. - - ![A screenshot Exploit GUard policy](images/0a6536f2c4024c08709cac8fcf800060.png) - -5. Once the policy is created click on **Close**. - - ![A screenshot Exploit GUard policy](images/95d23a07c2c8bc79176788f28cef7557.png) - -6. 
Right-click on the newly created policy and choose **Deploy**. - - ![A screenshot Configuration Manager](images/8999dd697e3b495c04eb911f8b68a1ef.png) - -7. Select the policy to the newly created Windows 10 collection and choose **OK**. - - ![A screenshot Configuration Manager](images/0ccfe3e803be4b56c668b220b51da7f7.png) - -After completing this task, you now have successfully configured Network -Protection in audit mode. - -### To set Controlled Folder Access rules in Audit mode: - -1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - - ![A screenshot of Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) - -2. Select **Controlled folder access**. - -3. Set the configuration to **Audit** and click **Next**. - - ![A screenshot of Configuration Manager](images/a8b934dab2dbba289cf64fe30e0e8aa4.png) - -4. Confirm the new Exploit Guard Policy by clicking on **Next**. - - ![A screenshot of Configuration Manager](images/0a6536f2c4024c08709cac8fcf800060.png) - -5. Once the policy is created click on **Close**. - - ![A screenshot of Configuration Manager](images/95d23a07c2c8bc79176788f28cef7557.png) - -6. Right-click on the newly created policy and choose **Deploy**. - - ![A screenshot of Configuration Manager](images/8999dd697e3b495c04eb911f8b68a1ef.png) - -7. Target the policy to the newly created Windows 10 collection and click **OK**. - - ![A screenshot of Configuration Manager](images/0ccfe3e803be4b56c668b220b51da7f7.png) - -After completing this task, you now have successfully configured Controlled folder access in audit mode. - +## Next step +||| +|:-------|:-----| +|![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index 54dc6d37fa..1aabe438b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md @@ -29,6 +29,9 @@ ms.topic: article Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](advanced-hunting-overview.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/). +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga] + + ## In this section Topic | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 14398b7265..8d2e155a2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -27,155 +27,9 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -## Before you begin - -Ensure that your machines: - -- Are onboarded to Microsoft Defender Advanced Threat Protection -- Run with Windows 10 1709 (Fall Creators Update) or later - ->[!NOTE] ->Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. - -- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: - -> Release | Security update KB number and link -> :---|:--- -> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) -> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) -> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) -> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) - -- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. -- Have at least one security recommendation that can be viewed in the machine page -- Are tagged or marked as co-managed - -## Reduce your threat and vulnerability exposure - -Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. 
- -The exposure score is continuously calculated on each device in the organization and influenced by the following factors: - -- Weaknesses, such as vulnerabilities discovered on the device -- External and internal threats such as public exploit code and security alerts -- Likelihood of the device to get breached given its current security posture -- Value of the device to the organization given its role and content - -The exposure score is broken down into the following levels: - -- 0–29: low exposure score -- 30–69: medium exposure score -- 70–100: high exposure score - -You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. - -To lower down your threat and vulnerability exposure: - -1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens. - - There are two types of recommendations: - - - *Security update* which refers to recommendations that require a package installation - - *Configuration change* which refers to recommendations that require a registry or GPO modification - - Always prioritize recommendations that are associated with ongoing threats: - - - ![Threat insight](images/tvm_bug_icon.png) Threat insight icon - - ![Possible active alert](images/tvm_alert_icon.png) Active alert icon - - >![Top security recommendations](images/tvm_security_recommendations.png) - -2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. 
When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) - -3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png) - -4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png) - -5. Allow a few hours for the changes to propagate in the system. - -6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. - -## Improve your security configuration - ->[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md). - -You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities. - -1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls. - - >![Configuration score widget](images/tvm_config_score.png) - -2. Select the first item on the list. 
The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. - - ![Security controls related security recommendations](images/tvm_security_controls.png) - -3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. - - >![Request remediation](images/tvm_request_remediation.png). - - You will see a confirmation message that the remediation task has been created. - >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) - -4. Save your CSV file. - ![Save csv file](images/tvm_save_csv_file.png) - -5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system. - -6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. - -## Request a remediation - ->[!NOTE] ->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. - -The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. 
- -Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. - -1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**. - -2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**. - -3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. - -4. Go to the **Remediation** page to view the status of your remediation request. - -See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. - ->[!NOTE] ->If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. - -## File for exception - -With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request. - -There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. - -Exceptions can be created for both *Security update* and *Configuration change* recommendations. - -When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. - -1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu. - -2. Click the top-most recommendation. 
A flyout panel opens with the recommendation details. - -3. Click **Exception options**. -![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png) - -4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. - -> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png) - -5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created. -![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png) - -6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). -![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) - ## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit -1. Go to **Advanced hunting** from the left-hand navigation pane. +1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. 2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names. 
@@ -196,22 +50,22 @@ DeviceName=any(DeviceName) by DeviceId, AlertId ``` -## Conduct an inventory of software or software versions which have reached end-of-support (EOS) +## Find and remediate software or software versions which have reached end-of-support (EOS) End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks. It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. -To conduct an inventory of software or software versions which have reached end-of-support: +To find software or software versions which have reached end-of-support: 1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**. -2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options to see the list of software recommendations associated with software which have reached end of support (tagged as **EOS software**). -3. Select **Software update** from **Remediation Type** options to see the list of software recommendations associated with software and software versions which have reached end-of-support (tagged as **EOS versions installed**). -4. Select software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**. -![Screenshot of Security recommendation for a software that reached its end of life page](images/secrec_flyout.png) +2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. -5. 
In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-support, and how many vulnerabilities were discovered in it. -![Screenshot of software details for a software that reached its end of support](images/secrec_sw_details.png) + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) + +3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details. 
@@ -228,10 +82,9 @@ After you have identified which software and software versions are vulnerable du - [Weaknesses](tvm-weaknesses.md) - [Advanced hunting overview](overview-hunting.md) - [All advanced hunting tables](advanced-hunting-reference.md) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine) -- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) -- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) - +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Recommendation APIs](vulnerability.md) +- [Machine APIs](machine.md) +- [Score APIs](score.md) +- [Software APIs](software.md) +- [Vulnerability APIs](vulnerability.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index e0ce98100b..34dcdcc230 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -72,11 +72,12 @@ IE and Microsoft Edge use the **Region** settings configured in the **Clocks, La #### Known issues with regional formats **Date and time formats**
    -There are some known issues with the time and date formats. +There are some known issues with the time and date formats. If you configure your regional settings to anything other than the supported formats, the portal may not correctly reflect your settings. -The following date formats are supported: -- MM/dd/yyyy -- dd/MM/yyyy +The following date and time formats are supported: +- Date format MM/dd/yyyy +- Date format dd/MM/yyyy +- Time format hh:mm:ss (12 hour format) The following date and time formats are currently not supported: - Date format yyyy-MM-dd @@ -84,7 +85,7 @@ The following date and time formats are currently not supported: - Date format dd/MM/yy - Date format MM/dd/yy - Date format with yy. Will only show yyyy. -- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported. +- Time format HH:mm:ss (24 hour format) **Decimal symbol used in numbers**
    Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 97a1b56853..d2c196a62c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -1,6 +1,6 @@
 ---
-title: What's in the dashboard and what it means for my organization's security posture
-description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their org's security resilience.
+title: Threat & Vulnerability Management dashboard overview
+description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
 keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
 search.appverid: met150
 search.product: eADQiWindows 10XVcnh
@@ -8,8 +8,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
@@ -19,59 +19,72 @@ ms.topic: conceptual # Threat & Vulnerability Management dashboard overview **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: + - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities - Invaluable machine vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: + - View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines -- Correlate EDR insights with endpoint vulnerabilities and process them +- Correlate EDR insights with endpoint vulnerabilities and process them - Select remediation options, triage and track the remediation tasks - Select exception options and track active exceptions > [!NOTE] > Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score. +Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard. 
+ +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv] + ## Threat & Vulnerability Management in Microsoft Defender Security Center -When you open the portal, you’ll see the main areas of the capability: - ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) - - ![Threat & Vulnerability Management menu](images/tvm-menu.png) +When you open the portal, you'll see the main areas of the capability: -- (1) Menu in the navigation pane -- (2) Threat & Vulnerability Management icon +- (1) Menu to open the navigation pane +- (2) Threat & Vulnerability Management navigation pane - (3) Threat & Vulnerability Management dashboard -You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. + ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) + + ![Threat & Vulnerability Management menu](images/tvm-menu.png) + +You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section. + +## Threat & Vulnerability Management navigation pane Area | Description :---|:--- -(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. -(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**. -**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. 
-**Security recommendations** | See the list of security recommendations, their related components, whether software or software versions in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information. -**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information. -**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software or software version has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information. 
-**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information. -(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**. -**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only. -**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. See [Exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) for more information. -**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. 
The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information. -**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![Possible active alert](images/tvm_alert_icon.png), associated public exploits ![Threat insight](images/tvm_bug_icon.png), and recommendation insights ![Recommendation insight](images/tvm_insight_icon.png). Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached its end-of-life, or if the vulnerable version requires security updates and needs to be updated to the latest one). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. 
-**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. -**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions. -**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. +**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. +[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. 
You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. +[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. +[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. +[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. -See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. +## Threat & Vulnerability Management dashboard + +Area | Description +:---|:--- +**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages. 
+[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. +[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page. +**Machine exposure distribution** | See how many machines are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Useful icons also quickly calls your attention to

    • ![Possible active alert](images/tvm_alert_icon.png) possible active alerts
    • ![Threat insight](images/tvm_bug_icon.png) associated public exploits
    • ![Recommendation insight](images/tvm_insight_icon.png) recommendation insights

    Tags also indicates the remediation type required, such as **Configuration change**, **Software uninstall** (if the software has reached its end-of-life), and **Software update** (if the software version has reached end-of-support, or if a vulnerable version requires updating). You can drill down on the security recommendation to see potential risks, list of exposed machines, and insights. You can then request a remediation for the recommendation. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. +**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. +**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions. +**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. 
+ +See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Exposure score](tvm-exposure-score.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index ad6de378c5..f245ad4692 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
@@ -1,43 +1,78 @@ --- title: Exposure score -description: The Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) exposure score reflects how vulnerable your organization is to cybersecurity threats. -keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score +description: The Microsoft Defender ATP exposure score reflects how vulnerable your organization is to cybersecurity threats. +keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/30/2019 --- # Exposure score + **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Your exposure score reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. +Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. -The widget also gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. 
+The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. -![Exposure score widget](images/tvm_exp_score.png) +![Exposure score card](images/tvm_exp_score.png) ## How it works -Several factors affect your organization exposure score: -- Weakness discovered on the device -- Likelihood of a device getting breached -- Value of the device to the organization -- Relevant alert discovered on the device +Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. + +The exposure score is continuously calculated on each device in the organization and influenced by the following factors: + +- Weaknesses, such as vulnerabilities discovered on the device +- External and internal threats such as public exploit code and security alerts +- Likelihood of the device to get breached given its current security posture +- Value of the device to the organization given its role and content + +The exposure score is broken down into the following levels: + +- 0–29: low exposure score +- 30–69: medium exposure score +- 70–100: high exposure score + +You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. + +## Reduce your threat and vulnerability exposure + +To lower your threat and vulnerability exposure, follow these steps. + +1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens. 
+ + Always prioritize recommendations that are associated with ongoing threats: + + - ![Threat insight](images/tvm_bug_icon.png) Threat insight icon + - ![Possible active alert](images/tvm_alert_icon.png) Active alert icon + + ![Screenshot of security recommendations page](images/top-security-recommendations350.png) + +2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png) + +3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png) + +4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png) + +5. Allow a few hours for the changes to propagate in the system. + +6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases. -Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details. 
## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) @@ -47,8 +82,9 @@ Reduce the exposure score by addressing what needs to be remediated based on the - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score) -- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software) -- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) -- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability) +- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Recommendation APIs](vulnerability.md) +- [Machine APIs](machine.md) +- [Score APIs](score.md) +- [Software APIs](software.md) +- [Vulnerability APIs](vulnerability.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index a33b2a7311..09f5eadae8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -1,6 +1,6 @@ --- -title: Security recommendation -description: The weaknesses identified in the environment are mapped to actionable security recommendations and prioritized by their impact on the organizational exposure score. +title: Security recommendations +description: Get actionable security recommendations prioritized by threat, likelihood to be breached, and value. keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -8,17 +8,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 --- -# Security recommendation +# Security recommendations + **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > [!TIP] 
@@ -26,80 +27,125 @@ ms.date: 04/11/2019 [!include[Prerelease information](../../includes/prerelease.md)] -The cyber security weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance. +Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendation helps shorten the time to mitigate or remediate vulnerabilities and drive compliance. -Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. -## The basis of the security recommendation -Each machine in the organization is scored based on three important factors: threat, likelihood to be breached, and value, to help customers to focus on the right things at the right time. +## Criteria -- Threat - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. 
+Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time. -- Breach likelihood - Your organization's security posture and resilience against threats +- **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. -- Business value - Your organization's assets, critical processes, and intellectual properties +- **Breach likelihood** - Your organization's security posture and resilience against threats +- **Business value** - Your organization's assets, critical processes, and intellectual properties -## Navigate through your security recommendations +## Navigate to security recommendations -You can access the security recommendation from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page, to give you the context that you need, as you require it. +You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page. -*Security recommendations option from the left navigation menu* +### Top security recommendations in the Threat & Vulnerability Management dashboard -1. Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open up the list of security recommendations for the threats and vulnerabilities found in your organization. 
It gives you an overview of the security recommendation context: weaknesses found, related components, the application and operating system where the threat or vulnerabilities were found, network, accounts, and security controls, associated breach, threats, and recommendation insights, exposed machine trends, status, remediation type and activities. -![Screenshot of Security recommendations page](images/tvmsecrec-updated.png) +In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. - >[!NOTE] - > The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what’s on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. +![Screenshot of security recommendations page](images/top-security-recommendations350.png) - You can filter your view based on related components, status, and remediation type. If you want to see the remediation activities of software and software versions which have reached their end-of-life, select **Active**, then select **Software update** from the **Remediation Type** filter, and click **Apply**. -

    ![Screenshot of the remediation type filters for software update and uninstall](images/remediationtype-swupdatefilter.png) +The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation. -2. Select the security recommendation that you need to investigate or process. -

    ![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png) +### Navigation menu - -*Top security recommendations from the dashboard* +Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization. -In a given day as a Security Administrator, you can take a look at the dashboard to see your exposure score side-by-side with your configuration score. The goal is to lower down your organization's exposure from vulnerabilities, and increase your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal. +## Security recommendations overview -The top security recommendations lists down the improvement opportunities prioritized based on the three important factors mentioned in the previous section - threat, likelihood to be breached, and value. +You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. -You can click on each one of them and see the details, the description, the potential risk if you don't act on or remediate it, insights, vulnerabilities, other threats found, how many exposed devices are associated with the security recommendation, and business impact of each security recommendation on the organizational exposure and configuration score. +The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. 
This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color. -From that page, you can do any of the following depending on what you need to do: +![Screenshot of security recommendations page](images/tvmsecrec-updated.png) -- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time. +Select the security recommendation that you want to investigate or process. -- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +![Screenshot of the security recommendation page flyout for a software which reached its end-of-life](images/secrec-flyouteolsw.png) -- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive. +From the flyout, you can do any of the following: + +- **Open software page** - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time. + +- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. + +- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive. 
+ +>[!NOTE] +>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. + +## Request remediation + +The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. + +### Enable Microsoft Intune connection + +To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +### Remediation request steps + +1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. + +2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to machines. + +3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. + +>[!NOTE] +>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. 
+ +## File for exception + +With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request. + +There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. + +Exceptions can be created for both *Security update* and *Configuration change* recommendations. + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. + +1. Select a security recommendation you would like create an exception for, and then **Exception options**. +![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png) + +2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + +> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png) + +3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. +![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png) + +4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). 
+![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) ## Report inaccuracy -You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page. +You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information. -1. Select the **Security recommendation** tab. +1. Open the Security recommendation. -2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**. -![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm-report-inaccuracy.png) -
    A flyout pane opens.
    -![Screenshot of Report inaccuracy flyout pane](images/tvm-report-inaccuracyflyout.png) +2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**. -3. From the flyout pane, select the inaccuracy category from the drop-down menu. -
    ![Screenshot of Report inaccuracy categories drop-down menu](images/tvm-report-inaccuracyoptions.png)
    +![Screenshot of Report inaccuracy control](images/report-inaccuracy500.png) -4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. +3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -5. Include your machine name for investigation context. +![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png) - >[!TIP] - > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. +4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. -6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) 
@@ -109,9 +155,9 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Recommendation APIs](vulnerability.md)
+- [Machine APIs](machine.md)
+- [Score APIs](score.md)
+- [Software APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index 4428d8a925..c56539dc1b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -8,33 +8,37 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 --- # Software inventory + **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. ## Navigate through your software inventory -1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached their end-of-life. + +1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. 
The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. ![Screenshot of software inventory page](images/software_inventory_filter.png) -2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**. -3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. From the **Version distribution** tab, you can also filter the view by **Version EOL** if you want to see the software versions that has reached their end-of-life which needs to be uninstalled, replaced, or updated. + +2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**. + +3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified. 
## How it works -In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. + +In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment. Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available. @@ -42,29 +46,22 @@ Since it is real-time, in a matter of minutes, you will see vulnerability inform You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page. -1. Select the **Software inventory** tab. +1. Select one of the software rows. A flyout will appear. -2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**. -![Screenshot of Report inaccuracy control from the machine page under the Software inventory column](images/tvm_report_inaccuracy_software.png) -
    A flyout pane opens.
    -![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_softwareflyout.png) +2. Select "Report inaccuracy" in the flyout -3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu. -
    ![Screenshot of Report inaccuracy software inventory inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_softwareoptions.png)
    +![Screenshot of Report inaccuracy control](images/software-inventory-report-inaccuracy500.png) -4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported. +3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. -5. Include your machine name for investigation context. - - >[!NOTE] - > You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context. - -6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. +![Screenshot of Report inaccuracy flyout pane](images/report-inaccuracy-flyout500.png) +4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts. ## Related topics + - [Supported operating systems and platforms](tvm-supported-os.md) -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) 
@@ -72,10 +69,9 @@ You can report a false positive when you see any vague, inaccurate version, inco
 - [Remediation and exception](tvm-remediation.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
-- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
-- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
-
+- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
+- [Recommendation APIs](vulnerability.md)
+- [Machine APIs](machine.md)
+- [Score APIs](score.md)
+- [Software APIs](software.md)
+- [Vulnerability APIs](vulnerability.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
index 568f6d7c1d..bd569252f4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
@@ -1,15 +1,15 @@ --- -title: Threat & Vulnerability Management supported operating systems +title: Threat & Vulnerability Management supported operating systems and platforms description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for. -keywords: mdatp-tvm supported os, mdatp-tvm, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, configuration score, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor +ms.author: ellevin +author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -19,6 +19,7 @@ ms.topic: article # Threat & Vulnerability Management supported operating systems and platforms **Applies to:** + - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -32,7 +33,7 @@ Operating system | Security assessment support Windows 7 | Operating System (OS) vulnerabilities Windows 8.1 | Not supported Windows 10 1607-1703 | Operating System (OS) vulnerabilities -Windows 10 1709+ |Operating System (OS) vulnerabilities
    Software product vulnerabilities
    Operating System (OS) configuration assessment
    Security controls configuration assessment
    Software product configuration assessment +Windows 10 1709+ |Operating System (OS) vulnerabilities
    Software product vulnerabilities
    Operating System (OS) configuration assessment
    Security controls configuration assessment
    Software product configuration assessment Windows Server 2008R2 | Operating System (OS) vulnerabilities
    Software product vulnerabilities Windows Server 2012R2 | Operating System (OS) vulnerabilities
    Software product vulnerabilities Windows Server 2016 | Operating System (OS) vulnerabilities
    Software product vulnerabilities @@ -43,6 +44,7 @@ Linux | Not supported (planned) Some of the above prerequisites might be different from the [Minimum requirements for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements) list. ## Related topics + - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) @@ -52,4 +54,3 @@ Some of the above prerequisites might be different from the [Minimum requirement - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 2d9187a57f..689a9fe3d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md 
@@ -27,6 +27,9 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). +RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: +`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us` + ## November-December 2019 - [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
    Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md). diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 4c475c71c0..de8bac35db 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -44,7 +44,7 @@ The Security Compliance Toolkit consists of: - Office 365 ProPlus (Sept 2019) - Microsoft Edge security baseline - - Version 79 + - Version 80 - Tools - Policy Analyzer tool diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index b777bb0066..378bc21d36 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -20,7 +20,8 @@ ms.date: 04/19/2017 # Administer security policy settings **Applies to** -- Windows 10 + +- Windows 10 This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization. 
@@ -30,90 +31,46 @@ Security settings policies are rules that you can configure on a device, or mult Security settings can control: -- User authentication to a network or device. -- The resources that users are permitted to access. -- Whether to record a user’s or group’s actions in the event log. -- Membership in a group. +- User authentication to a network or device. +- The resources that users are permitted to access. +- Whether to record a user's or group's actions in the event log. +- Membership in a group. For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md). To manage security configurations for multiple computers, you can use one of the following options: -- Edit specific security settings in a GPO. -- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security. -## What’s changed in how settings are administered? +- Edit specific security settings in a GPO. +- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security. + +## What's changed in how settings are administered Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered. 
- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Tool or featureDescription and use

    Security Policy snap-in

    Secpol.msc

    -

    MMC snap-in designed to manage only security policy settings.

    Security editor command line tool

    Secedit.exe

    -

    Configures and analyzes system security by comparing your current configuration to specified security templates.

    Security Compliance Manager

    Tool download

    -

    A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.

    Security Configuration Wizard

    Scw.exe

    -

    SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.

    Security Configuration Manager tool

    This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.

    Group Policy

    Gpmc.msc and Gpedit.msc

    -

    The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.

    Software Restriction Policies

    -

    See Administer Software Restriction Policies.

    Gpedit.msc

    -

    Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.

    AppLocker

    -

    See Administer AppLocker.

    Gpedit.msc

    -

    Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.

    - +|Tool or feature |Description and use | +|---------|---------| +|[Security Policy snap-in](#using-the-local-security-policy-snap-in)|Secpol.msc
    MMC snap-in designed to manage only security policy settings.| +|[Security editor command line tool](#using-the-secedit-command-line-tool) |Secedit.exe
    Configures and analyzes system security by comparing your current configuration to specified security templates.| +|[Security Compliance Manager](#using-the-security-compliance-manager)|Tool download
    A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.| +|[Security Configuration Wizard](#using-the-security-configuration-wizard)|Scw.exe
    SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.| +|[Security Configuration Manager tool](#working-with-the-security-configuration-manager)|This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.| +|[Group Policy](#working-with-group-policy-tools)|Gpmc.msc and Gpedit.msc
    The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.| +|Software Restriction Policies
    See [Administer Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc
    Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.| +|Administer AppLocker
    See [Administer AppLocker](/windows/device-security/applocker/administer-applocker)|Gpedit.msc
    Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.| + ## Using the Local Security Policy snap-in The Local Security Policy snap-in (Secpol.msc) restricts the view of local policy objects to the following policies and features: -- Account Policies -- Local Policies -- Windows Firewall with Advanced Security -- Network List Manager Policies -- Public Key Policies -- Software Restriction Policies -- Application Control Policies -- IP Security Policies on Local Computer -- Advanced Audit Policy Configuration +- Account Policies +- Local Policies +- Windows Firewall with Advanced Security +- Network List Manager Policies +- Public Key Policies +- Software Restriction Policies +- Application Control Policies +- IP Security Policies on Local Computer +- Advanced Audit Policy Configuration Policies set locally might be overwritten if the computer is joined to the domain. 
@@ -123,12 +80,12 @@ The Local Security Policy snap-in is part of the Security Configuration Manager The secedit command-line tool works with security templates and provides six primary functions: -- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. -- The **Analyze** parameter compares the server’s security configuration with the selected template. -- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. -- The **Export** parameter allows you to export the settings from a database into a security settings template. -- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue. -- The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. +- The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. +- The **Analyze** parameter compares the server's security configuration with the selected template. +- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. +- The **Export** parameter allows you to export the settings from a database into a security settings template. +- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. 
This ensures that if the template fails to apply syntax, the template will not be the issue. +- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. ## Using the Security Compliance Manager @@ -136,10 +93,10 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl **To administer security policies by using the Security Compliance Manager** -1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog. -2. Read the relevant security baseline documentation that is included in this tool. -3. Download and import the relevant security baselines. The installation process steps you through baseline selection. -4. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. +1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog. +1. Read the relevant security baseline documentation that is included in this tool. +1. Download and import the relevant security baselines. The installation process steps you through baseline selection. +1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines. ## Using the Security Configuration Wizard 
@@ -155,62 +112,36 @@ The following are considerations for using SCW: - SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. - All apps that use the IP protocol and ports must be running on the server when you run SCW. - In some cases, you must be connected to the Internet to use the links in the SCW help. - > **Note** The SCW is available only on Windows Server and only applicable to server installations. - + > [!NOTE] + > The SCW is available only on Windows Server and only applicable to server installations. + The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to: -- Create a security policy that can be applied to any server on your network. -- Edit an existing security policy. -- Apply an existing security policy. -- Roll back the last applied security policy. +- Create a security policy that can be applied to any server on your network. +- Edit an existing security policy. +- Apply an existing security policy. +- Roll back the last applied security policy. -The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings. +The Security Policy Wizard configures services and network security based on the server's role, as well as configures auditing and registry settings. -For more information about SCW, including procedures, see [Security Configuration Wizard](https://technet.microsoft.com/library/cc754997.aspx). +For more information about SCW, including procedures, see [Security Configuration Wizard](https://docs.microsoft.com/previous-versions/orphan-topics/ws.11/cc754997(v=ws.11)). ## Working with the Security Configuration Manager The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain. 
-For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://technet.microsoft.com/library/cc758219(WS.10).aspx). +For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc758219(v=ws.10)). The following table lists the features of the Security Configuration Manager. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Security Configuration Manager toolsDescription

    Security Configuration and Analysis

    Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

    Security templates

    Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.

    Security Settings extension to Group Policy

    Edits individual security settings on a domain, site, or organizational unit.

    Local Security Policy

    Edits individual security settings on your local computer.

    Secedit

    Automates security configuration tasks at a command prompt.

    - +|Security Configuration Manager tools |Description | +|---------|---------| +|[Security Configuration and Analysis](#security-configuration-and-analysis) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.| +|[Security templates](#security-templates) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.| +|[Security Settings extension to Group Policy](#security-settings-extension-to-group-policy) |Edits individual security settings on a domain, site, or organizational unit.| +|[Local Security Policy](#local-security-policy)|Edits individual security settings on your local computer.| +|Secedit |Automates security configuration tasks at a command prompt.| + ### Security Configuration and Analysis Security Configuration and Analysis is an MMC snap-in for analyzing and configuring local system security. 
@@ -238,19 +169,19 @@ To apply a security template to your local device, you can use Security Configur Security templates can be used to define: -- Account Policies - - Password Policy - - Account Lockout Policy - - Kerberos Policy -- Local Policies - - Audit Policy - - User Rights Assignment - - Security Options -- Event Log: Application, system, and security Event Log settings -- Restricted Groups: Membership of security-sensitive groups -- System Services: Startup and permissions for system services -- Registry: Permissions for registry keys -- File System: Permissions for folders and files +- Account Policies + - Password Policy + - Account Lockout Policy + - Kerberos Policy +- Local Policies + - Audit Policy + - User Rights Assignment + - Security Options +- Event Log: Application, system, and security Event Log settings +- Restricted Groups: Membership of security-sensitive groups +- System Services: Startup and permissions for system services +- Registry: Permissions for registry keys +- File System: Permissions for folders and files Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. 
@@ -260,15 +191,15 @@ Organizational units, domains, and sites are linked to Group Policy Objects. The Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control: -- How users are authenticated to a network or device -- What resources users are authorized to use. -- Whether or not a user's or group's actions are recorded in the event log. -- Group membership. +- How users are authenticated to a network or device +- What resources users are authorized to use. +- Whether or not a user's or group's actions are recorded in the event log. +- Group membership. You can change the security configuration on multiple computers in two ways: -- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object. -- Change a few select settings with security settings. +- Create a security policy by using a security template with Security Templates, and then import the template through security settings to a Group Policy Object. +- Change a few select settings with security settings. ### Local Security Policy 
@@ -276,59 +207,61 @@ A security policy is a combination of security settings that affect the security With the local security policy, you can control: -- Who accesses your device. -- What resources users are authorized to use on your device. -- Whether or not a user’s or group's actions are recorded in the event log. +- Who accesses your device. +- What resources users are authorized to use on your device. +- Whether or not a user's or group's actions are recorded in the event log. If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence. -1. Organizational unit policy -2. Domain policy -3. Site policy -4. Local computer policy +1. Organizational unit policy +1. Domain policy +1. Site policy +1. Local computer policy If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. ### Using the Security Configuration Manager -For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about: +For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784762(v=ws.10)). 
This section contains information in this topic about: -- [Applying security settings](#bkmk-applysecsettings) -- [Importing and exporting security templates](#bkmk-impexpsectmpl) -- [Analyzing security and viewing results](#bkmk-anasecviewresults) -- [Resolving security discrepancies](#bkmk-resolvesecdiffs) -- [Automating security configuration tasks](#bkmk-autoseccfgtasks) +- [Applying security settings](#applying-security-settings) +- [Importing and exporting security templates](#importing-and-exporting-security-templates) +- [Analyzing security and viewing results](#analyzing-security-and-viewing-results) +- [Resolving security discrepancies](#resolving-security-discrepancies) +- [Automating security configuration tasks](#automating-security-configuration-tasks) ### Applying security settings Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: -- When a device is restarted, the settings on that device will be refreshed. -- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. +- When a device is restarted, the settings on that device will be refreshed. +- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. **Precedence of a policy when more than one policy is applied to a computer** For security settings that are defined by more than one policy, the following order of precedence is observed: -1. Organizational Unit Policy -2. Domain Policy -3. Site Policy -4. Local computer Policy +1. Organizational Unit Policy +1. Domain Policy +1. Site Policy +1. Local computer Policy For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. 
Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. -> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order. + +> [!NOTE] +> Use gpresult.exe to find out what policies are applied to a device and in what order. For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies. - + **Persistence in security settings** Security settings may still persist even if a setting is no longer defined in the policy that originally applied it. Persistence in security settings occurs when: -- The setting has not been previously defined for the device. -- The setting is for a registry object. -- The setting is for a file system object. +- The setting has not been previously defined for the device. +- The setting is for a registry object. +- The setting is for a file system object. All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing." 
@@ -350,42 +283,14 @@ Security Configuration and Analysis performs security analysis by comparing the Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Visual flagMeaning

    Red X

    The entry is defined in the analysis database and on the system, but the security setting values do not match.

    Green check mark

    The entry is defined in the analysis database and on the system and the setting values match.

    Question mark

    The entry is not defined in the analysis database and, therefore, was not analyzed.

    -

    If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.

    Exclamation point

    This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.

    No highlight

    The item is not defined in the analysis database or on the system.

    - +|Visual flag |Meaning | +|---------|---------| +|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.| +|Green check mark |The entry is defined in the analysis database and on the system and the setting values match.| +|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed.
    If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.| +|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.| +|No highlight |The item is not defined in the analysis database or on the system.| + If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. 
@@ -394,11 +299,12 @@ To avoid continued flagging of settings that you have investigated and determine You can resolve discrepancies between analysis database and system settings by: -- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. -- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. -- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. -Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. -You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. +- Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. 
These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. +- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. +- Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. +Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. +You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. +In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. ### Automating security configuration tasks diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 217b812683..300344160d 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md 
@@ -1,6 +1,6 @@
 ---
-title: Interactive logon Prompt user to change password before expiration (Windows 10)
-description: Best practices, security considerations, and more for the security policy setting, Interactive logon Prompt user to change password before expiration.
+title: Interactive log-on prompt user to change password before expiration (Windows 10)
+description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration.
 ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9
 ms.reviewer:
 ms.author: dansimp
@@ -17,52 +17,52 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Interactive logon: Prompt user to change password before expiration +# Interactive log on: Prompt the user to change passwords before expiration **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. +This article describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. ## Reference -The **Interactive logon: Prompt user to change password before expiration** policy setting determines how many days in advance users are warned that their passwords are about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. +This policy setting determines when users are warned that their passwords are about to expire. This warning gives users time to select a strong password before their current password expires to avoid losing system access. ### Possible values -- A user-defined number of days from 0 through 999. -- Not defined. +- A user-defined number of days from 0 through 999 +- Not defined ### Best practices -1. Configure user passwords to expire periodically. Users will need warning that their passwords are going to expire, or they might inadvertently get locked out of the system. This could lead to confusion for users who access the network locally, or make it impossible for users who access the network through dial-up or virtual private network (VPN) connections to log on. -2. Set **Interactive logon: Prompt user to change password before expiration** to 5 days. When their password expiration date is 5 or fewer days away, users will see a dialog box each time they log on to the domain. -3. 
Do not set the value to 0, which results in displaying the password expiration warning every time the user logs on. +- Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. +- Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. +- Don't set the value to zero, which displays the password expiration warning every time the user logs on. ### Location -Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options +*Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options* ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the default values for this policy. Default values are also listed on the policy’s property page. -| Server type or GPO | Default value | +| Server type or Group Policy Object | Default value | | - | - | | Default Domain Policy| Not defined| | Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | 5 days| -| DC Effective Default Settings | 5 days | -| Member Server Effective Default Settings| 5 days | -| Client Computer Effective Default Settings | 5 days| +| Stand-Alone Server Default Settings | Five days| +| DC Effective Default Settings | Five days | +| Member Server Effective Default Settings| Five days | +| Client Computer Effective Default Settings | Five days| ## Policy management -This section describes features and tools that are available to help you manage this policy. +This section describes features and tools that you can use to manage this policy. ### Restart requirement -None. 
Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations 
@@ -70,24 +70,24 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +Configure this policy setting by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, it can be configured on the local computer through the Local Security Policy snap-in. ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and possible negative consequences of the countermeasure. ### Vulnerability -If user passwords are configured to expire periodically in your organization, users need to be warned when this is about to happen, or they may be locked out of the device inadvertently when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections. +If user passwords are configured to expire periodically in your organization, users need to be warned before expiration. Otherwise, they may get locked out of the devices inadvertently. ### Countermeasure -Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days. +Configure the **Interactive logon: Prompt user to change password before expiration** setting to five days. 
### Potential impact
-Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
+Users see a dialog-box that prompts them to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
 ## Related topics
-- [Security Options](security-options.md)
+- [Security options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
index d36aa5c106..457ba6494f 100644
--- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
+++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md
@@ -1,6 +1,6 @@
 ---
 title: Microsoft network client Digitally sign communications (always) (Windows 10)
-description: Best practices, security considerations and more for the security policy setting, Microsoft network client Digitally sign communications (always).
+description: Best practices and security considerations for the Microsoft network client Digitally sign communications (always) security policy setting.
 ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76
 ms.reviewer:
 manager: dansimp
@@ -20,46 +20,46 @@ ms.date: 06/28/2018 - Windows 10 - Windows Server -Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. +This article describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports digital signing of SMB packets. -Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data access failure. +Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." Misuse of these policy settings is a common error that can cause data access failure. -Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. 
Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). +Beginning with SMBv2 clients and servers, signing can be either *required* or *not required*. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. +Negotiation occurs between the SMB client and the SMB server to decide whether signing will be used. The following table shows the effective behavior for SMBv3 and SMBv2. -| | Server – Required | Server – Not Required | +| | Server – required | Server – not required | |---------------------------|---------------------|------------------------| -| **Client – Required** | Signed | Signed | -| **Client – Not Required** | Signed 1 | Not Signed2 | +| **Client – required** | Signed | Signed | +| **Client – not required** | Signed 1 | Not signed2 |
    1 Default for domain controller SMB traffic
    2 Default for all other SMB traffic -Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). +Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact). ### Possible values - Enabled - Disabled -### Best practices +### Best practice Enable **Microsoft network client: Digitally sign communications (always)**. ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options* ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the default values for this policy. Default values are also listed on the policy’s property page. | Server type or GPO | Default value | | - | - | 
@@ -72,33 +72,33 @@ The following table lists the actual and effective default values for this polic ## Policy management -This section describes features and tools that are available to help you manage this policy. +This section describes features and tools that you can use to manage this policy. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure. ### Vulnerability -Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. +Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it to make the server perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. 
-SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that's supported by many versions of the Windows operating system. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't happen. ### Countermeasure Enable **Microsoft network client: Digitally sign communications (always)**. ->[!NOTE] ->An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. +> [!NOTE] +> An alternative countermeasure that could protect all network traffic is to implement digital signatures through IPsec. There are hardware-based accelerators for IPsec encryption and signing that can be used to minimize the performance impact on servers. No such accelerators are available for SMB signing. ### Potential impact -Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. +Storage speeds affect performance. 
A faster drive on the source and destination allows more throughput, which causes more CPU usage for signing. If you're using a 1-Gb Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater.
 ## Related topics
-- [Security Options](security-options.md)
+- [Security options](security-options.md)
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 01dea39c48..4870151b22 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -1,6 +1,6 @@
 ---
 title: Network security Allow PKU2U authentication requests to this computer to use online identities (Windows 10)
-description: Best practices and more for the security policy setting, Network Security Allow PKU2U authentication requests to this computer to use online identities.
+description: Best practices for the Network Security Allow PKU2U authentication requests to this computer to use online identities security setting.
 ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926
 ms.reviewer:
 ms.author: dansimp
@@ -22,45 +22,41 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. +This article describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. ## Reference -Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system, and it supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. +Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. -When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. 
It associates the user's certificate to a security token, and then the logon process completes. -> [!Note] -> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. +> [!NOTE] +> Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. ### Possible values -- **Enabled** +- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. - This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. + > [!NOTE] + > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. 
To resolve this, enable PKU2U on the server. -> [!Note] -> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server. +- **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. -- **Disabled** - - This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. - -- Not set. Not configuring this policy prevents online IDs from being used to authenticate the user. This is the default on domain-joined devices +- ***Not set***: Not configuring this policy prevents online IDs from being used to authenticate the user. This option is the default on domain-joined devices. ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or do not configure this policy to exclude online identities from being used to authenticate. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +*Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options* ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the effective default values for this policy. Default values are also listed on the policy’s property page. | Server type or Group Policy Object (GPO) | Default value | | - | - | 
@@ -73,20 +69,20 @@ The following table lists the actual and effective default values for this polic ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of the countermeasure. ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft Account, so that account can log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). Although this is beneficial for workgroups or home groups, using this feature in a domain-joined environment might circumvent your established security policies. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is beneficial for workgroups or home groups. But in a domain-joined environment, it might circumvent established security policies. ### Countermeasure -Set this policy to Disabled or do not configure this security policy for domain-joined devices. +Set this policy to *Disabled* or don't configure this security policy for domain-joined devices. ### Potential impact -If you do not set or disable this policy, the PKU2U protocol will not be used to authenticate between peer devices, which forces users to follow domain defined access control policies. If you enable this policy, you will allow your users to authenticate by using local certificates between systems that are not part of a domain that uses PKU2U. 
This will allow users to share resources between devices +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. If you enable this policy, you allow your users to authenticate by using local certificates between systems that aren't part of a domain that uses PKU2U. This configuration allows users to share resources between devices. ## Related topics -- [Security Options](security-options.md) +- [Security options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index a6ae751c35..a8bd08c42d 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -20,7 +20,8 @@ ms.date: 04/19/2017 # Security policy settings **Applies to** -- Windows 10 + +- Windows 10 This reference topic describes the common scenarios, architecture, and processes for security settings. 
@@ -28,43 +29,43 @@ Security policy settings are rules that administrators configure on a computer o Security settings can control: -- User authentication to a network or device. -- The resources that users are permitted to access. -- Whether to record a user’s or group’s actions in the event log. -- Membership in a group. +- User authentication to a network or device. +- The resources that users are permitted to access. +- Whether to record a user's or group's actions in the event log. +- Membership in a group. To manage security configurations for multiple devices, you can use one of the following options: -- Edit specific security settings in a GPO. -- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security. +- Edit specific security settings in a GPO. +- Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, applied to a local device, or used to analyze security. For more info about managing security configurations, see [Administer security policy settings](administer-security-policy-settings.md). The Security Settings extension of the Local Group Policy Editor includes the following types of security policies: -- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. Account policies include the following types of policies: +- **Account Policies.** These polices are defined on devices; they affect how user accounts can interact with the computer or domain. 
Account policies include the following types of policies: - - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. - - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. - - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement. + - **Password Policy.** These policies determine settings for passwords, such as enforcement and lifetimes. Password policies are used for domain accounts. + - **Account Lockout Policy.** These policies determine the conditions and length of time that an account will be locked out of the system. Account lockout policies are used for domain or local user accounts. + - **Kerberos Policy.** These policies are used for domain user accounts; they determine Kerberos-related settings, such as ticket lifetimes and enforcement. -- **Local Policies.** These policies apply to a computer and include the following types of policy settings: +- **Local Policies.** These policies apply to a computer and include the following types of policy settings: - - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). - - >**Note:**  For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. 
- - - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + - **Audit Policy.** Specify security settings that control the logging of security events into the Security log on the computer, and specifies what types of security events to log (success, failure, or both). -- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. -- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. -- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. -- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. -- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. -- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. -- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. 
The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under -Local Policies. + > [!NOTE] + > For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. + + - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device + - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + +- **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. +- **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. +- **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. +- **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. +- **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. +- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. 
+- **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. ## Policy-based security settings management 
@@ -80,72 +81,72 @@ As part of your security strategy, you can create GPOs with security settings po You can create an organizational unit (OU) structure that groups devices according to their roles. Using OUs is the best method for separating specific security requirements for the different roles in your network. This approach also allows you to apply customized security templates to each class of server or computer. After creating the security templates, you create a new GPO for each of the OUs, and then import the security template (.inf file) into the new GPO. -Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template’s security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random -offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. +Importing a security template to a GPO ensures that any accounts to which the GPO is applied automatically receive the template's security settings when the Group Policy settings are refreshed. On a workstation or server, the security settings are refreshed at regular intervals (with a random offset of at most 30 minutes), and, on a domain controller, this process occurs every few minutes if changes have occurred in any of the GPO settings that apply. The settings are also refreshed every 16 hours, whether or not any changes have occurred. + +> [!NOTE] +> These refresh settings vary between versions of the operating system and can be configured. ->**Note:**  These refresh settings vary between versions of the operating system and can be configured. 
- By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. ### Dependencies on other operating system technologies For devices that are members of a Windows Server 2008 or later domain, security settings policies depend on the following technologies: -- **Active Directory Domain Services (AD DS)** +- **Active Directory Domain Services (AD DS)** - The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. -- **Group Policy** +- **Group Policy** - The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. + The infrastructure within AD DS that enables directory-based configuration management of user and computer settings on devices running Windows Server. 
By using Group Policy, you can define configurations for groups of users and computers, including policy settings, registry-based policies, software installation, scripts, folder redirection, Remote Installation Services, Internet Explorer maintenance, and security. -- **Domain Name System (DNS)** +- **Domain Name System (DNS)** - A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. -- **Winlogon** +- **Winlogon** - A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers. + A part of the Windows operating system that provides interactive logon support. Winlogon is designed around an interactive logon model that consists of three components: the Winlogon executable, a credential provider, and any number of network providers. -- **Setup** +- **Setup** - Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server. + Security configuration interacts with the operating system setup process during a clean installation or upgrade from earlier versions of Windows Server. 
-- **Security Accounts Manager (SAM)** +- **Security Accounts Manager (SAM)** - A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs. + A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs. -- **Local Security Authority (LSA)** +- **Local Security Authority (LSA)** - A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + A protected subsystem that authenticates and logs users onto the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. -- **Windows Management Instrumentation (WMI)** +- **Windows Management Instrumentation (WMI)** - A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers. + A feature of the Microsoft Windows operating system, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), which is an industry initiative to develop a standard technology for accessing management information in an enterprise environment. WMI provides access to information about objects in a managed environment. 
Through WMI and the WMI application programming interface (API), applications can query for and make changes to static information in the Common Information Model (CIM) repository and dynamic information maintained by the various types of providers. -- **Resultant Set of Policy (RSoP)** +- **Resultant Set of Policy (RSoP)** - An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. -- **Service Control Manager (SCM)** +- **Service Control Manager (SCM)** - Used for configuration of service startup modes and security. + Used for configuration of service startup modes and security. -- **Registry** +- **Registry** - Used for configuration of registry values and security. + Used for configuration of registry values and security. -- **File system** +- **File system** - Used for configuration of security. + Used for configuration of security. -- **File system conversions** +- **File system conversions** - Security is set when an administrator converts a file system from FAT to NTFS. + Security is set when an administrator converts a file system from FAT to NTFS. 
-- **Microsoft Management Console (MMC)** +- **Microsoft Management Console (MMC)** - The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in. + The user interface for the Security Settings tool is an extension of the Local Group Policy Editor MMC snap-in. ### Security settings policies and Group Policy @@ -153,25 +154,25 @@ The Security Settings extension of the Local Group Policy Editor is part of the The following diagram shows Security Settings and related features. -**Security Settings Policies and Related Features** +#### Security Settings Policies and Related Features ![components related to security policies](images/secpol-components.gif) -- **Scesrv.dll** +- **Scesrv.dll** - Provides the core security engine functionality. + Provides the core security engine functionality. -- **Scecli.dll** +- **Scecli.dll** - Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP). + Provides the client-side interfaces to the security configuration engine and provides data to Resultant Set of Policy (RSoP). -- **Wsecedit.dll** +- **Wsecedit.dll** - The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface. + The Security Settings extension of Local Group Policy Editor. scecli.dll is loaded into wsecedit.dll to support the Security Settings user interface. -- **Gpedit.dll** +- **Gpedit.dll** - The Local Group Policy Editor MMC snap-in. + The Local Group Policy Editor MMC snap-in. ## Security Settings extension architecture 
@@ -185,57 +186,56 @@ The security settings configuration and analysis tools include a security config The following list describes these primary features of the security configuration engine and other Security Settings−related features. -- **scesrv.dll** +- **scesrv.dll** - This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. - Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. + Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. - Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. 
- Communication between parts of the Security Settings extension occurs by using the following methods: + Communication between parts of the Security Settings extension occurs by using the following methods: - - Component Object Model (COM) calls - - Local Remote Procedure Call (LRPC) - - Lightweight Directory Access Protocol (LDAP) - - Active Directory Service Interfaces (ADSI) - - Server Message Block (SMB) - - Win32 APIs - - Windows Management Instrumentation (WMI) calls + - Component Object Model (COM) calls + - Local Remote Procedure Call (LRPC) + - Lightweight Directory Access Protocol (LDAP) + - Active Directory Service Interfaces (ADSI) + - Server Message Block (SMB) + - Win32 APIs + - Windows Management Instrumentation (WMI) calls - On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs. - Scesrv.dll also performs configuration and analysis operations. + On domain controllers, scesrv.dll receives notifications of changes made to SAM and the LSA that need to be synchronized across domain controllers. Scesrv.dll incorporates those changes into the Default Domain Controller Policy GPO by using in-process scecli.dll template modification APIs. + Scesrv.dll also performs configuration and analysis operations. -- **Scecli.dll** +- **Scecli.dll** - This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. 
It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. - The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. + The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. - Scecli.dll implements the client-side extension for Group Policy. + Scecli.dll implements the client-side extension for Group Policy. - Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device. + Scesrv.dll uses scecli.dll to download applicable Group Policy files from SYSVOL in order to apply Group Policy security settings to the local device. - Scecli.dll logs application of security policy into WMI (RSoP). + Scecli.dll logs application of security policy into WMI (RSoP). - Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA. + Scesrv.dll policy filter uses scecli.dll to update Default Domain Controller Policy GPO when changes are made to SAM and LSA. -- **Wsecedit.dll** +- **Wsecedit.dll** - The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO. + The Security Settings extension of the Group Policy Object Editor snap-in. You use this tool to configure security settings in a Group Policy Object for a site, domain, or organizational unit. You can also use Security Settings to import security templates to a GPO. -- **Secedit.sdb** +- **Secedit.sdb** - This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. 
+ This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. -- **User databases** +- **User databases** - A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security. + A user database is any database other than the system database created by administrators for the purposes of configuration or analysis of security. -- **.Inf Templates** +- **.Inf Templates** - These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into - the system database during policy propagation. + These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. ## Security settings policy processes and interactions 
@@ -245,39 +245,39 @@ For a domain-joined device, where Group Policy is administered, security setting When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: -1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. -2. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: +1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. +1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: - - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. - - The location of the device in Active Directory. - - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. + - The location of the device in Active Directory. + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. -3. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. -4. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. -5. The user presses CTRL+ALT+DEL to log on. -6. 
After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. -7. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: +1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. +1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. +1. The user presses CTRL+ALT+DEL to log on. +1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. +1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: - - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. - - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. - - The location of the user in Active Directory. - - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. + - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. + - The location of the user in Active Directory. + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. -8. User policy is applied. These are the settings under User Configuration from the gathered list. 
This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. -9. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. -10. The operating system user interface that is prescribed by Group Policy appears. +1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. +1. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. +1. The operating system user interface that is prescribed by Group Policy appears. ### Group Policy Objects storage A Group Policy Object (GPO) is a virtual object that is identified by a Globally Unique Identifier (GUID) and stored at the domain level. The policy setting information of a GPO is stored in the following two locations: -- **Group Policy containers in Active Directory.** +- **Group Policy containers in Active Directory.** - The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. + The Group Policy container is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. -- **Group Policy templates in a domain’s system volume folder (SYSVOL).** +- **Group Policy templates in a domain's system volume folder (SYSVOL).** - The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. 
The Group Policy template is located in the SYSVOL folder in the domain\\Policies subfolder. + The Group Policy template is a file system folder that includes policy data specified by .admx files, security settings, script files, and information about applications that are available for installation. The Group Policy template is located in the SYSVOL folder in the \\\Policies subfolder. The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GPO list, including the version number of the GPO, a pointer to a string that indicates the Active Directory portion of the GPO, and a pointer to a string that specifies the path to the file system portion of the GPO. 
@@ -285,21 +285,21 @@ The **GROUP\_POLICY\_OBJECT** structure provides information about a GPO in a GP Group Policy settings are processed in the following order: -1. **Local Group Policy Object.** +1. **Local Group Policy Object.** - Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally. + Each device running a Windows operating system beginning with Windows XP has exactly one Group Policy Object that is stored locally. -2. **Site.** +1. **Site.** - Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify. + Any Group Policy Objects that have been linked to the site are processed next. Processing is synchronous and in an order that you specify. -3. **Domain.** +1. **Domain.** - Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. + Processing of multiple domain-linked Group Policy Objects is synchronous and in an order you speciy. -4. **Organizational units.** +1. **Organizational units.** - Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed. + Group Policy Objects that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then Group Policy Objects that are linked to its child organizational unit, and so on. Finally, the Group Policy Objects that are linked to the organizational unit that contains the user or device are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no Group Policy Objects can be linked. 
If several Group Policy Objects are linked to an organizational unit, their processing is synchronous and in an order that you specify. 
@@ -311,34 +311,34 @@ This is the default processing order and administrators can specify exceptions t In the context of Group Policy processing, security settings policy is processed in the following order. -1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply. -2. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension. -3. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller. -4. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the “Group Policy processing order” section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged. +1. During Group Policy processing, the Group Policy engine determines which security settings policies to apply. +1. If security settings policies exist in a GPO, Group Policy invokes the Security Settings client-side extension. +1. The Security Settings extension downloads the policy from the appropriate location such as a specific domain controller. +1. The Security Settings extension merges all security settings policies according to precedence rules. The processing is according to the Group Policy processing order of local, site, domain, and organizational unit (OU), as described earlier in the "Group Policy processing order" section. If multiple GPOs are in effect for a given device and there are no conflicting policies, then the policies are cumulative and are merged. - This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. 
This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs. + This example uses the Active Directory structure shown in the following figure. A given computer is a member of OU2, to which the **GroupMembershipPolGPO** GPO is linked. This computer is also subject to the **UserRightsPolGPO** GPO, which is linked to OU1, higher in the hierarchy. In this case, no conflicting policies exist so the device receives all of the policies contained in both the **UserRightsPolGPO** and the **GroupMembershipPolGPO** GPOs. - **Multiple GPOs and Merging of Security Policy** + **Multiple GPOs and Merging of Security Policy** - ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) + ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif) -5. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. -6. The security settings policies are applied to devices. +1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb. +1. The security settings policies are applied to devices. The following figure illustrates the security settings policy processing. **Security Settings Policy Processing** -![process and interactions of security policy settin](images/secpol-processes.gif) +![process and interactions of security policy settings](images/secpol-processes.gif) ### Merging of security policies on domain controllers Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. 
This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: -- Network Security: Force logoff when logon hours expire -- Accounts: Administrator account status -- Accounts: Guest account status -- Accounts: Rename administrator account -- Accounts: Rename guest account +- Network Security: Force logoff when logon hours expire +- Accounts: Administrator account status +- Accounts: Guest account status +- Accounts: Rename administrator account +- Accounts: Rename guest account Another mechanism exists that allows security policy changes made by administrators by using net accounts to be merged into the Default Domain Policy GPO. User rights changes that are made by using Local Security Authority (LSA) APIs are filtered into the Default Domain Controllers Policy GPO. @@ -350,9 +350,9 @@ If an application is installed on a primary domain controller (PDC) with operati After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: -- When a device is restarted. -- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. -- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. +- When a device is restarted. +- Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. +- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. ### Persistence of security settings policy 
@@ -360,12 +360,12 @@ Security settings can persist even if a setting is no longer defined in the poli Security settings might persist in the following cases: -- The setting has not been previously defined for the device. -- The setting is for a registry security object. -- The settings are for a file system security object. +- The setting has not been previously defined for the device. +- The setting is for a registry security object. +- The settings are for a file system security object. -All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. -This behavior is sometimes referred to as “tattooing.” +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. +This behavior is sometimes referred to as "tattooing". Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. 
@@ -377,8 +377,9 @@ Both Apply Group Policy and Read permissions are required to have the settings f By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. -**Note:**  Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. - +> [!NOTE] +> Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. + ### Migration of GPOs containing security settings In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. 
@@ -387,12 +388,12 @@ Data for a single GPO is stored in multiple locations and in various formats; so The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. -- User rights assignment -- Restricted groups -- Services -- File system -- Registry -- The GPO DACL, if you choose to preserve it during a copy operation +- User rights assignment +- Restricted groups +- Services +- File system +- Registry +- The GPO DACL, if you choose to preserve it during a copy operation To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. 
@@ -400,6 +401,6 @@ To ensure that data is copied correctly, you can use Group Policy Management Con | Topic | Description | | - | - | -| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.| -| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.| -| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| +| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.| +| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.| +| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.| diff --git a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md index 228378515b..9b7b2cffbf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/antivirus-false-positives-negatives.md @@ -13,7 +13,7 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 02/05/2020 -ms.reviewer: +ms.reviewer: shwetaj manager: dansimp audience: ITPro ms.topic: article diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 17897257a2..b42e1c8729 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: ksarens manager: dansimp --- 
@@ -22,14 +22,12 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. - -This utility can be useful when you want to automate Windows Defender Antivirus use. - -You can find the utility in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_. You must run it from a command prompt. +You can perform various Windows Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Windows Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. > [!NOTE] > You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. +> +> If you're running an updated Windows Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\`. The utility has the following commands: 
@@ -44,11 +42,11 @@ MpCmdRun.exe -scan -2 | Command | Description | |:----|:----| | `-?` **or** `-h` | Displays all available options for this tool | -| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. | +| `-Scan [-ScanType [0\|1\|2\|3]] [-File [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout ] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. | | `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing | | `-GetFiles` | Collects support information | | `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder | -| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set | +| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set | | `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence | | `-RemoveDefinitions [-Engine]` | Restores the previous installed engine | | `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates | diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index 03cf88d610..e0805ca3fb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md 
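Review bot: `[-CpuThrottling]` is added to the `-Scan` syntax, but the Description cell on the same row is unchanged, so the table never says what the switch does. Add a sentence to that cell, for example `**CpuThrottling** runs according to policy configurations.` The same row still lists the **ScanType** values as **-1**, **-2** and **-3** while the syntax shows `[0\|1\|2\|3]`. One of the two should be corrected so that a scripted scan runs the scan type the administrator meant.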
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 02/05/2020 +ms.date: 03/12/2020 ms.reviewer: manager: dansimp --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 7f217bed68..10c52c2aba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 12/10/2018 ms.reviewer: manager: dansimp --- @@ -33,7 +32,7 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. -This topic describes how to configure exclusion lists for the files and folders. +This article describes how to configure exclusion lists for the files and folders. Exclusion | Examples | Exclusion list ---|---|--- 
@@ -90,21 +89,22 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. -4. Double-click the **Path Exclusions** setting and add the exclusions: +4. Double-click the **Path Exclusions** setting and add the exclusions. - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. + - Set the option to **Enabled**. + - Under the **Options** section, click **Show...**. + - Specify each folder on its own line under the **Value name** column. + - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. 5. Click **OK**. ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -6. Double-click the **Extension Exclusions** setting and add the exclusions: +6. Double-click the **Extension Exclusions** setting and add the exclusions. - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. + - Set the option to **Enabled**. + - Under the **Options** section, click **Show...**. + - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. 7. Click **OK**. 
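Review bot: Splitting the path-exclusion step into two bullets leaves `Enter **0** in the **Value** column.` on the file-only bullet, so the folder bullet no longer says what goes in the Value column. The old step 3 applied that instruction to every entry, folders included. I would make it a separate bullet after the two path bullets, `- Enter **0** in the **Value** column.`, which matches the wording kept in the Extension Exclusions list further down this hunk. Exclusions decide what the scanner skips, so the procedure should leave no doubt about how each entry is filled in.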
@@ -116,13 +116,13 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). -The format for the cmdlets is: +The format for the cmdlets is as follows: ```PowerShell - "" ``` -The following are allowed as the \: +The following are allowed as the ``: Configuration action | PowerShell cmdlet ---|--- @@ -130,7 +130,7 @@ Create or overwrite the list | `Set-MpPreference` Add to the list | `Add-MpPreference` Remove item from the list | `Remove-MpPreference` -The following are allowed as the \: +The following are allowed as the ``: Exclusion type | PowerShell parameter ---|--- @@ -168,6 +168,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + ## Use wildcards in the file name and folder path or extension exclusion lists You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. 
@@ -180,91 +181,21 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such >- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    WildcardUse in file name and file extension exclusionsUse in folder exclusionsExample useExample matches
    * (asterisk)Replaces any number of characters.
    Only applies to files in the last folder defined in the argument.
    Replaces a single folder.
    Use multiple * with folder slashes \ to indicate multiple, nested folders.
    After matching the number of wild carded and named folders, all subfolders will also be included.
    -
      -
    1. C:\MyData\*.txt
    2. -
    3. C:\somepath\*\Data
    4. -
    5. C:\Serv\*\*\Backup -
    -
    -
      -
    1. C:\MyData\notes.txt
    2. -
    3. Any file in: -
        -
      • C:\somepath\Archives\Data and its subfolders
      • -
      • C:\somepath\Authorized\Data and its subfolders
      • -
      -
    4. Any file in: -
        -
      • C:\Serv\Primary\Denied\Backup and its subfolders
      • -
      • C:\Serv\Secondary\Allowed\Backup and its subfolders
      • -
      -
    -
    - ? (question mark) - - Replaces a single character.
    - Only applies to files in the last folder defined in the argument. -
    - Replaces a single character in a folder name.
    - After matching the number of wild carded and named folders, all subfolders will also be included. -
    -
      -
    1. C:\MyData\my?.zip
    2. -
    3. C:\somepath\?\Data
    4. -
    5. C:\somepath\test0?\Data
    6. -
    -
    -
      -
    1. C:\MyData\my1.zip
    2. -
    3. Any file in C:\somepath\P\Data and its subfolders
    4. -
    5. Any file in C:\somepath\test01\Data and its subfolders
    6. -
    -
    Environment variablesThe defined variable will be populated as a path when the exclusion is evaluated.Same as file and extension use. -
      -
    1. %ALLUSERSPROFILE%\CustomLogFiles
    2. -
    -
    -
      -
    1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
    2. -
    -
    + + +|Wildcard |Examples | +|---------|---------| +|`*` (asterisk)

    In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

    `C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

    `C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | +|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | +|Environment variables

    The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | + >[!IMPORTANT] >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. > ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. +>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. > ->This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. +>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. 
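Review bot: The new wildcard table describes an exclusion list as if it were an inclusion list: both wildcard rows say "In **file name and file extension inclusions**" and every example reads "would include", where the removed HTML table said exclusions and "Example matches". On an antivirus exclusion page that reads as the opposite of what the rule does, since matched files are skipped by scans, so I would write `In **file name and file extension exclusions**` and `would match` throughout. The question-mark example has also lost its pattern: `C:\MyData\my` should be `C:\MyData\my?.zip`, as in the old table. In the asterisk row the words "and its subfolders" sit inside the code spans (`C:\somepath\Archives\Data and its subfolders`); close the backticks after the path, as the question-mark row does.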
@@ -361,7 +292,4 @@ You can also copy the string into a blank text file and attempt to save it with - [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Handling false positives/negatives](antivirus-false-positives-negatives.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 94b115e1e2..1b19f98ccd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 12/10/2018 ms.reviewer: manager: dansimp --- 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png new file mode 100644 index 0000000000..cea5e255f5 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/pre-execution-and-post-execution-detection-engines.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg new file mode 100644 index 0000000000..d6177a0899 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg new file mode 100644 index 0000000000..577f034ff6 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md new file mode 100644 index 0000000000..9fc1cbc630 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md 
@@ -0,0 +1,94 @@ +--- +title: Shadow protection in next-generation protection +description: Learn about shadow protection in next-generation protection +keywords: Windows Defender Antivirus, shadow protection, passive mode +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: next-gen +ms.collection: +--- + +# Shadow protection in next-generation protection + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## What is shadow protection? + +When enabled, shadow protection extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach protection. This is the case even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. Shadow protection is useful if your organization has not fully transitioned to Windows Defender Antivirus and you are presently using a third-party antivirus solution. Shadow protection works behind the scenes by remediating malicious entities identified in post-breach protection that the existing third-party antivirus solution missed. + +> [!NOTE] +> Shadow protection is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection). + +To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). 
And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). + +## What happens when something is detected? + +When shadow protection is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). + +The following images shows an instance of unwanted software that was detected and blocked through shadow protection: + +:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by shadow protection"::: + +## Turn on shadow protection + +> [!IMPORTANT] +> Make sure the [requirements](#requirements-for-shadow-protection) are met before turning shadow protection on. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. + +2. Choose **Settings** > **Advanced features**. + + :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn shadow protection on"::: + +3. Turn shadow protection on. + +> [!NOTE] +> Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off. + +## Requirements for shadow protection + +|Requirement |Details | +|---------|---------| +|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). 
See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | +|Operating system |One of the following:
    - Windows 10 (all releases)
    - Windows Server 2016 or later | +|Windows E5 enrollment |This is included in the following subscriptions:
    - Microsoft 365 E5
    - Microsoft 365 E3 together with the Identity & Threat Protection offering
    See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | +|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
    See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | +|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | + +> [!IMPORTANT] +> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) + + +## Frequently asked questions + +### Will shadow protection have any impact on a user's antivirus protection? + +No. Shadow protection does not affect third-party antivirus protection running on users' machines. Shadow protection kicks in if the primary antivirus solution misses something, or if there is post-breach detection. Shadow protection works just like Windows Defender Antivirus in passive mode with the additional steps of blocking and remediating malicious items detected. + +### Why do I need to keep Windows Defender Antivirus up to date? 
+ +The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration, and to get best protection value, you should keep Windows Defender Antivirus up to date. + +### Why do we need cloud protection on? + +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models. + +### Can I participate in the private preview of shadow protection? + +If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`. + +## See also + +- [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) + diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 8c86ac5722..33827edea0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 02/25/2020 ms.reviewer: manager: dansimp --- 
@@ -23,21 +22,24 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. +## Overview -However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself. +Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. +- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.) +- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. -If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender Antivirus will enter a passive mode. 
Important: Real time protection and and threats will not be remediated by Windows Defender Antivirus. +## Antivirus and Microsoft Defender ATP -The following matrix illustrates the states that Windows Defender Antivirus will enter when third-party antivirus products or Microsoft Defender ATP are also used. +The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. -| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state | -|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------| -| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | -| Windows 10 | Windows Defender Antivirus | Yes | Active mode | -| Windows 10 | Windows Defender Antivirus | No | Active mode | +| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state | +|------|------|-------|-------| +| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | Windows Defender Antivirus | Yes | Active mode | +| Windows 10 | Windows Defender Antivirus | No | Active mode | | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode[[1](#fn1)] | | Windows Server 2016 or 2019 | Windows Defender 
Antivirus | Yes | Active mode | @@ -52,7 +54,6 @@ If you are Using Windows Server, version 1803 and Windows 2019, you can enable p See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations. - >[!IMPORTANT] >Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019. 
> @@ -60,32 +61,38 @@ See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defende > >Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). +## Functionality and features available in each state -This table indicates the functionality and features that are available in each state: +The following table summarizes the functionality and features that are available in each state: -State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md) -:-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender Antivirus will not be used as the antivirus app, and threats will not be remediated by Windows Defender Antivirus. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] -Automatic disabled mode | Windows Defender Antivirus will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] -Active mode | Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence 
updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) | +|--|--|--|--|--|--| +|Active mode

    |Yes |No |Yes |Yes |Yes | +|Passive mode |No |No |Yes |No |Yes | +|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes | +|Automatic disabled mode |No |Yes |No |No |No | + +- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). +- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. +- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. +- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. + +## Keep the following points in mind If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender Antivirus will automatically enable itself to ensure antivirus protection is maintained on the endpoint. 
It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. +When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. -In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. - If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode. +If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode. 
>[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. -> ->This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. -> ->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). +>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) +- [Shadow protection in next-generation protection](shadow-protection.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 7275492629..5ade5917e6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md 
@@ -21,23 +21,24 @@ ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) -### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) +### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) -### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) +### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) +### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) #### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md) -### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) -### [Use a Windows Defender Application 
Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) -#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) ### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md) +## [Windows Defender Application Control operational guide](windows-defender-application-control-operational-guide.md) +### [Understanding Application Control events](event-id-explanations.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 128fb4d3a3..48ce449ecd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md 
@@ -14,12 +14,9 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/17/2018 +ms.date: 02/28/2020 --- -> [!NOTE] -> For WDAC enhancements see [Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update](https://www.microsoft.com/security/blog/2019/07/01/). - # Deploy Windows Defender Application Control policies by using Microsoft Intune **Applies to:** @@ -33,6 +30,10 @@ In order to deploy a custom policy through Intune and define your own circle of ## Using Intune's Built-In Policies +Intune's built-in WDAC support enables you to deploy a policy which only allows Windows components and Microsoft Store apps to run. This policy is the non-Multiple Policy Format version of the DefaultWindows policy; the Multiple Policy Format version can be found at C:\Windows\schemas\CodeIntegrity\ExamplePolicies. + +Setting "Trust apps with good reputation" to enabled is equivalent to adding [Option 14 (Enabled: Intelligent Security Graph Authorization)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-policy-rules) to the DefaultWindows policy. + 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. 2. Type a name for the new profile, select **Windows 10 and later** as the **Platform** and **Endpoint protection** as the **Profile type**. diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md new file mode 100644 index 0000000000..182c28dedc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -0,0 +1,80 @@ +--- +title: Understanding Application Control events (Windows 10) +description: Learn what different Windows Defender Application Control events signify. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 3/17/2020 +--- + +# Understanding Application Control events + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: + +1. Event IDs beginning with 30 appear in Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational +2. Event IDs beginning with 80 appear in Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script + +## Microsoft Windows CodeIntegrity Operational log event IDs + +| Event ID | Explanation | +|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3076 | Audit executable/dll file | +| 3077 | Block executable/dll file | +| 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is.
    Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | +| 3099 | Indicates that a policy has been loaded | + +## Microsoft Windows Applocker MSI and Script log event IDs + +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the scripthosts themselves. Note: there is no WDAC enforcement on 3rd party scripthosts. | +| 8029 | Block script/MSI file | +| 8038 | Signing information event correlated with either a 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the “System” portion of the event data under “Correlation ActivityID”. | | + +## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events + +If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide additional diagnostic information. 
+ +| Event ID | Explanation | +|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 3090 | Allow executable/dll file | +| 3091 | Audit executable/dll file | +| 3092 | Block executable/dll file | + +3090, 3091, and 3092 events are generated based on the status code of whether a binary passed the policy, regardless of what reputation it was given or whether it was allowed by a designated MI. The SmartLocker template which appears in the event should indicate why the binary passed/failed. Only one event is generated per binary pass/fail. If both ISG and MI are disabled, 3090, 3091, and 3092 events will not be generated. + +### SmartLocker template + +Below are the fields which help to diagnose what a 3090, 3091, or 3092 event indicates. + +| Name | Explanation | +|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. 
| +| ManagedInstallerEnabled | Policy trusts a MI | +| PassesManagedInstaller | File originated from a trusted MI | +| SmartlockerEnabled | Policy trusts the ISG | +| PassesSmartlocker | File had positive reputation | +| AuditEnabled | True if the policy is in audit mode, otherwise it is in enforce mode | + +### Enabling ISG and MI diagnostic events + +In order to enable 3091 audit events and 3092 block events, you must create a TestFlags regkey with a value of 0x100. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x100 + ``` +In order to enable 3090 allow events, you must create a TestFlags regkey with a value of 0x300. You can do so using the following PowerShell command: + + ```powershell + reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 + ``` diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md deleted file mode 100644 index 4d6bb94c8f..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10) -description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10. -keywords: whitelisting, security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -audience: ITPro -ms.collection: M365-security-compliance -author: jsuther1974 -ms.reviewer: isbrahm -ms.author: dansimp -manager: dansimp -ms.date: 02/21/2018 ---- - -# Signing Windows Defender Application Control policies with SignTool.exe - -**Applies to:** - -- Windows 10 -- Windows Server 2016 - -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. -These policies are designed to prevent administrative tampering and kernel mode exploit access. -With this in mind, it is much more difficult to remove signed WDAC policies. -Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. - -Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. 
- -Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). - -To sign a WDAC policy with SignTool.exe, you need the following components: - -- SignTool.exe, found in the Windows SDK (Windows 7 or later) - -- The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created - -- An internal CA code signing certificate or a purchased code signing certificate - -If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: - -1. 
Initialize the variables that will be used: - - `$CIPolicyPath=$env:userprofile+"\Desktop\"` - - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - - > [!NOTE] - > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. - -2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). - -3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later. - -4. Navigate to your desktop as the working directory: - - `cd $env:USERPROFILE\Desktop` - -5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - - `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - - > [!NOTE] - > \ should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. - -6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - - `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` - -7. 
Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - - `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` - -8. Sign the WDAC policy by using SignTool.exe: - - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - - > [!NOTE] - > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. - -9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). - diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index edbac5d2b9..7386316a87 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md 
@@ -28,10 +28,8 @@ ms.date: 05/03/2018 - Windows Server 2016 -Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. -These policies are designed to prevent administrative tampering and kernel mode exploit access. -With this in mind, it is much more difficult to remove signed WDAC policies. +Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. + Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index e34ac21abb..7c9d0b4790 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -14,6 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp +ms.date: 03/10/2020 --- # Authorize reputable apps with the Intelligent Security Graph (ISG) 
@@ -25,18 +26,18 @@ manager: dansimp Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task. -Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The the Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services). +Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services). 
## How does the integration between WDAC and the Intelligent Security Graph work? -The the Microsoft Intelligent Security Graph relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the the Microsoft Intelligent Security Graph authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision. +The Microsoft Intelligent Security Graph relies on the same vast security intelligence and machine learning analytics which power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having known good, known bad, or unknown reputation. When an unevaluated file is run on a system with WDAC enabled with the Microsoft Intelligent Security Graph authorization option specified, WDAC queries the file's reputation by sending its hash and signing information to the cloud. If the Microsoft Intelligent Security Graph determines that the file has a known good reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file. Every time the file tries to execute, if there are no explicit deny rules present for the file, it will be allowed to run based on its positive reputation. Conversely, a file that has unknown or known bad reputation will still be allowed to run in the presence of a rule that explicitly allows the file. 
-After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. +Additionally, an application installer which is determined to have known good reputation will pass along that positive reputation to any files that it writes. This way, all the files needed to install and run an app are granted positive reputation data. -The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. +WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option. >[!NOTE] ->Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines. +>Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. 
Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Manager Configuration Manager (MEMCM) and Microsoft Endpoint Manager Intune (MEM Intune) can be used to create and push a WDAC policy to your client machines. Other examples of WDAC policies are available in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). @@ -85,7 +86,7 @@ In order for the heuristics used by the Microsoft Intelligent Security Graph to appidtel start ``` -For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the Configuration Manager WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through Configuration Manager then this step is required. +This step is not required for WDAC policies deployed over MDM using the AppLocker CSP, as the CSP will enable the necessary components. This step is also not required when enabling the Microsoft Intelligent Security Graph through the MEMCM WDAC UX. However, if custom policies are being deployed outside of the WDAC UX through MEMCM, then this step is required. ## Security considerations with the Intelligent Security Graph 
@@ -104,4 +105,4 @@ The Microsoft Intelligent Security Graph heuristics do not authorize kernel mode In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. >[!NOTE] -> A rule that explicitly allows an application will take precedence over the Microsoft Intelligent Security Graph rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables the Microsoft Intelligent Security Graph. In most circumstances you would need to build a custom WDAC policy, including the Microsoft Intelligent Security Graph, if desired. +> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. MEM Intune's built-in WDAC support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune#using-a-custom-oma-uri-profile). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
new file mode 100644
index 0000000000..a34e52ab58
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md
@@ -0,0 +1,42 @@
+---
+title: Managing and troubleshooting Windows Defender Application Control policies (Windows 10)
+description: Gather information about how your deployed Windows Defender Application Control policies are behaving.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.date: 03/16/2020
+---
+
+# Windows Defender Application Control operational guide
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender Advanted Threat Protection (MDATP) Advanced Hunting feature.
+
+## WDAC Events Overview
+
+WDAC generates and logs events when a policy is loaded as well as when a binary attempts to execute and is blocked. These events include information that identifies the policy and gives more details about the block. Generally, WDAC does not generate events when a binary is allowed; however, there is the option to enable allow events when Managed Installer and/or the Intelligent Security Graph (ISG) is configured.
+
+WDAC events are generated under two locations:
+
+1. Applications and Services logs – Microsoft – Windows – CodeIntegrity – Operational
+2. Applications and Services logs – Microsoft – Windows – AppLocker – MSI and Script
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understanding Application Control events](event-id-explanations.md) | This topic explains the meaning of different WDAC events. 
| +| [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) | This topic covers how to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP. | diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index b3b52de9b2..827bc6fab0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -14,7 +14,7 @@ author: denisebmsft ms.reviewer: isbrahm ms.author: deniseb manager: dansimp -ms.date: 01/08/2019 +ms.date: 01/31/2020 ms.custom: asr --- 
@@ -59,7 +59,7 @@ WDAC policies apply to the managed computer as a whole and affects all users of ### WDAC System Requirements WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. -WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a scripthost like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. +WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. ## AppLocker 
@@ -97,6 +97,23 @@ Although either AppLocker or WDAC can be used to control application execution o AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. +## WDAC and AppLocker Feature Availability +| Capability | WDAC | AppLocker | +|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Platform support | Available on Windows 10 | Available on Windows 8+ | +| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
    For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
    Policies deployed through MDM are effective on all SKUs. | +| Management solutions |
    • [Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
    • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
    • [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy)
    • PowerShell
    |
    • [Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
    • MEMCM (custom policy deployment via Software Distribution only)
    • [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)
    • PowerShell
      • | +| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | +| Kernel mode policies | Available on all Windows 10 versions | Not available | +| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available | +| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available | +| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available | +| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available | +| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. 
| +| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available | +| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ | +| Enforceable file types |
        • Driver files: .sys
        • Executable files: .exe and .com
        • DLLs: .dll and .ocx
        • Windows Installer files: .msi, .mst, and .msp
        • Scripts: .ps1, .vbs, and .js
        • Packaged apps and packaged app installers: .appx
        |
        • Executable files: .exe and .com
        • [Optional] DLLs: .dll and .ocx
        • Windows Installer files: .msi, .mst, and .msp
        • Scripts: .ps1, .bat, .cmd, .vbs, and .js
        • Packaged apps and packaged app installers: .appx
        | + ## See also - [WDAC design guide](windows-defender-application-control-design-guide.md) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index d22f241c9b..b9d400165d 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -55,6 +55,9 @@ Windows Defender SmartScreen provide an early warning system against websites th - **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). +> [!IMPORTANT] +> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. + ## Viewing Windows Defender SmartScreen anti-phishing events When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 04739b0f9c..2ddbd8ddd4 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md 
+++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -14,14 +14,13 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 --- # Basic Firewall Policy Design **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows Server 2016 Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. 
@@ -31,19 +30,20 @@ Traffic can be blocked or permitted based on the characteristics of each network Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy: -- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. +- On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device. -- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. +- When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you. - For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. + For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. -- For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization. 
+- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. - For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. + For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network. ->**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. +> [!CAUTION] +> Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft. By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later. 
@@ -55,20 +55,22 @@ An organization typically uses this design as a first step toward a more compreh After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization. ->**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. +> [!IMPORTANT] +> If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design. The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules. For more information about this design: -- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md). +- This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md). -- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). +- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md). -- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). 
+- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md). -- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). +- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md). -- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md). +- For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md). -**Next:** [Domain Isolation Policy Design](domain-isolation-policy-design.md) +> [!div class="nextstepaction"] +> [Domain Isolation Policy Design](domain-isolation-policy-design.md)