deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into mde-updates

Browse Source
This commit is contained in:
Joey Caparas 2020-11-23 15:35:52 -08:00
commit ff11cafe3b
40 changed files with 476 additions and 360 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -84,6 +84,11 @@
"source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md",
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy",
"redirect_document_id": false
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",

7
store-for-business/microsoft-store-for-business-overview.md
View File

@ -12,7 +12,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 10/17/2017
ms.date:
---
# Microsoft Store for Business and Microsoft Store for Education overview
@ -22,7 +22,10 @@ ms.date: 10/17/2017
- Windows 10
- Windows 10 Mobile
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
> [!IMPORTANT]
> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
## Features
Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:

5
store-for-business/prerequisites-microsoft-store-for-business.md
View File

@ -12,7 +12,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 10/13/2017
ms.date:
---
# Prerequisites for Microsoft Store for Business and Education
@ -22,6 +22,9 @@ ms.date: 10/13/2017
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education.
## Prerequisites

19
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -22,7 +22,7 @@ Requirements:
- The enterprise has configured a mobile device management (MDM) service
- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md)
- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`)
- The minimum Windows Server version requirement is based on the Hybrid AAD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
- The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. See [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) for more information.
> [!TIP]
> For additional information, see the following topics:
@ -30,7 +30,7 @@ Requirements:
> - [How to plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan)
> - [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm)
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure ADregistered.
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
@ -106,13 +106,16 @@ Requirements:
2. Under **Best match**, click **Edit group policy** to launch it.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
![MDM policies](images/autoenrollment-mdm-policies.png)
![MDM policies](images/autoenrollment-mdm-policies.png)
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
> [!NOTE]
> **Device Credential** Credential Type will also work, however, it is not yet supported for MDM solutions (including Intune). We don't recommend using this option until support is announced.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
@ -162,7 +165,7 @@ Requirements:
Requirements:
- AD-joined PC running Windows 10, version 1709 or later
- Enterprise has MDM service already configured (with Intune or a third party service provider)
- Enterprise has MDM service already configured (with Intune or a third-party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
@ -257,7 +260,7 @@ To collect Event Viewer logs:
![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png)
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display less entries as shown in the following screenshot:
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png)

7
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -371,7 +371,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!--/Description-->
<!--ADMXMapped-->
@ -754,8 +754,7 @@ The following list shows the supported values:
- 2 HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 HTTP blended with Internet peering.
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
<!--/SupportedValues-->
<!--/Policy-->
@ -882,7 +881,7 @@ The options set in this policy only apply to Group (2) download mode. If Group (
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
<!--/Description-->
<!--ADMXMapped-->

2
windows/client-management/troubleshoot-windows-freeze.md
View File

@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps
Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.
Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx).
Learn [how to use Memory Pool Monitor to troubleshoot kernel mode memory leaks](https://support.microsoft.com/office/how-to-use-memory-pool-monitor-poolmon-exe-to-troubleshoot-kernel-mode-memory-leaks-4f4a05c2-ef8a-fca4-3ae0-670b940af398).
### Use memory dump to collect data for the virtual machine that's running in a frozen state

12
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -388,12 +388,12 @@ On **MDT01**:
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
>[!IMPORTANT]
>The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround:
>- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
>- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
>- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
>- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
> [!IMPORTANT]
> The ADK version 1903 has a [known issue](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](https://docs.microsoft.com/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
> - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
> - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
> - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
> - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:

170
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -53,6 +53,8 @@ These are the things you'll need to complete this lab:
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
> If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
[Verify support for Hyper-V](#verify-support-for-hyper-v)
<br>[Enable Hyper-V](#enable-hyper-v)
<br>[Create a demo VM](#create-a-demo-vm)
@ -70,7 +72,8 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
<br>&nbsp;&nbsp;&nbsp; [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
<br>[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
<br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the profile](#assign-the-profile)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create a device group](#create-a-device-group)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create the deployment profile](#create-the-deployment-profile)
<br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
<br>[See Windows Autopilot in action](#see-windows-autopilot-in-action)
<br>[Remove devices from Autopilot](#remove-devices-from-autopilot)
@ -140,7 +143,7 @@ After we have set the ISO file location and determined the name of the appropria
You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
- When asked to select a platform, choose **64 bit**.
After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
@ -163,7 +166,7 @@ For example, if the command above displays Ethernet but you wish to use Ethernet
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
> [!IMPORTANT]
> **VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.
> **VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.<br><br>If you are not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that is used to connect to the Internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
@ -218,6 +221,9 @@ PS C:\autopilot&gt;
### Install Windows 10
> [!NOTE]
> The VM will be booted to gather a hardware ID, then it will be reset. The goal in the next few steps is to get to the desktop quickly so don't worry about how it is configured at this stage. The VM only needs to be connected to the Internet.
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
![Windows setup example 1](images/winsetup1.png)
@ -250,7 +256,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
Follow these steps to run the PS script:
1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
```powershell
md c:\HWID
@ -263,18 +269,20 @@ Follow these steps to run the PS script:
When you are prompted to install the NuGet package, choose **Yes**.
See the sample output below.
See the sample output below. A 'dir' command is issued at the end to show the file that was created.
<pre>
PS C:\> md c:\HWID
Directory: C:\
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/14/2019 11:33 AM HWID
PS C:\> Set-Location c:\HWID
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/13/2020 3:00 PM HWID
PS C:\Windows\system32> Set-Location c:\HWID
PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
@ -287,13 +295,17 @@ import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
PS C:\HWID> dir
Directory: C:\HWID
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv
PS C:\HWID>
</pre>
@ -305,7 +317,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
![Serial number and hardware hash](images/hwid.png)
You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If youre using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
@ -317,7 +329,7 @@ If you have trouble copying and pasting the file, just view the contents in Note
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
![Reset this PC final prompt](images/autopilot-reset-prompt.jpg)
@ -363,7 +375,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png)
![MDM user scope in the Mobility blade](images/ap-aad-mdm.png)
## Register your VM
@ -371,24 +383,24 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
### Autopilot registration using Intune
1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
![Intune device import](images/device-import.png)
![Intune device import](images/enroll1.png)
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
![HWID CSV](images/hwid-csv.png)
![HWID CSV](images/enroll2.png)
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
4. Click **Refresh** to verify your VM or device has been added. See the following example.
![Import HWID](images/import-vm.png)
![Import HWID](images/enroll3.png)
### Autopilot registration using MSfB
@ -425,17 +437,33 @@ Pick one:
### Create a Windows Autopilot deployment profile using Intune
> [!NOTE]
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
![Intune Devices](images/intune-devices.png)
![Devices](images/enroll4.png)
> The example above lists both a physical device and a VM. Your list should only include only one of these.
#### Create a device group
To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group:
![Deployment profiles](images/deployment-profiles.png)
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
2. In the **Group** blade:
1. For **Group type**, choose **Security**.
2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
3. Azure AD roles can be assigned to the group: **No**
4. For **Membership type**, choose **Assigned**.
3. Click **Members** and add the Autopilot VM to the group. See the following example:
Click on **Create profile**.
![add members](images/group1.png)
4. Click **Create**.
#### Create the deployment profile
To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
![Deployment profiles](images/dp.png)
Click on **Create profile** and then select **Windows PC**.
![Create deployment profile](images/create-profile.png)
@ -444,22 +472,33 @@ On the **Create profile** blade, use the following values:
| Setting | Value |
|---|---|
| Name | Autopilot Lab profile |
| Description | blank |
| Description | Lab |
| Convert all targeted devices to Autopilot | No |
| Deployment mode | User-driven |
| Join to Azure AD as | Azure AD joined |
Click on **Out-of-box experience (OOBE)** and configure the following settings:
Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
| Setting | Value |
|---|---|
| EULA | Hide |
| Deployment mode | User-driven |
| Join to Azure AD as | Azure AD joined |
| Microsoft Sofware License Terms | Hide |
| Privacy Settings | Hide |
| Hide change account options | Hide |
| User account type | Standard |
| Allow White Glove OOBE | No |
| Language (Region) | Operating system default |
| Automatically configure keyboard | Yes |
| Apply device name template | No |
See the following example:
Click **Next** to continue with the **Assignments** settings:
| Setting | Value |
|---|---|
| Assign to | Selected groups |
1. Click **Select groups to include**.
2. Click the **Autopilot Lab** group, and then click **Select**.
3. Click **Next** to continue and then click **Create**. See the following example:
![Deployment profile](images/profile.png)
@ -467,40 +506,6 @@ Click on **OK** and then click on **Create**.
> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
#### Assign the profile
Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
To create a Group, open the Azure portal and select **Azure Active Directory** > **Groups** > **All groups**:
![All groups](images/all-groups.png)
Select New group from the Groups blade to open the new groups UI. Select the "Security" group type, name the group, and select the "Assigned" membership type:
Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
![New group](images/new-group.png)
Now click **Create** to finish creating the new group.
Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
![Lab profile](images/deployment-profiles2.png)
Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
![Include group](images/include-group.png)
Click **Select** and then click **Save**.
![Include group save](images/include-group2.png)
It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
### Create a Windows Autopilot deployment profile using MSfB
If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
@ -559,14 +564,17 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
![OOBE sign-in page](images/autopilot-oobe.jpg)
![OOBE sign-in page](images/autopilot-oobe.png)
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
![Device enabled](images/enabled-device.png)
![Device enabled](images/devices1.png)
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
> [!TIP]
> If you recieve a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use" then verify you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user.
Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
## Remove devices from Autopilot
@ -575,41 +583,27 @@ To use the device (or VM) for other purposes after completion of this lab, you w
### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
![Delete device step 1](images/delete-device1.png)
Click **X** when challenged to complete the operation:
![Delete device step 2](images/delete-device2.png)
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
![Delete device step 3](images/delete-device3.png)
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click Delete.
To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
![Delete device step 4](images/delete-device4.png)
A warning message appears reminding you to first remove the device from Intune, which we previously did.
![Delete device step 5](images/delete-device5.png)
![Delete device](images/delete-device2.png)
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
![Delete device step 6](images/delete-device6.png)
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
![Delete device step 7](images/delete-device7.png)
## Appendix A: Verify support for Hyper-V
Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
@ -741,7 +735,7 @@ You will be able to find your app in your app list:
#### Assign the app to your Intune profile
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
@ -810,7 +804,7 @@ Click **OK** and then click **Add**.
#### Assign the app to your Intune profile
> [!NOTE]
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:

BIN
windows/deployment/windows-autopilot/images/ap-aad-mdm.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

BIN
windows/deployment/windows-autopilot/images/autopilot-oobe.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

BIN
windows/deployment/windows-autopilot/images/create-profile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 5.5 KiB

After

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/deployment/windows-autopilot/images/delete-device1.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 115 KiB

After

Width:  |  Height:  |  Size: 146 KiB

BIN
windows/deployment/windows-autopilot/images/delete-device2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 22 KiB

After

Width:  |  Height:  |  Size: 124 KiB

BIN
windows/deployment/windows-autopilot/images/device-status.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 80 KiB

After

Width:  |  Height:  |  Size: 137 KiB

BIN
windows/deployment/windows-autopilot/images/devices1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB

BIN
windows/deployment/windows-autopilot/images/dp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 229 KiB

BIN
windows/deployment/windows-autopilot/images/enroll1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 204 KiB

BIN
windows/deployment/windows-autopilot/images/enroll2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
windows/deployment/windows-autopilot/images/enroll3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
windows/deployment/windows-autopilot/images/enroll4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

BIN
windows/deployment/windows-autopilot/images/group1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 214 KiB

BIN
windows/deployment/windows-autopilot/images/profile.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 111 KiB

After

Width:  |  Height:  |  Size: 120 KiB

9
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -44,9 +44,12 @@ Prepare the Active Directory Federation Services deployment by installing and up
> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 4. Launch PowerShell as an administrator.
> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
> ```PowerShell
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> ```
> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.

4
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -76,6 +76,8 @@ Communicating with Azure Active Directory uses the following URLs:
- login.microsoftonline.com
- login.windows.net
- account.live.com
- accountalt.azureedge.net
- secure.aadcdn.microsoftonline-p.com
If your environment uses Microsoft Intune, you need these additional URLs:
- enrollment.manage.microsoft.com
@ -144,7 +146,7 @@ Beginning with Windows 10, version 1709, Windows Hello for Business used as a sm
The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching.
## Can I disable the PIN while using Windows Hello for Business?
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics.
No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
## How are keys protected?
Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software.

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
View File

@ -506,7 +506,7 @@ The following script helps you with the creation of the issuance transform rules
#### Configure Device Authentication in AD FS
Using an elevated PowerShell command window, configure AD FS policy by executing the following command
`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All`
`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod SignedToken`
#### Check your configuration
For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work

2
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -67,7 +67,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].

3
windows/security/threat-protection/TOC.md
View File

@ -278,7 +278,7 @@
#### [Configure]()
##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
#### [Privacy](microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md)
#### [Privacy](microsoft-defender-atp/ios-privacy.md)
### [Microsoft Defender Advanced Threat Protection for Linux]()
@ -297,6 +297,7 @@
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
##### [Schedule scans with Microsoft Defender ATP for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)

BIN
windows/security/threat-protection/images/linux-mdatp-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.5 KiB

BIN
windows/security/threat-protection/images/linux-mdatp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.5 KiB

21
windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 11/18/2020
ms.reviewer:
manager: dansimp
---
@ -37,15 +37,16 @@ The following broad categories of features can be configured:
- Cloud-delivered protection
- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
- How end-users interact with the client on individual endpoints
- How end users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools).
You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
|Article |Description |
|---------|---------|
|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. |
|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. |
|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. |
> [!TIP]
> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
## In this section
Topic | Description
:---|:---
[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings

11
windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
View File

@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 07/08/2020
ms.date: 11/18/2020
ms.reviewer:
manager: dansimp
---
@ -62,7 +62,7 @@ The table below lists the services and their associated URLs. Make sure that the
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/` <br/> `http://www.microsoft.com/pkiops/certs` <br/> `http://crl.microsoft.com/pki/crl/products` <br/> `http://www.microsoft.com/pki/certs` |
| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` <br/> `settings-win.data.microsoft.com`|
| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` <br/> `settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
@ -85,8 +85,7 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun
You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- https://aka.ms/ioavtest
Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
@ -105,11 +104,11 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware.
3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware.
> [!NOTE]
> Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).

60
windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
View File

@ -26,15 +26,16 @@ manager: dansimp
You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
This topic describes how to configure exclusion lists for the following:
This article describes how to configure exclusion lists.
<a id="examples"></a>
## Examples of exclusions
|Exclusion | Example |
|---|---|
|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by: <br/>`c:\sample\test.exe`<br/>`d:\internal\files\test.exe` |
|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:<br/>`c:\test\sample\test.exe`<br/>`c:\test\sample\test2.exe`<br/>`c:\test\sample\utility.exe` |
|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
Exclusion | Example
---|---
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: <ul><li>c:\sample\test.exe</li><li>d:\internal\files\test.exe</li></ul>
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:<ul><li>c:\test\sample\test.exe</li><li>c:\test\sample\test2.exe</li><li>c:\test\sample\utility.exe</li></ul>
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
@ -42,18 +43,16 @@ The exclusions only apply to [always-on real-time protection and monitoring](con
Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
<a id="gp"></a>
### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
@ -74,14 +73,12 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
<a id="ps"></a>
### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@ -94,11 +91,11 @@ The format for the cmdlets is:
The following are allowed as the \<cmdlet>:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove items from the list | `Remove-MpPreference`
|Configuration action | PowerShell cmdlet |
|---|---|
|Create or overwrite the list | `Set-MpPreference` |
|Add to the list | `Add-MpPreference` |
|Remove items from the list | `Remove-MpPreference` |
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
@ -109,7 +106,7 @@ For example, the following code snippet would cause Microsoft Defender AV scans
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Microsoft Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true).
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
@ -121,33 +118,24 @@ ExclusionProcess
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
<a id="man-tools"></a>
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
See [Add exclusions in the Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the process exclusion list
The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.
In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list.
The following table describes how the wildcards can be used in the process exclusion list:
Wildcard | Use | Example use | Example matches
---|---|---|---
\* (asterisk) | Replaces any number of characters | <ul><li>C:\MyData\\*</li></ul> | <ul><li>Any file opened by C:\MyData\file.exe</li></ul>
? (question mark) | Not available | \- | \-
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>
<a id="review"></a>
|Wildcard | Example use | Example matches |
|:---|:---|:---|
|`*` (asterisk) <br/><br/> Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
|Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
## Review the list of exclusions

101
windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
View File

@ -10,8 +10,8 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 01/31/2020
ms.reviewer:
ms.date: 11/18/2020
ms.reviewer: jesquive
manager: dansimp
---
@ -28,7 +28,7 @@ In addition to standard on-premises or hardware configurations, you can also use
See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic.
For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection).
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
@ -49,7 +49,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De
## Set up a dedicated VDI file share
In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
### Use Group Policy to enable the shared security intelligence feature:
@ -63,7 +63,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
6. Enter `\\<sharedlocation\>\wdav-update` (for what this will be, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
6. Enter `\\<sharedlocation\>\wdav-update` (for help with this value, see [Download and unpackage](#download-and-unpackage-the-latest-updates)).
7. Click **OK**.
@ -81,7 +81,7 @@ See the [Download and unpackage](#download-and-unpackage-the-latest-updates) sec
## Download and unpackage the latest updates
Now you can get started on downloading and installing new updates. Weve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if youre familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
Now you can get started on downloading and installing new updates. Weve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if youre familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those scripts).
```PowerShell
$vdmpathbase = 'c:\wdav-update\{00000000-0000-0000-0000-'
@ -98,7 +98,7 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
```
You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
We suggest starting with once a day but you should experiment with increasing or decreasing the frequency to understand the impact.
We suggest starting with once a day—but you should experiment with increasing or decreasing the frequency to understand the impact.
Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isnt advised because it will increase the network overhead on your management machine for no benefit.
@ -106,23 +106,25 @@ Security intelligence packages are typically published once every three to four
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Select **New…** > **Daily**, and select **OK**.
3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**.
3. Go to the **Actions** tab. Select **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Select **OK**.
4. You can choose to configure additional settings if you wish.
5. Click **OK** to save the scheduled task.
5. Select **OK** to save the scheduled task.
You can initiate the update manually by right-clicking on the task and clicking **Run**.
### Download and unpackage manually
If you would prefer to do everything manually, this what you would need to do to replicate the scripts behavior:
If you would prefer to do everything manually, here's what to do to replicate the scripts behavior:
1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`.
2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`
Here's an example: `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`
> [!NOTE]
> In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
@ -138,74 +140,99 @@ If you would prefer to do everything manually, this what you would need to do to
Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-microsoft-defender-antivirus.md).
The start time of the scan itself is still based on the scheduled scan policy — ScheduleDay, ScheduleTime, ScheduleQuickScanTime. Randomization will cause Microsoft Defender AV to start a scan on each machine within a 4 hour window from the time set for the scheduled scan.
The start time of the scan itself is still based on the scheduled scan policy (**ScheduleDay**, **ScheduleTime**, and **ScheduleQuickScanTime**). Randomization will cause Microsoft Defender Antivirus to start a scan on each machine within a 4-hour window from the time set for the scheduled scan.
See [Schedule scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) for other configuration options available for scheduled scans.
## Use quick scans
You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
You can specify the type of scan that should be performed during a scheduled scan. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. The following procedure describes how to set up quick scans using Group Policy.
1. Expand the tree to **Windows components > Windows Defender > Scan**.
1. In your Group Policy Editor, go to **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**.
2. Select **Specify the scan type to use for a scheduled scan** and then edit the policy setting.
3. Click **OK**.
3. Set the policy to **Enabled**, and then under **Options**, select **Quick scan**.
4. Select **OK**.
5. Deploy your Group Policy object as you usually do.
## Prevent notifications
Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Microsoft Defender Antivirus user interface.
Sometimes, Microsoft Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can lock down the Microsoft Defender Antivirus user interface. The following procedure describes how to suppress notifications with Group Policy.
1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
2. Double-click **Suppress all notifications** and set the option to **Enabled**.
2. Select **Suppress all notifications** and then edit the policy settings.
3. Click **OK**.
3. Set the policy to **Enabled**, and then select **OK**.
This prevents notifications from Microsoft Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
4. Deploy your Group Policy object as you usually do.
Suppressing notifications prevents notifications from Microsoft Defender Antivirus from showing up in the Action Center on Windows 10 when scans are done or remediation actions are taken. However, your security operations team will see the results of the scan in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
> [!TIP]
> To open the Action Center on Windows 10, take one of the following steps:
> - On the right end of the taskbar, select the Action Center icon.
> - Press the Windows logo key button + A.
> - On a touchscreen device, swipe in from the right edge of the screen.
## Disable scans after an update
This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
Disabling a scan after an update will prevent a scan from occurring after receiving an update. You can apply this setting when creating the base image if you have also run a quick scan. This way, you can prevent the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
> [!IMPORTANT]
> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
1. Expand the tree to **Windows components > Windows Defender > Signature Updates**.
1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates**.
2. Double-click **Turn on scan after signature update** and set the option to **Disabled**.
2. Select **Turn on scan after security intelligence update** and then edit the policy setting.
3. Click **OK**.
3. Set the policy to **Disabled**.
This prevents a scan from running immediately after an update.
4. Select **OK**.
5. Deploy your Group Policy object as you usually do.
This policy prevents a scan from running immediately after an update.
## Scan VMs that have been offline
1. Expand the tree to **Windows components > Windows Defender > Scan**.
1. In your Group Policy Editor, go to to **Windows components** > **Microsoft Defender Antivirus** > **Scan**.
2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
2. Select **Turn on catch-up quick scan** and then edit the policy setting.
3. Click **OK**.
3. Set the policy to **Enabled**.
This forces a scan if the VM has missed two or more consecutive scheduled scans.
4. Select **OK**.
5. Deploy your Group Policy Object as you usually do.
This policy forces a scan if the VM has missed two or more consecutive scheduled scans.
## Enable headless UI mode
1. Double-click **Enable headless UI mode** and set the option to **Enabled**.
1. In your Group Policy Editor, go to **Windows components** > **Microsoft Defender Antivirus** > **Client Interface**.
2. Click **OK**.
2. Select **Enable headless UI mode** and edit the policy.
This hides the entire Microsoft Defender AV user interface from users.
3. Set the policy to **Enabled**.
4. Click **OK**.
5. Deploy your Group Policy Object as you usually do.
This policy hides the entire Microsoft Defender Antivirus user interface from end users in your organization.
## Exclusions
Exclusions can be added, removed, or customized to suit your needs.
For more details, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
For more information, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-exclusions-microsoft-defender-antivirus.md).
## Additional resources
- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
- [Tech Community Blog: Configuring Microsoft Defender Antivirus for non-persistent VDI machines](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/configuring-microsoft-defender-antivirus-for-non-persistent-vdi/ba-p/1489633)
- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4)

21
windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
View File

@ -14,7 +14,7 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 11/12/2020
ms.date: 11/19/2020
---
# Protect security settings with tamper protection
@ -48,7 +48,7 @@ Tamper protection essentially locks Microsoft Defender Antivirus and prevents yo
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; tamper protection is managed by your security team.
### What do you want to do?
@ -72,7 +72,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
>
> Once youve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this.
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection.
1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
@ -93,7 +93,7 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-
1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
@ -132,7 +132,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
> [!IMPORTANT]
> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
@ -207,17 +207,6 @@ If you are an organization using [Microsoft Defender for Endpoint](https://www.m
Your regular group policy doesnt apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
> [!NOTE]
> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection.
To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior using GPO and allow tamper protection to protect your Microsoft Defender Antivirus settings.
Some sample Microsoft Defender Antivirus settings:
- *Turn off real-time protection* <br />
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\<br />
Value `DisableRealtimeMonitoring` = 0
### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups.

100
windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md
View File

@ -1,78 +1,96 @@
---
title: Microsoft Defender ATP for iOS note on Privacy
title: Privacy information - Microsoft Defender for Endpoint for iOS
ms.reviewer:
description: Describes the Microsoft Defender ATP for iOS Privacy
keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
description: Describes privacy information for Microsoft Defender for Endpoint for iOS
keywords: microsoft, defender, atp, ios, policy, overview
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: sunasing
author: sunasing
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
hideEdit: true
---
# Microsoft Defender ATP for iOS - Privacy information
# Privacy information - Microsoft Defender for Endpoint for iOS
**Applies to:**
- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md)
>[!NOTE]
> Defender for Endpoint for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**.
> [!NOTE]
> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint.
Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service.
Information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected and to support the service.
For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md).
## Required data
## Required data
Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:
Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
### Web page / Network information
Here is a list of the types of data being collected:
- Connection information
- Protocol type (such as HTTP, HTTPS, etc.)
### Web page or Network information
### Device and account information
- Connection information only when a malicious connection or web page is detected.
- Device information such as date & time, iOS version, CPU info, and Device identifier
- Device identifier is one of the below:
- Wi-Fi adapter MAC address
- Randomly generated globally unique identifier (GUID)
- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected.
- Tenant, Device, and User information
- Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory.
- Azure tenant ID - GUID that identifies your organization within Azure Active Directory
- Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted
- User Principal Name - Email ID of the user
### Device and account information
### Product and service usage data
- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following:
- App package info, including name, version, and app upgrade status
- Actions performed in the app
- Crash report logs generated by iOS
- Memory usage data
- Wi-Fi adapter MAC address
## Optional data
- Randomly generated globally unique identifier (GUID)
Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
- Tenant, Device, and User information
Optional diagnostic data includes:
- Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory.
- App, CPU, and network usage
- Features configured by the admin
- Azure tenant ID - GUID that identifies your organization within Azure Active Directory.
**Feedback Data** is collected through in-app feedback provided by the user.
- Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted.
- User Principal Name - Email ID of the user.
### Product and service usage data
The following information is collected only for Microsoft Defender for Endpoint app installed on the device.
- App package info, including name, version, and app upgrade status.
- Actions done in the app.
- Crash report logs generated by iOS.
- Memory usage data.
## Optional Data
Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
Optional diagnostic data includes:
- App, CPU, and network usage for Defender for Endpoint.
- Features configured by the admin for Defender for Endpoint.
Feedback Data is collected through in-app feedback provided by the user.
- The user's email address, if they choose to provide it.
- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).
- The user's email address, if they choose to provide it
- Feedback type (smile, frown, idea) and any feedback comments submitted by the user
[More on Privacy](https://aka.ms/mdatpiosprivacystatement)

167
windows/security/threat-protection/microsoft-defender-atp/linux-schedule-scan-atp.md Normal file
View File

@ -0,0 +1,167 @@
---
title: How to schedule scans with Microsoft Defender for Endpoint (Linux)
description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint (Linux) to better protect your organization's assets.
keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Schedule scans with Microsoft Defender for Endpoint (Linux)
To run a scan for Linux, see [Supported Commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-resources#supported-commands).
Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to be able to run scheduled tasks.
## Pre-requisite
> [!NOTE]
> To get a list of all the time zones, run the following command:
> `timedatectl list-timezones`<br>
> Examples for timezones:
> - `America/Los_Angeles`
> - `America/New_York`
> - `America/Chicago`
> - `America/Denver`
## To set the Cron job
Use the following commands:
**To backup crontab entries**
`sudo crontab -l > /var/tmp/cron_backup_200919.dat`
> [!NOTE]
> Where 200919 == YRMMDD
> [!TIP]
> Do this before you edit or remove. <br>
To edit the crontab, and add a new job as a root user: <br>
`sudo crontab -e`
> [!NOTE]
> The default editor is VIM.
You might see:
0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh
Press “Insert”
Add the following entries:
CRON_TZ=America/Los_Angeles
0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log
> [!NOTE]
>In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC 8).
Press “Esc”
Type “:wq” without the double quotes.
> [!NOTE]
> w == write, q == quit
To view your cron jobs, type `sudo crontab -l`
:::image type="content" source="..\images\linux-mdatp-1.png" alt-text="linux mdatp":::
**To inspect cron job runs**
`sudo grep mdatp /var/log/cron`
**To inspect the mdatp_cron_job.log**
`sudo nano mdatp_cron_job.log`
## For those who use Ansible, Chef, or Puppet
Use the following commands:
### To set cron jobs in Ansible
`cron Manage cron.d and crontab entries`
See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information.
### To set crontabs in Chef
`cron resource`
See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information.
### To set cron jobs in Puppet
Resource Type: cron
See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information.
Automating with Puppet: Cron jobs and scheduled tasks
See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information.
## Additional information
**To get help with crontab**
`man crontab`
**To get a list of crontab file of the current user**
`crontab -l`
**To get a list of crontab file of another user**
`crontab -u username -l`
**To backup crontab entries**
`crontab -l > /var/tmp/cron_backup.dat`
> [!TIP]
> Do this before you edit or remove. <br>
**To restore crontab entries**
`crontab /var/tmp/cron_backup.dat`
**To edit the crontab and add a new job as a root user**
`sudo crontab -e`
**To edit the crontab and add a new job**
`crontab -e`
**To edit other users crontab entries**
`crontab -u username -e`
**To remove all crontab entries**
`crontab -r`
**To remove other users crontab entries**
`crontab -u username -r`
**Explanation**
+—————- minute (values: 0 59) (special characters: , * /) <br>
| +————- hour (values: 0 23) (special characters: , * /) <br>
| | +———- day of month (values: 1 31) (special characters: , * / L W C) <br>
| | | +——- month (values: 1 12) (special characters: ,- * / ) <br>
| | | | +—- day of week (values: 0 6) (Sunday=0 or 7) (special characters: , * / L W C) <br>
| | | | |*****command to be executed

4
windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md
View File

@ -150,13 +150,13 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender
4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file:
```bash
$ security cms -S -N "<CertificateName>" -i <PathToFile>/com.apple.webcontent-filter.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig
$ security cms -S -N "<CertificateName>" -i <PathToFile>/com.microsoft.network-extension.mobileconfig -o <PathToSignedFile>/com.microsoft.network-extension.signed.mobileconfig
```
For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents:
```bash
$ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig
$ security cms -S -N "SigningCertificate" -i ~/Documents/com.microsoft.network-extension.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig
```
5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file.

92
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md
View File

@ -1,92 +0,0 @@
---
title: Microsoft Defender ATP for iOS - Privacy information
ms.reviewer:
description: Describes privacy information for Microsoft Defender ATP for iOS
keywords: microsoft, defender, atp, ios, policy, overview
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Privacy information - Microsoft Defender for Endpoint for iOS
> [!NOTE]
> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service.
For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy).
## Required data
Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
Here is a list of the types of data being collected:
### Web page or Network information
- Connection information only when a malicious connection or web page is detected.
- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected.
### Device and account information
- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following:
- Wi-Fi adapter MAC address
- Randomly generated globally unique identifier (GUID)
- Tenant, Device and User information
- Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory.
- Azure tenant ID - GUID that identifies your organization within Azure Active Directory.
- Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.
- User Principal Name Email ID of the user.
### Product and service usage data
The following information is collected only for Microsoft Defender for Endpoint app installed on the device.
- App package info, including name, version, and app upgrade status.
- Actions performed in the app.
- Crash report logs generated by iOS.
- Memory usage data.
## Optional Data
Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
Optional diagnostic data includes:
- App, CPU, and network usage for Defender for Endpoint.
- Features configured by the admin for Defender for Endpoint.
Feedback Data is collected through in-app feedback provided by the user.
- The users email address, if they choose to provide it.
- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).

5
windows/security/threat-protection/microsoft-defender-atp/network-protection.md
View File

@ -52,6 +52,11 @@ Windows 10 version | Microsoft Defender Antivirus
-|-
Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints.
- .smartscreen.microsoft.com
- .smartscreen-prod.microsoft.com
## Review network protection events in the Microsoft Defender for Endpoint Security Center
Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).

7
windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
View File

@ -104,12 +104,13 @@ needs.<br>
In the following section, you'll create a number of configuration policies.
First is a configuration policy to select which groups of users or devices will
be onboarded to Defender for Endpoint.
be onboarded to Defender for Endpoint:
- [Endpoint detection and response](#endpoint-detection-and-response)
Then you will continue by creating several
different types of endpoint security policies.
different types of endpoint security policies:
- [Endpoint detection and response](#endpoint-detection-and-response)
- [Next-generation protection](#next-generation-protection)
- [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules)