Threat protection
The Windows Defender Security Center app
Customize the Windows Defender Security Center app for your organization
Hide Windows Defender Security Center app notifications
Virus and threat protection
Device performance and health
Firewall and network protection
App and browser control
Family options
Windows Defender Advanced Threat Protection
### Get started
Minimum requirements
Validate licensing and complete setup
Troubleshoot subscription and portal access issues
Preview features
Data storage and privacy
Assign user access to the portal
Onboard machines
Onboard Windows 10 machines
Onboard machines using Group Policy
Onboard machines using System Center Configuration Manager
Onboard machines using Mobile Device Management tools
Onboard machines using Microsoft Intune
Onboard machines using a local script
Onboard non-persistent virtual desktop infrastructure (VDI) machines
Onboard servers
Onboard non-Windows machines
Run a detection test on a newly onboarded machine
Run simulated attacks on machines
Configure proxy and Internet connectivity settings
Troubleshoot onboarding issues
Understand the Windows Defender ATP portal
Portal overview
View the Security operations dashboard
View the Secure score dashboard and improve your secure score
View the Threat analytics dashboard and take recommended mitigation actions
### Investigate and remediate threats
#### Alerts queue
View and organize the Alerts queue
Manage alerts
Investigate alerts
Investigate files
Investigate machines
Investigate an IP address
Investigate a domain
Investigate a user account
#### Machines list
View and organize the Machines list
Manage machine group and tags
Alerts related to this machine
Machine timeline
Search for specific events
Filter events from a specific date
Export machine timeline events
Navigate between pages
Take response actions
Take response actions on a machine
Collect investigation package
Run antivirus scan
Restrict app execution
Remove app restriction
Isolate machines from the network
Release machine from isolation
Check activity details in Action center
Take response actions on a file
Stop and quarantine files in your network
Remove file from quarantine
Block files in your network
Remove file from blocked list
Check activity details in Action center
Deep analysis
####### Submit files for analysis
####### View deep analysis reports
####### Troubleshoot deep analysis
Use Automated investigation to investigate and remediate threats
Query data using Advanced hunting
Advanced hunting reference
Query language best practices
Enable conditional access to better protect users, devices, and data
### API and SIEM support
Pull alerts to your SIEM tools
Enable SIEM integration
Configure Splunk to pull alerts
Configure HP ArcSight to pull alerts
Windows Defender ATP alert API fields
Pull alerts using REST API
Troubleshoot SIEM tool integration issues
Use the threat intelligence API to create custom alerts
Understand threat intelligence concepts
Enable the custom threat intelligence application
Create custom threat intelligence alerts
PowerShell code examples
Python code examples
Experiment with custom threat intelligence alerts
Troubleshoot custom threat intelligence issues
Use the Windows Defender ATP exposed APIs
Supported Windows Defender ATP APIs
###### Actor
####### Get actor information
####### Get actor related alerts
###### Alerts
####### Get alerts
####### Get alert information by ID
####### Get alert related actor information
####### Get alert related domain information
####### Get alert related file information
####### Get alert related IP information
####### Get alert related machine information
###### Domain
####### Get domain related alerts
####### Get domain related machines
####### Get domain statistics
####### Is domain seen in organization
###### File
####### Block file API
####### Get file information
####### Get file related alerts
####### Get file related machines
####### Get file statistics
####### Get FileActions collection API
####### Unblock file API
###### IP
####### Get IP related alerts
####### Get IP related machines
####### Get IP statistics
####### Is IP seen in organization
###### Machines
####### Collect investigation package API
####### Find machine information by IP
####### Get machines
####### Get FileMachineAction object API
####### Get FileMachineActions collection API
####### Get machine by ID
####### Get machine log on users
####### Get machine related alerts
####### Get MachineAction object API
####### Get MachineActions collection API
####### Get machines
####### Get package SAS URI API
####### Isolate machine API
####### Release machine from isolation API
####### Remove app restriction API
####### Request sample API
####### Restrict app execution API
####### Run antivirus scan API
####### Stop and quarantine file API
###### User
####### Get alert related user information
####### Get user information
####### Get user related alerts
####### Get user related machines
### Reporting
Create and build Power BI reports using Windows Defender ATP data
### Check service health and sensor state
Check sensor state
Fix unhealthy sensors
Inactive machines
Misconfigured machines
Check service health
Configure Windows Defender ATP Settings
#### General
Update data retention settings
Configure alert notifications
Configure automation notifications
Enable and create Power BI reports using Windows Defender ATP data
Enable Secure score security controls
Configure advanced features
#### Permissions
Manage portal access using RBAC
Create and manage machine groups
#### APIs
Enable Threat intel
Enable SIEM integration
#### Rules
Manage suppression rules
Manage automation allowed/blocked
Manage automation file uploads
Manage automation folder exclusions
#### Machine management
Onboarding machines
Offboarding machines
Configure Windows Defender ATP time zone settings
Access the Windows Defender ATP Community Center
Troubleshoot Windows Defender ATP
Review events and errors on machines with Event Viewer
Windows Defender Antivirus compatibility with Windows Defender ATP
Windows Defender Antivirus in Windows 10
Windows Defender AV in the Windows Defender Security Center app
Windows Defender AV on Windows Server 2016
Windows Defender Antivirus compatibility
Use limited periodic scanning in Windows Defender AV
Evaluate Windows Defender Antivirus protection
Deploy, manage updates, and report on Windows Defender Antivirus
Deploy and enable Windows Defender Antivirus
Deployment guide for VDI environments
Report on Windows Defender Antivirus protection
Troubleshoot Windows Defender Antivirus reporting in Update Compliance
Manage updates and apply baselines
Manage protection and definition updates
Manage when protection updates should be downloaded and applied
Manage updates for endpoints that are out of date
Manage event-based forced updates
Manage updates for mobile devices and VMs
Configure Windows Defender Antivirus features
Utilize Microsoft cloud-delivered protection
Enable cloud-delivered protection
Specify the cloud-delivered protection level
Configure and validate network connections
Enable the Block at First Sight feature
Configure the cloud block timeout period
Configure behavioral, heuristic, and real-time protection
Detect and block Potentially Unwanted Applications
Enable and configure always-on protection and monitoring
Configure end-user interaction with Windows Defender AV
Configure the notifications that appear on endpoints
Prevent users from seeing or interacting with the user interface
Prevent or allow users to locally modify policy settings
Customize, initiate, and review the results of scans and remediation
Configure and validate exclusions in Windows Defender AV scans
Configure and validate exclusions based on file name, extension, and folder location
Configure and validate exclusions for files opened by processes
Configure exclusions in Windows Defender AV on Windows Server 2016
Configure scanning options in Windows Defender AV
Configure remediation for scans
Configure scheduled scans
Configure and run scans
Review scan results
Run and review the results of a Windows Defender Offline scan
Review event logs and error codes to troubleshoot issues
Manage Windows Defender AV in your business
Use Group Policy settings to configure and manage Windows Defender AV
Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
Use PowerShell cmdlets to configure and manage Windows Defender AV
Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV
Windows Defender Exploit Guard
Evaluate Windows Defender Exploit Guard
Use auditing mode to evaluate Windows Defender Exploit Guard
View Exploit Guard events
Exploit protection
Comparison with Enhanced Mitigation Experience Toolkit
Evaluate Exploit protection
Enable Exploit protection
Customize Exploit protection
Import, export, and deploy Exploit protection configurations
Attack surface reduction
Evaluate Attack surface reduction
Enable Attack surface reduction
Customize Attack surface reduction
Troubleshoot Attack surface reduction rules
Network Protection
Evaluate Network Protection
Enable Network Protection
Troubleshoot Network protection
Controlled folder access
Evaluate Controlled folder access
Enable Controlled folder access
Customize Controlled folder access
Windows Defender Application Control
Enable HVCI
AppLocker
Administer AppLocker
Maintain AppLocker policies
Edit an AppLocker policy
Test and update an AppLocker policy
Deploy AppLocker policies by using the enforce rules setting
Use the AppLocker Windows PowerShell cmdlets
Use AppLocker and Software Restriction Policies in the same domain
Optimize AppLocker performance
Monitor app usage with AppLocker
Manage packaged apps with AppLocker
Working with AppLocker rules
Create a rule that uses a file hash condition
Create a rule that uses a path condition
Create a rule that uses a publisher condition
Create AppLocker default rules
Add exceptions for an AppLocker rule
Create a rule for packaged apps
Delete an AppLocker rule
Edit AppLocker rules
Enable the DLL rule collection
Enforce AppLocker rules
Run the Automatically Generate Rules wizard
Working with AppLocker policies
Configure the Application Identity service
Configure an AppLocker policy for audit only
Configure an AppLocker policy for enforce rules
Display a custom URL message when users try to run a blocked app
Export an AppLocker policy from a GPO
Export an AppLocker policy to an XML file
Import an AppLocker policy from another computer
Import an AppLocker policy into a GPO
Add rules for packaged apps to existing AppLocker rule-set
Merge AppLocker policies by using Set-ApplockerPolicy
Merge AppLocker policies manually
Refresh an AppLocker policy
Test an AppLocker policy by using Test-AppLockerPolicy
AppLocker design guide
Understand AppLocker policy design decisions
Determine your application control objectives
Create a list of apps deployed to each business group
Document your app list
Select the types of rules to create
Document your AppLocker rules
Determine the Group Policy structure and rule enforcement
Understand AppLocker enforcement settings
Understand AppLocker rules and enforcement setting inheritance in Group Policy
Document the Group Policy structure and AppLocker rule enforcement
Plan for AppLocker policy management
Document your application control management processes
Create your AppLocker planning document
AppLocker deployment guide
Understand the AppLocker policy deployment process
Requirements for Deploying AppLocker Policies
Use Software Restriction Policies and AppLocker policies
Create Your AppLocker policies
Create Your AppLocker rules
Deploy the AppLocker policy into production
Use a reference device to create and maintain AppLocker policies
Determine which apps are digitally signed on a reference device
Configure the AppLocker reference device
AppLocker technical reference
What Is AppLocker?
Requirements to use AppLocker
AppLocker policy use scenarios
How AppLocker works
Understanding AppLocker rule behavior
Understanding AppLocker rule exceptions
Understanding AppLocker rule collections
Understanding AppLocker allow and deny actions on rules
Understanding AppLocker rule condition types
Understanding the publisher rule condition in AppLocker
Understanding the path rule condition in AppLocker
Understanding the file hash rule condition in AppLocker
Understanding AppLocker default rules
Executable rules in AppLocker
Windows Installer rules in AppLocker
Script rules in AppLocker
DLL rules in AppLocker
Packaged apps and packaged app installer rules in AppLocker
AppLocker architecture and components
AppLocker processes and interactions
AppLocker functions
Security considerations for AppLocker
Tools to Use with AppLocker
Using Event Viewer with AppLocker
AppLocker Settings
Control the health of Windows 10-based devices
Device Guard deployment guide
Introduction to Device Guard: virtualization-based security and WDAC
Requirements and deployment planning guidelines for Device Guard
Planning and getting started on the Device Guard deployment process
Deploy WDAC
Optional: Create a code signing certificate for WDAC
Deploy WDAC: policy rules and file rules
Steps to deploy WDAC
Deploy catalog files to support WDAC
Deploy Managed Installer for Device Guard
Deploy Device Guard: enable virtualization-based security
Windows Defender SmartScreen
Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings
Set up and use Windows Defender SmartScreen on individual devices
## Windows Defender Application Guard
### System requirements for Windows Defender Application Guard
### Prepare and install Windows Defender Application Guard
### Configure the Group Policy settings for Windows Defender Application Guard
### Testing scenarios using Windows Defender Application Guard in your business or organization
### Frequently Asked Questions - Windows Defender Application Guard