Threat Protection PDF | Windows 10 | Computer Security

Chapter 2

To do this, these three components actually consist of a variety of front-end and back-end applications and services, as described in the sections of this chapter. However, there are many Microsoft 365 components operating beneath the immediately visible applications that help to protect users and their data and provide them with intelligent communication and collaboration services.

Windows 10 Enterprise

Windows 10 is the operating system that enables users to access both the Office productivity applications and the services provided by the other Microsoft 365 components.

The Microsoft 365 Enterprise plans include the Enterprise edition of Windows 10. The Enterprise edition of Windows 10 includes security measures, deployment tools, and manageability functions that go beyond those of Windows 10 Pro, providing administrators of enterprise networks with centralized and automated protection of, and control over, fleets of workstations.

Some of the additional features included in Windows 10 Enterprise are described in the following sections.

Security

All Windows 10 editions include Windows Defender, which protects the operating system from various types of malware. However, compared to Windows 10 Pro, Windows 10 Enterprise includes several enhancements to the Windows Defender software, including the following functions:

Windows Defender Application Guard This enables enterprise administrators to create lists of trusted Internet sites, cloud resources, and intranet networks.

When a user accesses a site that is not on the trusted list using Microsoft Edge or Internet Explorer, Windows 10 automatically creates a Hyper-V container and opens the untrusted resource within the isolated environment that the container provides. The result is that if the untrusted resource turns out to be malicious, the attacker is confined to the container, which by default is discarded when the browsing session ends, and the host computer remains protected. Because Application Guard depends on the Hyper-V virtualization extensions of the host, it is available only on 64-bit hardware that supports them.

Windows Defender Application Control (WDAC) In the traditional model, applications are trusted to run until they are proven otherwise; WDAC reverses this. WDAC prevents a system from running any applications, plug-ins, add-ins, and other software modules that have not been identified as trusted by a policy created with Microsoft Intune or Group Policy. Because a badly scoped policy can block legitimate software, WDAC policies are normally deployed in audit mode first, where violations are only logged, and switched to enforcement after the log has been reviewed.

Windows Defender Advanced Threat Protection (ATP) In addition to its endpoint detection and response capabilities, ATP protects the files in key system folders from unauthorized modification or encryption by ransomware and other attacks (controlled folder access), applies exploit mitigation techniques to protect against known threats (exploit protection), extends the reputation-based network protection provided by Windows Defender SmartScreen to all processes, and performs automated real-time investigation and remediation of security breaches.

Updates

Windows 10 performs system updates differently from previous Windows versions, replacing the major service packs released every few years with semi-annual feature updates.
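Configuring the Windows 10 Enterprise security features just described on a reference machine, as an added example that is not part of the original chapter. It assumes an elevated PowerShell 5.1 session on Windows 10 Enterprise; the C:\WDAC working folder, the D:\Finance protected folder, and starting every control in audit mode are this example's choices, not settings the chapter prescribes.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Application Guard, build a WDAC policy, and turn on the
# Defender ATP host protections, all in audit mode so nothing is blocked yet.

# 1. Windows Defender Application Guard is an optional feature (needs Hyper-V-capable hardware).
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

# 2. WDAC: build an allow-list policy from everything installed on this reference image.
#    -Level Publisher trusts signed code by its signer certificate; -Fallback Hash covers
#    unsigned binaries; -UserPEs includes user-mode files, not just kernel drivers.
New-Item -ItemType Directory -Path C:\WDAC -Force | Out-Null       # assumed working folder
New-CIPolicy -FilePath C:\WDAC\Policy.xml -Level Publisher -Fallback Hash -ScanPath C:\ -UserPEs
# Rule option 3 = "Enabled:Audit Mode": violations are logged as Event ID 3076 in the
# Microsoft-Windows-CodeIntegrity/Operational log instead of being blocked (3077 when enforced).
Set-RuleOption -FilePath C:\WDAC\Policy.xml -Option 3
ConvertFrom-CIPolicy -XmlFilePath C:\WDAC\Policy.xml -BinaryFilePath C:\WDAC\SIPolicy.p7b
# To apply locally, copy SIPolicy.p7b to C:\Windows\System32\CodeIntegrity\ and reboot;
# at scale, deliver the same .p7b through Group Policy or Intune as the chapter describes.

# 3. Controlled folder access: the ransomware protection for key folders, audit first.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # assumed path

# 4. Network protection: SmartScreen-style reputation checks for every process, not only the browser.
Set-MpPreference -EnableNetworkProtection AuditMode

# 5. One attack surface reduction rule: "Block all Office applications from creating child
#    processes". The GUID is Microsoft's published identifier for that rule.
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Review the resulting state before changing any of the above from AuditMode to Enabled.
Get-MpPreference | Select-Object EnableControlledFolderAccess, EnableNetworkProtection,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Audit mode is the point of the exercise: a WDAC policy built from one reference image blocks anything that was not on it, and the CodeIntegrity and Windows Defender operational logs are the evidence of what would have been blocked. Only after that evidence has been reviewed, and the policy amended with any missing publishers, should the rule option be removed and the other controls switched to Enabled.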

The Windows Update process is automated by default for the typical Windows user, but network administrators can still intervene in the process for the purpose of testing update releases before they are generally deployed. Microsoft provides the following tools for the administration of updates:

Windows Update for Business This is a free cloud-based service that enables administrators to defer, schedule, and pause update deployments to specific workstations. Administrators can configure the service to allow the installation of updates on designated test systems only, and then deploy the updates to the remaining workstations later if no problems arise. If there are problems with particular updates, administrators can pause their deployment for up to 35 days at a time.

Windows Server Update Services (WSUS) This is a free server role included with Windows Server that enables administrators to manage system updates internally by downloading releases to a WSUS server as they become available, testing them as needed, and then deploying them to workstations on a specific schedule.

WSUS not only enables administrators to exercise complete control over the update deployment process, it also reduces the Internet bandwidth used by the update process by downloading releases only once and then distributing them using the internal network.

Administrators can install multiple WSUS servers and distribute update approvals and release schedules among them, making the system highly scalable. While administrators can use these tools to manage updates on workstations running any version of Windows, there are additional enhancements for Windows 10 Enterprise workstations, including their manageability with the Desktop Analytics tool.
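The deferral and pause settings that Windows Update for Business exposes are ordinary policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, the same values that the Group Policy objects and the Intune Update CSP write. The following PowerShell, added here and not part of the original chapter, applies a pilot-ring configuration to one workstation and reads it back; the day counts, the pause date, and the function names are this example's assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: Windows Update for Business deferral policy on a single Windows 10 device.
# Run in an elevated PowerShell session; Windows honours the values at its next update scan.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-WufbDeferral {
    param(
        [ValidateRange(0, 365)] [int] $FeatureDays,     # feature updates can be deferred up to 365 days
        [ValidateRange(0, 30)]  [int] $QualityDays,     # quality (monthly) updates up to 30 days
        [datetime] $PauseFeatureUpdatesFrom             # optional; Windows ends a pause after 35 days
    )
    New-Item -Path $WuPolicy -Force | Out-Null
    # BranchReadinessLevel 16 = Semi-Annual Channel.
    Set-ItemProperty -Path $WuPolicy -Name BranchReadinessLevel            -Type DWord -Value 16
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdates             -Type DWord -Value 1
    Set-ItemProperty -Path $WuPolicy -Name DeferFeatureUpdatesPeriodInDays -Type DWord -Value $FeatureDays
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdates             -Type DWord -Value 1
    Set-ItemProperty -Path $WuPolicy -Name DeferQualityUpdatesPeriodInDays -Type DWord -Value $QualityDays
    if ($PSBoundParameters.ContainsKey('PauseFeatureUpdatesFrom')) {
        # The pause start is stored as a yyyy-MM-dd string; delete the value to lift the pause early.
        Set-ItemProperty -Path $WuPolicy -Name PauseFeatureUpdatesStartTime -Type String `
            -Value $PauseFeatureUpdatesFrom.ToString('yyyy-MM-dd')
    }
}

function Get-WufbDeferral {
    # Reports the effective policy and flags the classic "dual scan" trap: a device pointed at
    # WSUS (AU\UseWUServer = 1) that also carries deferral policies will, on many Windows 10
    # builds, scan Windows Update directly and bypass WSUS approvals unless DisableDualScan = 1.
    $p  = Get-ItemProperty -Path $WuPolicy      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuPolicy\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureDeferralDays = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferralDays = $p.DeferQualityUpdatesPeriodInDays
        FeaturePausedSince  = $p.PauseFeatureUpdatesStartTime
        UsesWsus            = [bool]$au.UseWUServer
        DualScanRisk        = ([bool]$au.UseWUServer) -and ($p.DisableDualScan -ne 1)
    }
}

# Assumed pilot ring: wait one week for quality updates and two months for feature updates.
Set-WufbDeferral -FeatureDays 60 -QualityDays 7
Get-WufbDeferral
```

The DualScanRisk check is the caveat worth keeping: organisations that move from WSUS to Windows Update for Business gradually often end up with both sets of policies on the same device, and the symptom is machines that quietly install feature updates WSUS never approved.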

Upgrade Readiness Desktop Analytics collects information about Windows, Office 365, and other applications and drivers and analyzes it to identify any compatibility issues that might interfere with an upgrade.

Update Compliance Desktop Analytics gathers Windows 10 information about the progress of operating system update deployments, as well as Windows Defender Antivirus signature and result data, Windows Update for Business configuration settings, and Delivery Optimization usage data. After analyzing the information, Desktop Analytics reports any update compliance issues that might need administrative attention.

Device Health A Desktop Analytics solution that uses the enhanced diagnostic data generated by Windows 10 to identify devices and drivers that are causing regular crashes.

The tool also provides potential remediations, such as alternative driver versions or application replacements. Desktop Analytics is an enhanced version of the earlier Windows Analytics tool that integrates with System Center Configuration Manager (SCCM) and provides these same functions for Windows 10 Enterprise workstations.

Long-Term Servicing Channel (LTSC) Windows 10 Enterprise LTSC systems receive the monthly quality updates, but they do not receive the semi-annual feature updates. New LTSC releases are made available every two to three years, but administrators can choose when or whether to install them. This enables an LTSC system to maintain a consistent feature set throughout its life cycle, so that it remains compliant with its designated function.

Management

Microsoft provides many enhancements to the enterprise management environment that enable administrators to simplify the process of deploying and configuring Windows 10 Enterprise workstations.

Windows Autopilot This is a cloud-based feature that is designed to simplify and automate the process of deploying Windows 10 workstations on an enterprise network. Instead of having to create and maintain images and drivers for every computer model, Autopilot uses cloud-based settings and policies to reconfigure the OEM-installed operating system into a user-ready workstation, even installing applications and upgrading Windows 10 Pro to the Windows 10 Enterprise edition (through a new product key or, with a Windows 10 Enterprise E3/E5 subscription, through subscription activation).

Microsoft Application Virtualization (App-V) This enables Windows workstations to run Win32 applications that are packaged and streamed from an App-V server rather than installed on the local disk; the application runs on the workstation inside an isolated virtual environment, so it does not modify the local system. Administrators must install the App-V server components and publish the desired applications. The App-V client is built into Windows 10 Enterprise, so no additional client installation is necessary.

The client does have to be enabled, however; administrators can enable it using either Group Policy settings or the Enable-Appv cmdlet in Windows PowerShell.

Microsoft User Experience Virtualization (UE-V) This is the feature that enables Windows workstations to store user-customized operating system and application settings on a network share and sync them across multiple devices.

Windows 10 Business The Microsoft 365 Business plan does not include the full Windows 10 package because the assumption is that potential deployers already have, or will be purchasing, computers with a Windows OEM operating system installed.

However, Windows 10 is required for the end-user workstations to function with the Microsoft 365 services, so the Microsoft 365 Business plan does include upgrade benefits to Windows 10 Pro for computers that are currently running Windows 7 or Windows 8. Microsoft 365 Business also includes an enhancement called Windows 10 Business, which enables Windows 10 Pro to function with the cloud-based management and security controls in Microsoft 365, including Windows Autopilot.

Exchange Online

All of the Microsoft 365 Enterprise and Microsoft 365 Business plans include access to Exchange Online for all of their users. This eliminates the need for organizations to install and maintain their own on-premises Exchange servers. As with Microsoft Azure, Exchange Online is multitenant: it uses shared servers in Microsoft data centers to host the mailboxes and other services for multiple subscribers, with each tenant's data logically isolated from the others.

The Exchange Online services available include the following:

Mailboxes Each user is provided with mail storage, the amount of which is based on the Microsoft 365 plan. An In-Place Archive provides additional storage for mail. Exchange also supports shared mailboxes for groups of users that share responsibility for incoming mail.

Calendars Users keep calendars in their mailboxes and can share them with other users to create a unified scheduling and collaboration environment.

Shared calendars Users can share their calendars for scheduling, task management, and conference room booking. Exchange Online also provides a global address book, group management, and mailbox delegation.

Exchange Online Protection (EOP) EOP scans incoming email for spam and malicious code and forwards, deletes, or quarantines potentially dangerous messages based on rules established by administrators.

Unified Messaging (UM) UM enables administrators to combine email messages with voice mail, so that both message types are stored in a single mailbox for each user. UM provides standard voice mail features, including call answering, and enables users to listen to their messages from the Outlook Inbox or by using Outlook Voice Access from any telephone. (Microsoft has since retired Unified Messaging from Exchange Online in favor of Cloud Voicemail.)

Data Loss Prevention (DLP) DLP enables administrators to create policies that protect sensitive company information by using deep content analysis to filter messaging traffic based on keywords, regular expressions, dictionary terms, and other criteria, and then take specific actions based on the type of information detected.

For example, a DLP policy can identify email messages that contain credit card numbers and either notify the sender, encrypt the messages, or block them outright. More complex policies can identify specific types of company documents and use document fingerprinting to identify their source. Because a rule that blocks mail can disrupt legitimate business traffic, new DLP policies are normally run in test mode, which reports matches without enforcing them, before they are enabled.

Microsoft maintains two Exchange Online subscription plans: Plan 1, which is included with Microsoft 365 Business, and Plan 2, which has additional features and is included with Microsoft 365 Enterprise. The features included in each plan are listed in a table in the original chapter.

Microsoft 365 administrators do not have direct access to the Exchange Online servers, but they can access the Exchange Admin Center from a link in the Microsoft 365 Admin Center to manage Exchange-specific settings using a web-based interface, as shown in the corresponding figure. From the Exchange Admin Center, administrators can:

- Configure mail flow options to integrate on-premises mail servers or third-party mail services into the message handling solution
- Enable calendar sharing with outside organizations or between users on-premises and in the cloud
- Manage hierarchical and offline address books, address lists, and address book policies
- Create and manage a public folder hierarchy for document sharing and collaboration
- Create and manage client access rules to restrict access to Exchange Online based on client platform, IP address, authentication type, location, and other criteria
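The credit-card DLP policy described above and a client access rule of the kind listed last, created with the Exchange Online Management PowerShell module. This is an added example, not part of the original chapter; the tenant (contoso.example), the policy and rule names, the report mailbox, and the 203.0.113.0/24 corporate range are assumptions.

```powershell
# Added example: Exchange Online DLP policy plus a client access rule, via Exchange Online PowerShell.
Import-Module ExchangeOnlineManagement

# --- DLP policies live in the Security & Compliance endpoint ---
Connect-IPPSSession -UserPrincipalName admin@contoso.example          # assumed admin account

# Start in test mode with user notifications so the hit rate can be reviewed before anything is blocked.
New-DlpCompliancePolicy -Name 'PCI - Credit Card Numbers' `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'Notify senders and block outbound mail carrying payment card numbers'

New-DlpComplianceRule -Name 'Block outbound credit card numbers' `
    -Policy 'PCI - Credit Card Numbers' `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `                                   # only mail leaving the tenant
    -NotifyUser Owner `                                                # policy tip / mail to the sender
    -BlockAccess $true `                                               # the "block outright" action
    -GenerateIncidentReport 'security@contoso.example' `               # assumed SOC mailbox
    -ReportSeverityLevel High

# Once the incident reports from test mode look right, switch the policy to enforcement:
# Set-DlpCompliancePolicy -Identity 'PCI - Credit Card Numbers' -Mode Enable

# --- Client access rules live in Exchange Online itself ---
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Deny Exchange Web Services unless the client connects from the corporate address range.
New-ClientAccessRule -Name 'EWS only from corporate network' `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeWebServices `
    -ExceptAnyOfClientIPAddressesOrRanges 203.0.113.0/24 `            # assumed corporate range
    -Priority 1

# Ask the rule engine how a specific connection would be treated before relying on the rule.
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol ExchangeWebServices `
    -RemoteAddress 198.51.100.7 -RemotePort 443 -User user@contoso.example
```

Two cautions. EWS is used by more than interactive clients (migration tools, calendar integrations, some archiving products), so a DenyAccess rule should be tested with Test-ClientAccessRule against every source address that matters before it goes live; and never deny the RemotePowerShell protocol without an exception covering the address you administer from. Microsoft has also announced the retirement of client access rules in Exchange Online in favor of Azure AD Conditional Access, so new deployments should treat them as a stopgap.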

SharePoint Online

Microsoft SharePoint is a web-based collaboration tool that was originally introduced as an on-premises server product. SharePoint Online is the cloud-based equivalent that is included with all Microsoft 365 plans. SharePoint Online is a service that administrators and workers can use to create websites for document management, distribution, and collaboration. At its simplest, SharePoint Online users can create a document library on the web and upload their files to it.

The files are then accessible from any device that has access to the site. Because SharePoint Online is part of Office 365, editing a library document opens it in the appropriate Office application, whether installed on a desktop or part of Office Online.

Users can share their library files with other users with varying degrees of access by assigning permissions to them. A scenario in which an organization or user wants to post documents to a library for many users to access is called a communication site.

For example, a company could use SharePoint Online to create a library of human resources documents for all employees to access. SharePoint includes customization capabilities that enable administrators to design websites with modern graphical components, as shown in the corresponding figure. By creating a team site, a designated group of users can work simultaneously on documents that only they can access. SharePoint Online maintains multiple versions of the files in a library, so that users can review the iterations of a document throughout its history.

Communication sites and team sites are linked together in SharePoint Online by hub sites, which provide centralized navigation to the subordinate sites and downstream searching. The SharePoint Online service included in Microsoft 365 can host multiple hub, communication, and team sites, as shown in the corresponding figure, and administrators can take advantage of their security and manageability features.

The documents uploaded to SharePoint Online sites are protected against malicious code by the same anti-malware engine used by Exchange, as well as by Data Loss Prevention. SharePoint also can control group memberships and document permissions with user identities taken from Active Directory and Azure Active Directory.

An organization can also purchase additional storage, up to a maximum of 25 TB per site collection. An organization can create up to one million site collections. A SharePoint Online library can have up to 30 million files and folders, although there are limitations once a single view exceeds 5,000 items (the list view threshold). Individual files can be up to 15 GB in size, and SharePoint can maintain up to 50,000 versions of each file.

SharePoint groups can have up to 5,000 users, and a user can be a member of up to 5,000 groups. Therefore, SharePoint Online can support enormous installations serving very large user populations.

Microsoft Teams

Teams is a client interface that works together with the other Microsoft 365 services to create a unified collaboration environment, as shown in the corresponding figure. The Teams client provides real-time chat and the ability to make and receive calls, but the other tools incorporated into the client are provided by other Microsoft 365 services. A channel enables its members to post text and images, as well as information from outside social media services.

Teams messaging is an independent service that does not rely on email or SMS messaging for communication. Teams also supports the transmission of private one-to-one messages between users. Video conferencing is also possible within the Teams client software. Membership and authentication in Microsoft Teams are provided by Office 365 Groups, which store their identity information in Azure Active Directory. Files shared in a team's channels are stored in the team's SharePoint Online site, while files shared in private chats are stored in the sender's OneDrive for Business.

Team websites, implemented using SharePoint Online, are also accessible through the Teams client. Group mailboxes and event and meeting scheduling are provided by Exchange Online and accessed via Outlook. To host and preserve meetings on video, Teams can use the Microsoft Stream service.

Teams is highly scalable and can support collaborative environments ranging from small workgroups to large departments to gigantic presentations, webinars, and conferences. For example, multiple vendors are working on H. Skype for Business Online is being deprecated. Current users must switch to Microsoft Teams when their current Skype for Business Online terms expire.

Enterprise Mobility + Security (EMS)

In achieving this end, the product incorporates two current technologies that introduce new security and access control issues: the cloud and portable computing devices.

For the features highlighted in Microsoft 365 to function as intended, users must be able to access their colleagues and their data from any location, using any device. For the administrators of Microsoft 365, the users must be able to do their work securely and reliably, even when they are using devices not supplied by the company. EMS is a cloud-based management and security suite that consists of several components that were at one time separate products.

Together, these components supply services to Microsoft 365 in the following primary areas:

- Identity and access management
- Mobile device and application management
- Information management and protection
- Cybersecurity and risk management

The components that make up EMS are described in the following sections.

Azure Active Directory

A directory service is a database of objects, including users and computers, that provides authentication and authorization services for network resources. Azure AD provides a Microsoft 365 deployment with identity and access management services that extend beyond the on-premises network into the cloud. Azure AD enhances the security of the Microsoft 365 environment by supporting multifactor authentication, which requires users to verify their identities in two or more ways, such as with a password and a biometric factor such as a fingerprint. In practice, administrators enforce this through Conditional Access policies, which can also require that the device being used is managed and compliant.

Azure AD can also provide authentication and authorization services for internal resources, such as on-premises applications and services. For organizations with an existing Windows Server-based AD infrastructure, Azure AD Connect synchronizes identities from the internal domain controllers to Azure AD, creating a hybrid directory service solution that shares the advantages of both implementations.

Microsoft Intune

Using Intune, even operating systems that are not able to join an Active Directory domain can access protected resources. Administrators can use Intune to create standards for the configuration of security settings that a device must meet before it can access protected resources.

For example, an administrator can require that a device uses a particular type of authentication or specify that only certain applications can access company data. Intune can even ensure that sensitive data is removed from a device when an app shuts down, or selectively wipe company data from a device without touching the user's personal data. This type of control enables Microsoft 365 to maintain the security of its resources without the need for administrators to take complete control over user-owned devices.
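The way the Azure AD multifactor requirement and the Intune device-compliance requirement are actually joined together is an Azure AD Conditional Access policy. The following is an added example, not part of the original chapter, creating such a policy with the Microsoft Graph PowerShell SDK; the break-glass group ID, the policy name, and the decision to start in report-only mode are this example's assumptions.

```powershell
# Added example: Conditional Access policy requiring MFA AND an Intune-compliant device
# for every user and every cloud app, created through Microsoft Graph.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Assumed: an Azure AD group holding the emergency-access ("break-glass") accounts.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA and compliant device for all users'
    # Report-only first: the sign-in log records what the policy WOULD have done
    # without locking anyone out while the effect is assessed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out the emergency accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # AND: the user must satisfy MFA and present an Intune-compliant device.
        # (OR would accept either one, which is a much weaker policy.)
        operator        = 'AND'
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the review period, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The compliantDevice control is where Intune enters the picture: the device must be enrolled and must meet the compliance policy configured in Intune (encryption, OS version, no jailbreak, and so on), which is exactly the "standards a device must meet before it can access protected resources" the chapter describes. Legacy authentication clients that cannot perform MFA will simply fail under this policy, which is the desired outcome but should be discovered in report-only mode rather than in production.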

Azure Information Protection

Azure Information Protection (AIP) is a system that enables users and administrators to apply labels to documents and emails that classify the information they contain.

The labels can be configured to specify how applications treat the information and, optionally, take steps to protect it. AIP can apply labels to specific documents, or it can follow rules created by administrators to identify sensitive data in any document.

For example, an administrator can create a rule that identifies data patterns associated with credit card or social security numbers in a Word document as a user is creating it. When the user attempts to save the document, AIP warns the user to apply the label, as shown in the corresponding figure. When a user agrees to classify a document as sensitive, the application can apply a watermark or other visual indicator, which will persist in the document wherever it is stored. Based on the rules created by administrators, documents labeled by AIP can be protected using encryption, identity restrictions, authorization policies, and other methods. Because the protection travels with the document rather than with its storage location, it continues to apply after the file has been copied, emailed, or downloaded.

For example, when an email message contains sensitive data, AIP can exercise control over the email client application, preventing users from clicking the Reply All or Forward button. In the same way, AIP can restrict Office documents to non-printing or read-only status. These usage restrictions are enforced by cooperating client applications; they limit what a compliant application will allow and do not prevent a recipient from, for example, photographing the screen.

Microsoft Advanced Threat Analytics

Advanced Threat Analytics (ATA) is an on-premises solution that gathers information from a wide variety of enterprise sources and uses it to anticipate, detect, and react to security threats and attacks.

ATA receives log and event information from Windows systems, and also captures the network traffic generated by security-related protocols, such as Kerberos and NTLM, either by port-mirroring domain controller traffic to an ATA Gateway or by running a Lightweight Gateway on the domain controllers themselves. Using this gathered information, ATA builds up profiles of applications, services, and users. By learning the normal behavior of these entities, ATA can detect anomalous behavior when it occurs and ascertain whether that behavior is suspicious, based on known attack patterns such as pass-the-hash, pass-the-ticket, and reconnaissance. ATA is one of several Microsoft technologies that uses advanced intelligence to anticipate needs before they occur.
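A toy version of the behavioral-baseline idea behind ATA, added here as an example that is not part of the original chapter and is not ATA's own logic. It runs over constructed records standing in for Kerberos service-ticket requests (the fields of Windows Event ID 4769): a learning window builds each user's profile of source hosts and requested services, after which requests from a never-seen host, for a never-seen service, or fanning out to many services in one hour are flagged. The records, the seven-day window, and the threshold are assumptions.

```powershell
# Added example: profile-then-detect over constructed Kerberos TGS request records.
# Constructed sample data (not real log output): who asked for a ticket, from where, for what.
$events = @(
    [pscustomobject]@{ Time='2019-03-01 09:02'; User='alice'; Source='10.0.1.15';  Service='cifs/fs01' }
    [pscustomobject]@{ Time='2019-03-01 09:05'; User='alice'; Source='10.0.1.15';  Service='http/intranet' }
    [pscustomobject]@{ Time='2019-03-02 08:58'; User='alice'; Source='10.0.1.15';  Service='cifs/fs01' }
    [pscustomobject]@{ Time='2019-03-02 09:10'; User='bob';   Source='10.0.1.22';  Service='cifs/fs01' }
    [pscustomobject]@{ Time='2019-03-03 09:01'; User='alice'; Source='10.0.1.15';  Service='cifs/fs01' }
    # Day 8, 03:00: alice's account requests tickets for many services from a new host.
    [pscustomobject]@{ Time='2019-03-08 03:00'; User='alice'; Source='10.0.9.200'; Service='cifs/fs01' }
    [pscustomobject]@{ Time='2019-03-08 03:00'; User='alice'; Source='10.0.9.200'; Service='cifs/fs02' }
    [pscustomobject]@{ Time='2019-03-08 03:01'; User='alice'; Source='10.0.9.200'; Service='mssqlsvc/db01' }
    [pscustomobject]@{ Time='2019-03-08 03:01'; User='alice'; Source='10.0.9.200'; Service='ldap/dc01' }
)

function Get-KerberosAnomalies {
    param([object[]] $Events, [datetime] $BaselineEnd, [int] $FanOutThreshold = 3)

    # Phase 1: learn each user's normal source hosts and services during the baseline window.
    $baseline = @{}
    foreach ($e in $Events | Where-Object { [datetime]$_.Time -le $BaselineEnd }) {
        if (-not $baseline.ContainsKey($e.User)) { $baseline[$e.User] = @{ Sources = @{}; Services = @{} } }
        $baseline[$e.User].Sources[$e.Source]   = $true
        $baseline[$e.User].Services[$e.Service] = $true
    }

    # Phase 2: score everything after the window against the learned profile.
    $findings = @()
    $later = $Events | Where-Object { [datetime]$_.Time -gt $BaselineEnd }
    foreach ($e in $later) {
        $p = $baseline[$e.User]
        if ($null -eq $p) { $findings += "$($e.Time) $($e.User): no baseline profile for this user"; continue }
        if (-not $p.Sources.ContainsKey($e.Source)) {
            $findings += "$($e.Time) $($e.User): ticket request from never-seen host $($e.Source)"
        }
        if (-not $p.Services.ContainsKey($e.Service)) {
            $findings += "$($e.Time) $($e.User): first-ever request for service $($e.Service)"
        }
    }

    # Fan-out: many distinct services in one hour resembles service-ticket harvesting (Kerberoasting-style).
    $later |
        Group-Object -Property { "$($_.User) $(([datetime]$_.Time).ToString('yyyy-MM-dd HH'))" } |
        Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $FanOutThreshold } |
        ForEach-Object { $findings += "$($_.Name): $($_.Group.Count) service tickets in one hour" }

    return $findings
}

# Assumed seven-day learning window; everything after it is scored.
Get-KerberosAnomalies -Events $events -BaselineEnd ([datetime]'2019-03-07')
```

On the constructed data every day-8 request is reported for coming from 10.0.9.200, three of them for services alice never used, plus one fan-out finding for the 03:00 hour. The real product does the same kind of thing with far richer features (time-of-day, protocol, resource sensitivity) and with confidence scoring rather than hard thresholds, but the shape of the problem, learn normal then score deviations, is the same.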

In this case, the need is for intervention, whether automated or human, in a potentially dangerous security situation. ATA has since reached the end of mainstream support; its cloud-based successor is Azure ATP, described later in this section.

Microsoft Cloud App Security

Users frequently adopt cloud applications without the knowledge or approval of the IT department. Microsoft has started calling these clandestine cloud apps Shadow IT, and they obviously present a security hazard. Cloud App Security is a cloud access security broker (CASB) product that enables Microsoft 365 administrators to scan their networks for the cloud apps that users are accessing, assess their security risk, and manage them on an ongoing basis.

Cloud App Security examines traffic logs and firewall and proxy information to discover the cloud apps in use. After determining whether the apps present a danger to data, identities, or other resources, administrators can then sanction or unsanction specific apps to allow or prevent user access to them.

Advanced Threat Protection

Microsoft 365 includes several Advanced Threat Protection (ATP) engines: Office 365 ATP for mail and documents, Windows Defender ATP for endpoints, and Azure ATP for user activity. Each ATP engine is designed to use machine intelligence to prevent, detect, and respond to the security threats unique to its environment.

Azure ATP is the cloud-hosted successor to ATA. Its primary concern is the identities in the organization's directory, so it deploys sensors on the on-premises Active Directory domain controllers, looks for anomalous user and entity behavior, and compares it to the patterns attackers use when moving laterally and escalating privileges. (Risky sign-ins to Azure Active Directory itself are covered by the separate Azure AD Identity Protection feature.)

Many of the core Microsoft 365 services are also available as on-premises products. For example, an organization can use Exchange Online for email and scheduling or install its own servers and run an on-premises version of Exchange.

As in any trade-off situation, there are advantages and disadvantages to both sides.

Deployment

A cloud-based service is always simpler to deploy than an on-premises server-based product because the service is provided to the subscriber in an installed and operational state. There is no need to design an infrastructure, obtain hardware, or install server software. An administrator can begin to work with the service immediately after subscribing to it, creating user objects, Exchange mailboxes, or SharePoint sites that are up and running in minutes, instead of days or weeks.

Updates

One significant advantage to using the cloud-based version of any of these applications or services is that they are regularly and automatically updated with the latest version of the software. Administrators are relieved of the need to download, evaluate, and deploy updates as they are released. The trade-off is that the subscriber has little control over when a change arrives and must be prepared for it.

New features generally appear in the cloud services first, and the on-premises products might not receive certain features at all. For an on-premises service installation, a responsible update strategy requires testing and evaluation of new software releases and might require service downtime for the actual update deployments.

Cost

Cost is another decisive factor in the deployment of any of these services. Cloud-based services require the payment of a regular subscription fee, and sometimes there are additional fees for add-on features.

This enables an organization to implement a service with a minimal initial outlay, as there are no hardware costs or server licenses required. Fees for cloud-based services are predictable and simplify the process of budgeting.

Installing the equivalent on-premises service is a more complicated affair. An organization obviously first must purchase the server software license and the computers on which the software will run, as well as an operating system license and client access licenses for all the users. This can be a significant initial outlay.

Depending on the requirements of the organization, there might be additional costs as well that add to the initial outlay. Backing up data and storing it also adds to the cost. There are also the issues of fault tolerance and disaster recovery to consider. Most cloud-based services from Microsoft are supplied with a financially backed 99.9 percent uptime service level agreement. This means that the service will experience no more than 0.1 percent downtime, roughly 45 minutes in a 31-day month.

What infrastructure Microsoft uses to maintain that consistent performance is of no concern to the subscriber. To duplicate that performance level with on-premises servers will require redundant hardware and possibly even redundant data centers.

Not every organization requires this same level of consistent performance, but even a more modest uptime guarantee will increase the expenditure for an on-premises solution. Finally, there is the issue of the people needed to design, install, and maintain on-premises services. For example, deploying Exchange servers is not a simple matter of just installing the software and creating user accounts.

Depending on the size of the organization, multiple servers might be needed at each location, and the design and configuration process can require advanced skills.

These people will be an ongoing expense throughout the life of the service. This does not mean, however, that cloud-based services are always cheaper than on-premises servers. In the long term, cloud-based services can reach a point where they are more expensive.

Cloud service fees are ongoing and perpetual, and while expenditures for on-premises servers might begin with a large initial outlay, they can come down to a much lower level once the servers and the software have been purchased and deployed. A comparison of the relative costs also depends on the requirements of the organization and their existing infrastructure.

For a large enterprise that already maintains data centers in multiple locations with experienced personnel, deploying a new service in-house might be relatively affordable. For a newly formed company with no existing IT infrastructure, the initial outlay for an on-premises service might be unfeasible.

Administration

Compared to on-premises server administrators, who can work with server software controls directly, Microsoft 365 administrators work with cloud services using web-based remote interfaces. Through these interfaces, it is possible to manage configuration settings and create virtual resources, such as mailboxes and directory service objects. However, Microsoft 365 administrators do not have access to the underlying resources on which the services run. They cannot access the operating system of the computers on which their services are running, nor do they have direct access to the files and databases that form their service environments.

The web-based interfaces are not necessarily a drawback for all administrators. In addition, Microsoft maintains responsibility for those data structures, ensuring their availability and security. In an on-premises service deployment, it is up to the local administrators to replicate the data structures for availability and implement a load balancing solution to maintain a similar level of performance.

Here again, the differences between the two service environments depend on the experience and preferences of the people responsible for them. An experienced Exchange administrator might be wary of using a cloud-based Exchange implementation that would isolate them from the servers, the operating system, and the traditional Exchange controls.

An administrator relatively new to Exchange, however, might welcome the simplified access that the Exchange Online Admin Center provides.

Security

One of the most critical factors in the decision to use cloud-based or on-premises services is the location of sensitive data. For many organizations, the security of their data is not just a matter of their own benefit.

In some cases, contractual and legal constraints can make cloud-based data storage an impossibility. A company with a government contract, for example, might be required to maintain direct responsibility for their stored data; they cannot pass that responsibility on to a third-party cloud provider. However, in cases where there are no legal constraints, storing data in the cloud can provide protection equivalent to several different on-premises security products, which would require considerable maintenance and expense to implement for on-premises servers. Even then, the responsibility is shared: Microsoft secures the physical infrastructure and the service itself, while the subscriber remains responsible for its identities, its access configuration, and the classification of its own data.

Service comparisons

Not all the cloud services included in Microsoft 365 are available in on-premises versions.

Microsoft Teams and Microsoft Stream, for example, only exist as cloud services. However, some of the core Microsoft 365 services have existed as standalone server software products for years, and organizations planning a Microsoft 365 deployment might want to compare the cloud services to their corresponding on-premises versions, as in the following sections, before committing to one or the other.

Office

The Microsoft Office suite is a collection of productivity applications that has been available as a standalone product for many years. Office 365 was then introduced as a subscription-based product that enables users to access the same applications in several different ways.

In most of the Office 365 plans, it is still possible to install the applications on a computer for online or offline use, but they are also available in the cloud for use on any device, using a web browser. In addition, there are also non-Windows versions of the applications available for use on Android and iOS devices.

The standalone Office license is limited to a single device installation, while Office 365 enables you to install the applications on up to five devices. Free security updates to the current versions of the standalone applications are released on a regular basis, but not as frequently as the updates for Office 365, which can also include new features. In the event of a major upgrade release from one standalone version of Office to the next, there is an additional charge for the standalone product.

An Office 365 subscription ensures that you always have the latest version of the software. Office 365 is available in several versions targeted at different audiences, with differing price points.

Office 365 is available in several different plans that provide other services in addition to the applications, such as Exchange-based online email and extra OneDrive storage. The version included in Microsoft 365, called Office 365 ProPlus, is integrated with all the cloud services described earlier in this chapter, including Exchange Online, SharePoint Online, OneDrive for Business, and Teams.

The integration of the Office applications with these services provides users with advanced intelligence and collaboration features that are not available with the standalone Office product.

Exchange

All the issues described earlier in this section apply to a comparison of Exchange Online with the on-premises version of Exchange. An Exchange Server deployment can be an elaborate and expensive affair requiring multiple servers and extensive configuration, while administrators can have Exchange Online up and running in less than a day.

Exchange Online provides each user with 50 or 100 GB of mailbox storage, depending on the plan. Exchange Online also enables administrators to create Office 365 Groups, which enable users to work together with shared resources. This can be a valuable resource for administrators. For example, a technical support team can have its members added to an Office 365 Group.

Administrators then grant the group the permissions necessary to access a shared Exchange mailbox, a SharePoint team site, and other resources. When members enter or leave the group, the permissions to access those resources are automatically granted or revoked.

On Exchange Server, by default, user mailboxes exist on one server and are therefore vulnerable to hardware failures, system faults, and other disasters that can render them temporarily unavailable or even lead to data loss. For this reason, an enterprise Exchange deployment often requires additional servers to maintain duplicate mailboxes, a reliable backup strategy, and in some cases duplicate data centers, all of which add to the cost of the installation.

Exchange Online, by default, replicates mailbox databases across servers and data centers, ensuring the continuous availability of the service. This, too, is an issue that some Exchange administrators would prefer to address themselves, rather than leave it to a service provider, but the market for organizations that like the idea of a turnkey solution and are willing to trust cloud services is growing constantly. IT Note: Hybrid Service Deployments Another possible solution to the availability issues inherent in on-premises Exchange, SharePoint, and Active Directory implementations is for an organization to create a hybrid service deployment, using on-premises servers and cloud services together.

The cloud service can therefore function as an availability mechanism that might be more economical than creating redundant on-premises servers or data centers. When you replicate mailboxes, sites, or AD accounts to the cloud, they can take advantage of the security mechanisms that Microsoft provides. A hybrid deployment can also function as a migration mechanism for organizations that want to gradually move from on-premises services to cloud-based ones. The main advantages of the cloud version are the same as those of the other services: simplified deployment, automatic updating, data redundancy, web-based administration, and so forth.

product. New features, such as the Modern experience in site design, appear in SharePoint Online first. SharePoint Server includes features that enable it to work together with Microsoft cloud services. For example, administrators can redirect the MySites link in SharePoint Server to OneDrive for Business, so that users are directed to cloud storage rather than to the on-premises server. There is also a hybrid cloud search capability that causes an Office search to incorporate the index from an on-premises server into the standard cloud search.

After creating an AD DS domain controller out of a Windows server, administrators create a hierarchy of forests and domains and populate them with logical objects representing users, computers, applications, and other resources. With those objects, AD DS functions as an intermediary between users and network resources, providing authentication and authorization services when users attempt to access them.

Identity as a Service (IDaaS) mechanism that performs the same basic authentication and authorization functions for the Microsoft cloud services, but it does so in a different way. There are no forests or domains in Azure AD. After an organization subscribes to Microsoft (or any of the individual Microsoft cloud services), an administrator creates a tenant, using the Create Directory page, as shown in Figure. In Azure AD, a tenant is a logical construct that represents the entire organization.

Administrators of the tenant can then use the Azure portal to create user accounts and manage their properties, such as permissions and passwords. The accounts provide users with single sign-on capability for all the Microsoft services.

users outside of the enterprise or manage cloud-based services like those in Microsoft. Fortunately, this does not mean that it will be necessary to create duplicate user accounts in each of the directory services.

Microsoft provides a tool called Azure AD Connect that creates a link between the two and provides each user with a single hybrid identity that spans both on-premises and cloud-based services.

This provides the user with single sign-on capability for all applications and services.

Modern management

Modern management is a term that was coined by Microsoft but is rapidly being accepted throughout the IT industry. The traditional approach to IT device management consists of a paradigm in which all devices are owned, deployed, and managed by the enterprise IT department.

This management typically includes the following elements:

Deployment: IT administrators create and maintain system image files and deploy them on new computers using a management tool, such as System Center Configuration Manager (SCCM). Administrators must create and store separate images and drivers for each model of computer purchased and update them whenever the software configuration changes.

Updates: Administrators manage operating system and application updates, typically using an elaborate download, evaluation, and deployment process and a tool such as Windows Server Update Services (WSUS).

Identity: Active Directory is a database of identities and other network resources that provides authentication and authorization services for internal users, services, and applications.

Configuration: Administrators use Group Policy to deploy configuration settings to devices as they connect and log on to the internal network.

for a long time, and many IT professionals are extremely reluctant to abandon it, particularly when adopting a new modern management concept requires them to learn to use new tools and technologies.

The idea of users all working on enterprise-owned and managed devices located in a company site is rapidly becoming a relic of the past. Vast numbers of users are working outside the office using their own devices, such as laptops, tablets, and smartphones, which cannot be readily deployed, updated, and configured to the specifications of an IT department using traditional tools. The other motivation for modernizing IT management is the increased ubiquity of cloud-based applications in the enterprise.

As software manufacturers shift their marketing emphasis to the cloud, it is becoming increasingly difficult for IT administrators to provide the services their users need with traditional, on-premises applications and services.

proactive processes. Microsoft includes tools that do all these things, such as the following:

Deployment: Windows AutoPilot is a cloud-based service that eliminates the need for separate system images and SCCM and simplifies the process of deploying new computers by automating the installation, activation, and configuration of Windows.

Updates: The Windows as a Service update program provides Windows 10 workstations with regularly scheduled feature and quality updates that are applied automatically. Microsoft has also implemented technologies to reduce the size of the update downloads, mitigating the burden on networks and Internet connections.

Identity: Azure Active Directory moves user identities from the local network to the cloud, enabling administrators to manage them from anywhere and providing users with single sign-on capability to all cloud-based services and applications.

However, Intune can also replace Group Policy for configuring Windows 10 computers, because Windows 10 has been enhanced with hundreds of mobile device management (MDM) APIs that enable Intune and similar tools to control it through the cloud.

history with traditional management tools, can adapt to the new ones without any conflict between the two models.

However, when an organization has an existing infrastructure based on the traditional model, it must decide whether to change to modern management and how to do it. A transition to the modern management model requires new tools and also new skills for administrators. Microsoft has defined three approaches to a transition from traditional to modern management, as follows:

Big switch: In the big switch transition, an organization abandons all the traditional management tools and modalities and begins using modern management tools exclusively. While this might be a feasible option for a relatively small organization, large enterprises will likely find a sudden transition impractical.

Group-by-group: In a group-by-group transition, an organization classifies its users by department, location, or workload and converts one group of users at a time to the modern management environment. In many cases, the transition process will be determined by the applications users require and whether they can readily be managed from the cloud.

Co-management: The co-management model calls for administrators to maintain both the traditional and modern management paradigms for an extended period. This makes it possible for the organization to transition gradually from traditional applications and procedures to those that support modern management.

their traditional management model or that have applications and services that are not manageable using the modern tools.

Administrators can continue to use elements of their traditional, on-premises infrastructure, such as Active Directory Domain Services and System Center Configuration Manager, and gradually migrate to modern tools, such as Azure Active Directory and Microsoft Intune. The steps involved in a co-management transition (not necessarily in order) are as follows:

Begin using the Windows as a Service model in Windows 10 and Office ProPlus.

Transition from creating, maintaining, and deploying system images for Windows workstations to using Windows AutoPilot for cloud-based, zero-touch deployments.

Although it is possible to undertake them separately, all these tasks are incorporated into a Microsoft deployment.

Windows as a Service

With the Windows 10 release, Microsoft changed the way in which it generates and releases operating system updates.

Microsoft dubbed the new system Windows as a Service (WaaS); it is designed to reduce the burden on users and administrators. In the past, Microsoft released major Windows version upgrades every three to five years, large service packs in between those upgrades, and small updates every month.

The version upgrades were a major undertaking both for administrators and for users. Administrators had to reinstall the operating system on all their workstations, and users were faced with a different interface and new features. The Windows as a Service model eliminates the version upgrades.

Instead, there are feature updates twice a year and quality updates at least every month. The quality updates address security and reliability issues, while the feature updates add new functionality. Because the feature updates are more frequent than the previous major version upgrades, they spread out the update deployment process for administrators and do not represent as profound an interface and feature change to the users.

Windows Insider Channel: For users or organizations that want early access to updates for testing and the ability to provide feedback, there is the Windows Insider channel.

Long Term Servicing Channel: For devices with specialized functions in which continuity is essential, such as medical equipment, point-of-sale systems, and kiosks, there is the Long Term Servicing Channel, which receives feature updates only every two to three years; each of those releases is then supported by Microsoft for ten years.

Finally, the update goes into general release, which in a large enterprise typically consists of a pilot or test deployment, followed by a general production deployment to all workstations, as shown in Figure. For most of the Windows 10 editions, Microsoft services each feature update for eighteen months after its general release.

For the Windows 10 Enterprise and Education editions, the service period is 30 months.

FIGURE: Phases of a Windows 10 feature update release

The monthly quality updates in the old model took the form of many individual patches, which enterprise administrators had to evaluate and deploy individually. Many administrators chose to deploy only essential security fixes, leaving their workstations in a fragmented state.

It was only the infrequent service packs that incorporated all the previous patches and fully updated the workstations. Fragmented workstations made it difficult or impossible for Microsoft to accurately predict the result of future updates. The WaaS quality updates take the form of cumulative monthly releases that include all the latest security and reliability fixes. This leaves workstations in a fully patched state each month.

Therefore, Microsoft can test subsequent updates on a consistent platform, rather than having to be concerned about whether all the previous patches have been applied.

responsible for update deployment is the size of the semiannual feature updates. A 3 to 4 GB download for every workstation in a large enterprise fleet of hundreds or thousands of computers can easily overwhelm even a robust Internet connection. In addition, because quality updates are cumulative, they grow larger each month after the most recent feature update, ultimately reaching 1 GB or slightly more.

Microsoft has addressed this issue with a feature called Express Updates, which generates differential downloads for workstations based on the updates they already have installed. A differential download contains only the files that the workstation needs. Express Updates can reduce a quality update to — MB on a computer that is already up to date.

It is also possible to reduce the burden on Internet connections by using peer-to-peer features, such as BranchCache and Delivery Optimization.

Using the Microsoft portals

Because Microsoft consists mostly of cloud-based services, administrators use web-based controls to manage them and users can use web-based portals to access them.

products, so they have their own administrative portals, called Admin Centers. However, the Microsoft Admin Center is the main administrative portal for the product, and it provides access to all the individual portals as well.

Administrators can place their most frequently used controls on the Home page by dragging items from the navigation menu to the right pane to add more cards.

The navigation pane contains menus for control categories, with drop-down menus for specific control types.

The categories are as follows:

Users: Enables administrators to create, manage, and delete user accounts. By assigning licenses to accounts, administrators grant users access to Office or other applications and services. Assigning administrative roles to users grants them privileges to access certain additional controls.

Devices: Enables administrators to add new devices, individually or in bulk, such as smartphones and tablets; create policies for securing the devices; and manage individual devices by resetting them, removing corporate data, or removing them entirely.

Groups: Enables administrators to create various types of groups, including Office, security, mail-enabled security, and distribution list groups; assign owners to them; and configure privacy settings. They can also create shared mailboxes for access by all members of a specific group.

Resources: Enables administrators to create and configure rooms and equipment for assignment to meetings and create SharePoint sites and collections. Full control over SharePoint is provided by the SharePoint Online Admin Center, but this interface can control site sharing and remove external users.

Billing: Enables administrators to purchase additional Microsoft applications and services, manage product subscriptions, monitor available product licenses, and manage invoices and payments.

Support: Enables administrators to find solutions to common Microsoft problems and create and view requests for service from Microsoft technicians.

partner relationships.

Setup: Enables administrators to monitor their Microsoft products and manage the licenses for those products, purchase or add Internet domains, and migrate data from outside email providers into Microsoft accounts.

Reports: Enables administrators to generate various reports, such as email activity, active users, and SharePoint site usage, over intervals ranging from 7 to days. Reports like these can indicate who is using the Microsoft services heavily, who is close to reaching storage quotas, and who might not need a license at all.

Health: Enables administrators to monitor the operational health of the various Microsoft services, read any incident and advisory reports that have been generated, and receive messages about product update availability and other topics.

Admin Centers: Enables administrators to open new windows containing the admin centers for the other services provided in Microsoft, including Security, Compliance, Azure Active Directory, Exchange, SharePoint, and Teams.

Note: Microsoft Admin Center

Because the admin centers for the Microsoft services are web-based, the product developers can easily modify them and add features as they become available without interrupting their users. Beginning in early , Microsoft made a new design for the Microsoft Admin Center the default and added a control in the upper-right corner that enables users to switch between the previous design and the new one at will.

The figures of the admin center controls in this book are taken from the new design as it exists at the time of writing. Design and feature changes might have been introduced since the time of publication. After signing on using the email address created by the administrator as part of the user account, the Office portal appears, as shown in Figure. Along with the applications, additional icons provide access to the cloud-based services included with a Microsoft license, including OneDrive, OneNote, SharePoint, Teams, and Yammer.

Adding users to groups can cause the icon to provide access to a team site instead. Clicking the Teams icon for the first time opens a page that invites the user to download the Teams app or use the web-based Teams client instead. After that, the web client appears by default. If the user has been granted global administrator privileges, an additional Admin icon appears in the portal, which provides the user with access to the Microsoft Admin Center.

the Office productivity applications on up to five systems.

This is the only way for an Office user to run the Access and Publisher applications because there are no web-based versions of these. However, the process of deploying Microsoft is not just a matter of obtaining licenses for these three products and installing them. The ways in which the Microsoft components work together to provide intelligent management, security, and collaboration require that the deployment be undertaken as an integrated process.

The complexity of a Microsoft enterprise deployment depends on the size of the existing enterprise and the applications running on it. Microsoft has defined three Microsoft deployment strategies:

FastTrack for Microsoft: FastTrack is a benefit included as part of a Microsoft Enterprise subscription that provides ongoing support from Microsoft personnel, including a FastTrack manager, an engineer, and a migration engineer.

Third-party services: Microsoft partners and consulting services can provide help with a Microsoft deployment at many levels, ranging from complete control of the operation to occasional support.

FIGURE: The Microsoft Enterprise deployment model

The Microsoft Enterprise deployment guide breaks the foundation infrastructure, sometimes referred to as a core deployment, into six phases, as described in the following sections.

Each phase is divided into steps and concludes with exit criteria that must be met before the foundation infrastructure deployment can be considered complete. For an existing enterprise that is already using some of the Microsoft components, some of the exit criteria might have already been met, and the six phases do not have to be followed in an unbroken sequence.

Administrators can approach the phases in any order that they find practical, as long as they eventually meet the exit criteria for each phase.

Phase 1: Networking

The Networking phase is intended to ensure that all Microsoft clients have sufficient Internet connectivity to access the cloud resources they require on a regular basis.

bandwidth, however. The Microsoft Global Network provides endpoints to its cloud services all over the world, and for Microsoft clients to function efficiently, they should have access to the closest possible endpoint. Many enterprise networks were designed and constructed at a time when the proximity of the Internet connection was not a priority. It was common for Internet traffic at remote sites to be routed over a backbone network to a central location that provided the actual Internet access.

This can result in a significant amount of network latency, which can have a negative effect on Microsoft performance.

The clients should therefore also utilize a geographically local DNS server for their outbound Internet traffic. For an enterprise that has a centralized Internet access infrastructure, the organization should take the steps necessary to reroute the Internet traffic so that each client is directed to the Microsoft endpoint that is geographically closest to its location.

In a large enterprise with many remote sites, this can be a substantial undertaking, one that might play a role in the decision whether to adopt Microsoft in the first place.

Microsoft also recommends that enterprise networks avoid using protection mechanisms, such as proxy servers and packet inspection, for Microsoft traffic. Duplicating this protection at the enterprise end can also have a negative effect on Microsoft performance. To bypass these local protection mechanisms, it is necessary for browsers, firewalls, and other components to identify Microsoft traffic and process it differently from other types of Internet traffic. In practice, that means the bypass should be scoped to the Microsoft service endpoints themselves, so that the rest of the organization's Internet traffic still passes through the proxy and inspection controls.

This view helps the threat analyst to determine priority, urgency, and the corresponding response strategy to deploy based on context.

Alerts: Indicates the number of alerts associated with or part of the incidents.

Machines: You can limit the view to show only the machines at risk that are associated with incidents.

Users: You can limit the view to show only the users of the machines at risk that are associated with incidents.

Assigned to: You can choose to show unassigned incidents or those that are assigned to you.

Status: You can choose to limit the list of incidents shown based on their status, to see which ones are active or resolved.

Classification: Use this filter to choose between focusing on incidents flagged as true or false incidents.

You can manage incidents by selecting an incident from the Incidents queue or the Incidents management pane.

You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. Selecting an incident from the Incidents queue brings up the Incident management pane, where you can open the incident page for details.

Assign incidents: If an incident has not been assigned yet, you can select Assign to me to assign the incident to yourself. Doing so assumes ownership of not just the incident but also all the alerts associated with it.

Change the incident status: You can categorize incidents as Active or Resolved by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents. For example, your SOC analyst can review the urgent Active incidents for the day and decide to assign them to themselves for investigation. Alternatively, your SOC analyst might set the incident as Resolved if the incident has been remediated.

Classify the incident: You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.

Rename incident: By default, incidents are assigned numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.

Add comments and view the history of an incident: You can add comments and view historical events about an incident to see previous changes made to it. Whenever a change or comment is made to an alert, it is recorded in the Comments and history section. Added comments instantly appear on the pane.

Analyze incident details: Click an incident to see the Incident pane. Select Open incident page to see the incident details and related information (alerts, machines, investigations, evidence, graph).

Alerts: You can investigate the alerts and see how they were linked together in an incident. For more information, see Investigate alerts.

Machines: You can also investigate the machines that are part of, or related to, a given incident. For more information, see Investigate machines.

Going through the evidence: Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident. Each of the analyzed entities will be marked as infected, remediated, or suspicious.

Visualizing associated cybersecurity threats: Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.

Incident graph: The graph tells the story of the cybersecurity attack. For example, it shows you what the entry point was and which indicator of compromise or activity was observed on which machine.

The Alerts queue shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.

There are several options you can choose from to customize the alerts queue view. On the top navigation you can:

Select grouped view or list view
Customize columns to add or remove columns
Select the items to show per page
Navigate between pages
Apply filters

Sort, filter, and group the alerts queue: You can apply the following filters to limit the list of alerts and get a more focused view of the alerts.

These alerts indicate a high risk due to the severity of damage they can inflict on machines.

Informational (grey): Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.

The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware) and is assigned based on the potential risk to the individual machine, if infected. The Windows Defender ATP alert severity represents the severity of the detected behavior: the actual risk to the machine but, more importantly, the potential risk to the organization.

So, for example: The severity of a Windows Defender ATP alert about a threat that Windows Defender AV detected and completely prevented, so that it did not infect the machine, is categorized as "Informational" because no actual damage was incurred. An alert about commercial malware that was detected while executing but was blocked and remediated by Windows Defender AV is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.

An alert about malware detected while executing that can pose a threat not only to the individual machine but to the organization, regardless of whether it was eventually blocked, may be ranked as "Medium" or "High". Suspicious behavioral alerts that were not blocked or remediated will be ranked "Low", "Medium", or "High" following the same organizational threat considerations.

Status: You can choose to limit the list of alerts based on their status.

Investigation state: Corresponds to the automated investigation state.

Assigned to: You can choose between showing alerts that are assigned to you or to automation.

Detection source: Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts managed hunting service.

OS platform: Limit the alerts queue view by selecting the OS platform that you're interested in investigating.

Associated threat: Use this filter to focus on alerts that are related to high-profile threats. You can see the full list of high-profile threats in Threat analytics.

Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the Security operations dashboard, and you can access all alerts in the Alerts queue.
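Returning to the severity rules described under the Severity filter above: the point worth internalizing is that the ATP alert severity is derived from what actually happened (was the payload prevented, did it run, was it cleaned up, does it threaten more than one machine), not from the AV's rating of the malware itself. The following is an added example, not code from the page or from Windows Defender ATP, that encodes those rules as a small Python triage function and orders a queue by the result. The detection names are constructed placeholders, and the three-step organizational threat scale ("none", "moderate", "severe") with its mapping to Medium and High is an assumption, since the text gives no concrete scale.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Severity(str, Enum):
    """Scale shared by the Windows Defender AV threat severity and the ATP alert severity."""
    INFORMATIONAL = "Informational"
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


# Assumed three-step scale for the "potential risk to the organization"; the page says
# only that organizational threat is what lifts an alert to Medium or High.
ORG_THREAT_TO_SEVERITY = {"moderate": Severity.MEDIUM, "severe": Severity.HIGH}


@dataclass(frozen=True)
class Detection:
    name: str
    executed: bool                      # payload ran before AV acted (False = prevented outright)
    remediated: bool                    # AV quarantined or removed it
    organizational_threat: str          # "none" | "moderate" | "severe" (assumed scale)
    behavioral: bool = False            # behavior-based alert rather than an AV file detection
    av_threat_severity: Optional[Severity] = None   # AV's rating of the malware itself, if any


def atp_alert_severity(d: Detection) -> Severity:
    """ATP alert severity derived from what happened, not from the AV threat severity."""
    if not d.behavioral and not d.executed:
        # Completely prevented: no damage to the machine, so Informational even when
        # the AV rates the malware itself as High.
        return Severity.INFORMATIONAL
    if d.organizational_threat in ORG_THREAT_TO_SEVERITY:
        # Risk to the organization outranks whether AV eventually blocked it.
        return ORG_THREAT_TO_SEVERITY[d.organizational_threat]
    # Commercial malware that ran and was cleaned up, or an unblocked behavioral alert,
    # that endangers only this one machine.
    return Severity.LOW


_RANK = {Severity.HIGH: 0, Severity.MEDIUM: 1, Severity.LOW: 2, Severity.INFORMATIONAL: 3}


def queue_order(detections: List[Detection]) -> List[Detection]:
    """The order an analyst wants in the queue: highest ATP alert severity first."""
    return sorted(detections, key=lambda d: _RANK[atp_alert_severity(d)])


# Constructed sample detections; the names are placeholders, not real telemetry.
PREVENTED = Detection("Trojan:Win32/Sample.A", executed=False, remediated=True,
                      organizational_threat="none", av_threat_severity=Severity.HIGH)
COMMERCIAL = Detection("Adware:Win32/Sample.B", executed=True, remediated=True,
                       organizational_threat="none", av_threat_severity=Severity.LOW)
ORG_MALWARE = Detection("Ransom:Win32/Sample.C", executed=True, remediated=True,
                        organizational_threat="severe", av_threat_severity=Severity.HIGH)
BEHAVIORAL = Detection("Suspicious PowerShell command line", executed=True,
                       remediated=False, organizational_threat="moderate", behavioral=True)
SAMPLE_DETECTIONS = [PREVENTED, COMMERCIAL, ORG_MALWARE, BEHAVIORAL]


if __name__ == "__main__":
    for d in queue_order(SAMPLE_DETECTIONS):
        av = d.av_threat_severity.value if d.av_threat_severity else "n/a"
        print(f"ATP {atp_alert_severity(d).value:<13} AV {av:<6} {d.name}")
```

Note the first sample: the AV rates the trojan as High, yet because it never executed the ATP alert is Informational, which is exactly the divergence the text describes. The ransomware sample comes out High even though AV remediated it, because the organizational threat is what the ATP severity weighs.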

You can manage alerts by selecting an alert in the Alerts queue or in the Alerts related to this machine section of the machine details view. Selecting an alert in either of those places brings up the Alert management pane.

Link to another incident: You can create a new incident from the alert or link it to an existing incident.

Assign alerts: If an alert is not yet assigned, you can select Assign to me to assign the alert to yourself.

Suppress alerts: There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous, such as known tools or processes in your organization. Suppression rules can be created from an existing alert.

They can be disabled and re-enabled if needed. When a suppression rule is created, it takes effect from the point when the rule is created. The rule will not affect existing alerts already in the queue prior to the rule creation. The rule will only be applied to alerts that satisfy the conditions set after the rule is created. There are two contexts for a suppression rule that you can choose from:

Suppress alert on this machine
Suppress alert in my organization

The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.

You can use the examples in the following table to help you choose the context for a suppression rule:

Context: Suppress alert on this machine
Definition: Alerts with the same alert title and on that specific machine only will be suppressed.
Examples: A security researcher is investigating a malicious script. A developer regularly creates PowerShell scripts for their team.

Context: Suppress alert in my organization
Definition: Alerts with the same alert title on any machine will be suppressed.
Examples: A benign administrative tool is

Suppress an alert and create a new suppression rule: Create custom rules to control when alerts are suppressed or resolved. You can control the context for when an alert is suppressed by specifying the alert title, the indicator of compromise, and the conditions.

1. Select the alert you'd like to suppress. This brings up the Alert management pane.
2. Select Create a suppression rule. You can create a suppression rule based on the following attributes: file hash; file name (wildcard supported); file path (wildcard supported); IP; URL (wildcard supported).
3. Select the Triggering IOC.
4. Specify the action and scope on the alert. You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the Resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both from the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group.
5. Enter a rule name and a comment.
6. Click Save.

View the list of suppression rules: The list of suppression rules shows all the rules that users in your organization have created. For more information on managing suppression rules, see Manage suppression rules.
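To make the suppression semantics above concrete, here is an added example (not code from the page or from Windows Defender ATP) that models a suppression rule as a Python matcher: a rule carries an alert title, one triggering IOC (file hash, file name, file path, IP, or URL, with wildcards only where the text allows them), a scope (this machine, a machine group, or the whole organization), an action (auto-resolve or hide) and a creation time, and it is applied only to alerts that arrive after it was created. The rules, alerts, machine names, paths and hash values are all constructed for the example, and the case-insensitive glob matching for wildcards is an assumption about how the portal compares paths.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass
class Alert:
    id: str
    title: str
    machine: str
    machine_group: str
    created: datetime
    file_hash: str = ""
    file_name: str = ""
    file_path: str = ""
    ip: str = ""
    url: str = ""
    status: str = "New"      # New | In Progress | Resolved
    hidden: bool = False     # hidden: gone from the queue, the machine page and the dashboard

@dataclass
class SuppressionRule:
    name: str
    alert_title: str
    ioc_type: str            # file_hash | file_name | file_path | ip | url
    ioc_value: str           # wildcards allowed for file_name, file_path and url
    scope: str               # machine | machine_group | organization
    action: str              # resolve | hide
    created: datetime
    scope_target: str = ""   # machine or group name for the two narrower scopes
    enabled: bool = True     # rules can be disabled and re-enabled

WILDCARD_TYPES = {"file_name", "file_path", "url"}

def ioc_matches(rule: SuppressionRule, alert: Alert) -> bool:
    value = getattr(alert, rule.ioc_type)
    if not value:
        return False
    if rule.ioc_type in WILDCARD_TYPES:
        # Case-insensitive glob (assumed); '*' also spans path separators, so
        # C:\Users\*\scripts\*.ps1 covers every user's scripts folder.
        return fnmatchcase(value.lower(), rule.ioc_value.lower())
    return value.lower() == rule.ioc_value.lower()   # hashes and IPs must match exactly

def rule_applies(rule: SuppressionRule, alert: Alert) -> bool:
    if not rule.enabled or alert.created < rule.created:
        return False   # a rule never touches alerts already in the queue when it was created
    if alert.title != rule.alert_title:
        return False   # suppression is keyed on the alert title
    if rule.scope == "machine" and alert.machine != rule.scope_target:
        return False
    if rule.scope == "machine_group" and alert.machine_group != rule.scope_target:
        return False
    return ioc_matches(rule, alert)

def apply_suppression_rules(alerts: List[Alert], rules: List[SuppressionRule]) -> Dict[str, str]:
    """Apply the first matching rule to each alert and report alert id -> outcome."""
    outcome: Dict[str, str] = {}
    for alert in alerts:
        rule = next((r for r in rules if rule_applies(r, alert)), None)
        if rule is None:
            outcome[alert.id] = "surfaced"
        elif rule.action == "hide":
            alert.hidden = True
            outcome[alert.id] = "hidden"
        else:
            alert.status = "Resolved"   # still visible, in the Resolved section of the queue
            outcome[alert.id] = "resolved"
    return outcome

def queue_view(alerts: List[Alert]) -> List[str]:
    """Alert ids the Alerts queue still shows: everything except hidden alerts."""
    return [a.id for a in alerts if not a.hidden]

def _at(month: int, day: int) -> datetime:
    return datetime(2019, month, day, tzinfo=timezone.utc)

# Constructed rules and alerts; names, paths and the hash are placeholders.
SAMPLE_RULES = [
    SuppressionRule("Dev scripts on ws-dev01", "Suspicious PowerShell command line", "file_path",
                    r"C:\Users\*\scripts\*.ps1", "machine", "resolve", _at(3, 1), scope_target="ws-dev01"),
    SuppressionRule("Approved admin tool", "Use of a remote administration tool", "file_hash",
                    "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333", "organization", "hide", _at(3, 1)),
]
SAMPLE_ALERTS = [
    Alert("da-1", "Suspicious PowerShell command line", "ws-dev01", "Developers", _at(2, 28),
          file_path=r"C:\Users\jdoe\scripts\deploy.ps1"),      # predates the rule
    Alert("da-2", "Suspicious PowerShell command line", "ws-dev01", "Developers", _at(3, 2),
          file_path=r"C:\Users\jdoe\scripts\deploy.ps1"),      # matches, on the scoped machine
    Alert("da-3", "Suspicious PowerShell command line", "ws-fin07", "Finance", _at(3, 2),
          file_path=r"C:\Users\asmith\scripts\run.ps1"),       # same IOC, wrong machine
    Alert("da-4", "Use of a remote administration tool", "ws-fin07", "Finance", _at(3, 3),
          file_hash="aaaabbbbccccddddeeeeffff0000111122223333"),   # org-wide hide
    Alert("da-5", "Use of a remote administration tool", "srv-01", "Servers", _at(3, 3),
          file_hash="0123456789abcdef0123456789abcdef01234567"),   # different hash
]
```

Calling `apply_suppression_rules(SAMPLE_ALERTS, SAMPLE_RULES)` resolves da-2 only: da-1 carries the same path on the same machine but predates the rule, and da-3 is on a machine outside the rule's scope. The hash rule hides da-4 everywhere, so `queue_view` no longer lists it, while the resolved da-2 remains visible. Keep the ordering of rules deliberate: the first matching rule wins, so a broad organization-wide rule placed before a machine-scoped one will always take precedence.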

Change the status of an alert You can categorize alerts as New, In Progress, or Resolved by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.

For example, a team leader can review all New alerts and decide to assign them to the In Progress queue for further analysis. Alternatively, the team leader might assign the alert to the Resolved queue if they know the alert is benign, is coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.

Alert classification You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. This classification is used to monitor alert quality, and make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification. Add comments and view the history of an alert You can add comments and view historical events about an alert to see previous changes made to the alert.

Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. Click an alert to see the alert details view and the various tiles that provide information about the alert. You can also manage an alert and see alert metadata along with other information that can help you make better decisions on how to approach them.

You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see Automated investigations. The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane.

The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. For more information about managing alerts, see Manage alerts. The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. You can click on the machine link from the alert view to navigate to the machine.

If the alert appeared more than once on the machine, the latest occurrence will be displayed in the Machine timeline. Alerts attributed to an adversary or actor display a colored tile with the actor's name. Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and procedures (TTPs), and areas where they've been observed worldwide.

You will also see a set of recommended actions to take. Some actor profiles include a link to download a more comprehensive threat intelligence report. The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.

Alert process tree
The Alert process tree takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. The Alert process tree expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.

Clicking in the circle immediately to the left of the indicator displays its details. The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page — while remaining on the alert page, so you never leave the current context of your investigation.

Incident graph
The Incident Graph provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence, expanding to show other machines in the organization where the triggering evidence was also observed.

You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.

Artifact timeline
The Artifact timeline feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier, without triggering an alert.

Selecting an alert detail brings up the Details pane, where you'll be able to see more information about the alert such as file details, detections, and instances of it observed worldwide and in the organization.

Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.

You can investigate files by using the search feature, clicking on a link from the Alert process tree, Incident graph, Artifact timeline, or from an event listed in the Machine timeline.

You can get information from the following sections in the file view:
- File details, Malware detection, Prevalence worldwide
- Deep analysis
- Alerts related to this file
- File in organization
- Most recent observed machines with file

File worldwide and Deep analysis
The file details, malware detection, and prevalence worldwide sections display various attributes about the file. For more information on how to take action on a file, see Take response action on a file.

You'll also be able to submit a file for deep analysis.

Alerts related to this file
The Alerts related to this file section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.

File in organization
The File in organization section provides details on the prevalence of the file, its prevalence in email inboxes, and the name observed in the organization.

Most recent observed machines with the file
The Most recent observed machines with the file section allows you to specify a date range to see which machines have been observed with the file.

This allows for greater accuracy in defining entities to display, such as if and when an entity was observed in the organization.

Investigate machines
Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach. You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
- The Machines list
- The Alerts queue
- The Security operations dashboard
- Any individual alert
- Any individual file details view
- Any IP address or domain details view

When you investigate a specific machine, you'll see:
- Machine details, Logged on users, Machine risk, and Machine reporting
- Alerts related to this machine
- Machine timeline

The machine details, logged on users, machine risk, and machine reporting sections display various attributes about the machine.

Machine details
The machine details tile provides information such as the domain and OS of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.

For more information on how to take action on a machine, see Take response action on a machine.

Logged on users
Clicking on the logged on users in the Logged on users tile opens the Users Details pane, which displays the following information for logged on users in the past 30 days:
- Interactive and remote interactive logins
- Network, batch, and system logins

You'll also see details such as logon types for each user account, the user group, and when the account logon occurred. For more information, see Investigate user entities.

Machine risk
The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels.

You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. The risk level is also an indicator of the active threats that machines could be exposed to.

Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page, where more information about the alerts is provided.

For more information on how to enable advanced features, see Turn on advanced features.

Machine reporting
The Machine reporting tile shows when the machine was first and last seen reporting to the service.

Alerts related to this machine
The Alerts related to this machine section provides a list of alerts that are associated with the machine.

This list is a filtered version of the Alerts queue, and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. You can also choose to highlight an alert from the Alerts related to this machine or from the Machine timeline section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting Select and mark events.

This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by Detections, Behaviors, or Verbose.

Machine timeline
The Machine timeline section provides a chronological view of the events and associated alerts that have been observed on the machine. This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period.

Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and displays the process tree flow in the Machine timeline. This gives you better context of the behavior, which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.

Search for specific events
Use the search bar to look for specific timeline events.

This search supports defined search queries based on type:value pairs. Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed.

Firewall covers the following events:
- firewall service stopped
- application blocked from accepting incoming connections on the network
- blocked connection

User account: click the drop-down button to filter the machine timeline by the following user-associated events:
- Logon users
- System
- Network
- Local service

The following example illustrates the use of a type:value pair. The events were filtered by searching for the user jonathan. The results in the timeline only show network communication events run in the defined user context.
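The type:value search described above, as an added example that is not code from the Windows Defender ATP product: a small Python filter over a constructed timeline. The pair keys (user, type), the event-type names and the sample events are assumptions made for this illustration, not the portal's real schema.

```python
"""Added example (not Windows Defender ATP code): a filter that mimics the
Machine timeline search of free text plus type:value pairs.  The pair keys
(user, type), the event-type names and the sample events are assumptions
constructed for this illustration, not the portal's real schema."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class TimelineEvent:
    time: datetime
    event_type: str   # assumed names: Process, File, Network, Firewall
    user: str         # account context the event ran under
    process: str      # process that generated the event
    detail: str       # file path, remote address, or firewall description


# Constructed sample timeline for one machine (not real telemetry).
SAMPLE_TIMELINE = [
    TimelineEvent(datetime(2018, 9, 3, 9, 12), "Process", "jonathan",
                  "winword.exe", "opened invoice.docm"),
    TimelineEvent(datetime(2018, 9, 3, 9, 13), "Process", "jonathan",
                  "powershell.exe", "child of winword.exe"),
    TimelineEvent(datetime(2018, 9, 3, 9, 13), "Network", "jonathan",
                  "powershell.exe", "203.0.113.7:443"),
    TimelineEvent(datetime(2018, 9, 3, 9, 14), "File", "jonathan",
                  "powershell.exe", r"C:\Users\jonathan\AppData\Local\Temp\update.exe"),
    TimelineEvent(datetime(2018, 9, 3, 9, 15), "Firewall", "SYSTEM",
                  "mpssvc", "firewall service stopped"),
    TimelineEvent(datetime(2018, 9, 3, 9, 16), "Network", "SYSTEM",
                  "svchost.exe", "198.51.100.20:80"),
]


def parse_query(query):
    """Split 'update.exe user:jonathan type:network' into free text and a {key: value} map.

    Any token containing ':' is a type:value pair; everything else is free text
    matched against the process name and event detail.  Matching is case-insensitive.
    """
    free_text, pairs = [], {}
    for token in query.split():
        if ":" in token:
            key, value = token.split(":", 1)
            pairs[key.lower()] = value.lower()
        else:
            free_text.append(token.lower())
    return " ".join(free_text), pairs


def filter_timeline(events, query, until=None):
    """Return the events matching the query, newest first.

    `until` mirrors the date slider: when given, only events at or before that
    time are returned (the slider shows events from the chosen date and older).
    """
    free_text, pairs = parse_query(query)
    matches = []
    for ev in events:
        if until is not None and ev.time > until:
            continue
        haystack = (ev.process + " " + ev.detail).lower()
        if free_text and free_text not in haystack:
            continue
        if "user" in pairs and ev.user.lower() != pairs["user"]:
            continue
        if "type" in pairs and ev.event_type.lower() != pairs["type"]:
            continue
        matches.append(ev)
    return sorted(matches, key=lambda e: e.time, reverse=True)


if __name__ == "__main__":
    # Same filter as the page's example: network events in the user jonathan's context.
    for ev in filter_timeline(SAMPLE_TIMELINE, "user:jonathan type:network"):
        print(ev.time.isoformat(), ev.event_type, ev.process, ev.detail)
```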

Filter events from a specific date
Use the time-based slider to filter events from a specific date. Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older. The slider is helpful when you're investigating a particular alert on a machine.

You can navigate from the Alerts view and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.

Export machine timeline events
You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to seven days of data and specify the exact time between the two dates.

You can choose to display 20, 50, or events per page. You can also move between pages by clicking Older or Newer. From the Machines list, you can also navigate to the file, IP, or URL view, and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event timeline.

From the list of events that are displayed in the timeline, you can examine the behaviors or events to help identify indicators of interest, such as files and IP addresses, and determine the scope of a breach.

You can then use the information to respond to events and keep your system secure. You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.

Expand an event to view associated processes related to the event. This action brings up the Details pane, which includes the execution context of processes, network communications, and a summary of metadata on the file or IP address. It lets you focus on the task of tracing associations between attributes without leaving the current context.

Examine possible communication between your machines and external Internet Protocol (IP) addresses.

Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as command and control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.

IP in organization
The IP in organization section provides details on the prevalence of the IP address in the organization.

Most recent observed machines with IP
The Most recent observed machines with IP section provides a chronological view of the events and associated alerts that were observed on the IP address.

Investigate an external IP:
1. Select IP from the Search bar drop-down menu.
2. Enter the IP address in the Search field.
3. Click the search icon or press Enter.
4. Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP address (during a selectable time period), and the machines in the organization that were observed communicating with this IP address.

NOTE: Search results will only be returned for IP addresses observed in communication with machines in the organization. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication, and the last date observed. Clicking any of the machine names will take you to that machine's view, where you can continue investigating reported alerts, behaviors, and events.

Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. You can investigate a domain by using the search feature or by clicking on a domain link from the Machine timeline.

Investigate a domain:
1. Select URL from the Search bar drop-down menu.
2. Enter the URL in the Search field.
3. Details about the URL are displayed.

Note: search results will only be returned for URLs observed in communications from machines in the organization. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication, and the last date observed.

Investigate user account entities
Identify user accounts with the most active alerts (displayed on the dashboard as "Users at risk") and investigate cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. You can find user account information in the following views:
- Dashboard
- Alert queue
- Machine details page

A clickable user account link is available in these views that will take you to the user account details page, where more details about the user account are shown.

When you investigate a user account entity, you'll see:
- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)

User details
The user account entity details, Azure ATP alerts, and logged on machines sections display various attributes about the user account. The user entity tile provides details about the user such as when the user was first and last seen.

Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for Business integration, you'll be able to contact the user from the portal.

Azure Advanced Threat Protection
If you have enabled the Azure ATP feature and there are alerts related to the user, you can click on the link that will take you to the Azure ATP page, where more information about the alerts is provided.

The Azure ATP tile also provides details such as the last AD site, total group memberships, and login failures associated with the user.

Logged on machines
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.

Alerts related to this user
This section provides a list of alerts that are associated with the user account.

This list is a filtered view of the Alert queue, and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.

Observed in organization
This section allows you to specify a date range to see a list of machines where this user was observed logged on, and the most frequent and least frequent logged on user account on each of these machines. The machine health state is displayed in the machine icon and color as well as in a description text.

Clicking on the icon displays additional details regarding machine health.

Search for specific user accounts
1. Select User from the Search bar drop-down menu.
2. Enter the user account in the Search field.
3. A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.

Machines list
The Machines list shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days. At a glance you'll see information such as domain, risk level, OS platform, and other details. There are several options you can choose from to customize the machines list view. On the top navigation you can:
- Customize columns to add or remove columns
- Export the entire list in CSV format
- Select the items to show per page
- Navigate between pages
- Apply filters

Use the machine list in these main scenarios:

During onboarding
During the onboarding process, the Machines list is gradually populated with machines as they begin to report sensor data.

Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, Active malware category, or Sensor health state, or download the complete endpoint list as a CSV file for offline analysis.

It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.

Day-to-day work
The list enables easy identification, at a glance, of the machines most at risk.

High-risk machines have the greatest number of alerts and the highest-severity alerts. Sorting machines by Active alerts helps identify the most vulnerable machines and take action on them.

Sort and filter the machine list
You can apply the following filters to limit the list of alerts and get a more focused view.

Risk level
Machine risk levels are indicators of the active threats that machines could be exposed to. A machine's risk level is determined using the number of active alerts and their severity levels.

OS Platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.

Health state
Filter the list to view specific machines grouped together by the following machine health states:
- Active — Machines that are actively reporting sensor data to the service.

- Misconfigured — Machines that have impaired communications with the service or are unable to send sensor data. Misconfigured machines can further be classified to:
  - No sensor data
  - Impaired communications
  For more information on how to address issues on misconfigured machines, see Fix unhealthy sensors.
- Inactive — Machines that have completely stopped sending signals for more than 7 days.

Security state
Filter the list to view specific machines that are well configured or require attention based on the Windows Defender security controls that are enabled in your organization.

- Well configured - Machines have the Windows Defender security controls well configured.
- Requires attention - Machines where improvements can be made to increase the overall security posture of your organization.

For more information, see View the Secure Score dashboard.

Tags
You can filter the list based on the grouping and tagging that you've added to individual machines.

Add tags on machines to create a logical group affiliation. Machine group affiliation can represent geographic location, specific activity, importance level, and others. You can create machine groups in the context of role-based access control (RBAC) to control who can take specific actions or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see Manage portal access using role-based access control.

You can also use machine groups to assign specific remediation levels to apply during automated investigations. For more information, see Create and manage machine groups. In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.

Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. You can add tags on machines in the following ways:
- By setting a registry key value
- By using the portal

You can limit the machines in the list by selecting the Tag filter on the Machines list.

Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.

NOTE: The device tag is part of the machine information report that's generated once a day.

As an alternative, you can restart the endpoint, which transfers a new machine information report.

Add machine tags using the portal
Dynamic context capturing is achieved using tags.

After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.

1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
   - Security operations dashboard - Select the machine name from the Top machines with active alerts section.
   - Alerts queue - Select the machine name beside the machine icon from the alerts queue.
   - Machines list - Select the machine name from the list of machines.
   - Search box - Select Machine from the drop-down menu and enter the machine name.
   You can also get to the alert page through the file and IP views.
2. Open the Actions menu and select Manage tags.
3. Enter tags on the machine.
4. Click Save and close.

Tags are added to the machine view and will also be reflected on the Machines list view. You can then use the Tags filter to see the relevant list of machines.

Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.

By default, the machine timeline is set to display the events of the current day. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes.

You can take response actions on machines and files to quickly respond to detected attacks, so that you can contain the attack and reduce or prevent further damage caused by malicious attackers in your organization.

- Take response actions on a machine: Isolate machines or collect an investigation package.
- Take response actions on a file: Stop and quarantine files or block a file from your network.

Take response actions on a machine
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.

For non-Windows platforms, response capabilities such as machine isolation are dependent on third-party capabilities.

Collect investigation package from machines
As part of the investigation or response process, you can collect an investigation package from a machine.

By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.

You can download the package Zip file and investigate the events that occurred on a machine. The package contains the following folders:

- Installed programs: This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine.
- Provides the ability to look for suspicious connectivity made by a process.
- ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack. This can help in identifying suspicious connections.
- Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
- Prefetch files: Windows Prefetch files are designed to speed up the application startup process. They can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.
- Processes: Contains a .CSV file listing the running processes, which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state.
- Scheduled tasks: Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically.
- Security event log: Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
- Services: Contains the services.
- Windows Server Message Block (SMB) sessions: Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.
- This can help to track suspicious files that an attacker may have dropped on the system.
- Users and Groups: Provides a list of files that each represent a group and its members.

You can use this report to track if the package includes all the expected data and identify if there were any errors.

To collect an investigation package:
1. Select the machine that you want to investigate. Machines list - Select the heading of the machine name from the machines list.
2. Open the Actions menu and select Collect investigation package.
3. Type a comment and select Yes, collect package to take action on the machine.

The Action center shows the submission information:
- Submission time - Shows when the action was submitted.
- Status - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.

Select Package available to download the package. When the package is available, a new event will be added to the machine timeline.
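To check a downloaded package offline, an added example that is not Windows Defender ATP code: a Python inventory that counts the rows in each folder's CSV, reports expected folders that are missing or empty (the check the page's summary report is meant for), and flags processes and scheduled-task actions that run from user-writable paths. The folder names, CSV column names and sample rows are constructed assumptions; adjust EXPECTED_FOLDERS and the column names to the package you actually receive.

```python
"""Added example (not Windows Defender ATP code): an offline inventory of a
downloaded investigation package.  The folder names, CSV column names and the
sample rows are assumptions constructed for this illustration; adapt the
EXPECTED_FOLDERS map to what your package actually contains."""
import csv
import io
import zipfile

# Folders the page describes, each expected to hold at least one .CSV (assumed layout).
EXPECTED_FOLDERS = ["Installed programs", "Processes", "Scheduled tasks", "Services"]

# Constructed package contents: path inside the ZIP -> CSV text (not real data).
SAMPLE_FILES = {
    "Installed programs/programs.csv":
        "Name,Version\nExample Office,16.0\nExample Agent,1.2\n",
    "Processes/processes.csv":
        "PID,Name,Path\n"
        "4124,svchost.exe,C:\\Windows\\System32\\svchost.exe\n"
        "5120,update.exe,C:\\Users\\jonathan\\AppData\\Local\\Temp\\update.exe\n",
    "Scheduled tasks/tasks.csv":
        "TaskName,Action\n"
        "UpdateCheck,C:\\Users\\jonathan\\AppData\\Local\\Temp\\update.exe\n"
        "Defrag,C:\\Windows\\System32\\defrag.exe\n",
}


def build_sample_package():
    """Create an in-memory ZIP shaped like the assumed package layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in SAMPLE_FILES.items():
            zf.writestr(path, text)
    return buf.getvalue()


def read_csv_rows(zf, path):
    """Parse one CSV inside the open ZIP into a list of dict rows."""
    with zf.open(path) as fh:
        return list(csv.DictReader(io.TextIOWrapper(fh, encoding="utf-8")))


def inventory_package(zip_bytes):
    """Count CSV rows per top-level folder and list expected folders that are absent or empty."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".csv"):
                continue
            folder = name.split("/", 1)[0]
            counts[folder] = counts.get(folder, 0) + len(read_csv_rows(zf, name))
    missing = [f for f in EXPECTED_FOLDERS if counts.get(f, 0) == 0]
    return counts, missing


# Path fragments that any user can write to; code running from here deserves a look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def flag_user_writable(zip_bytes):
    """Flag process paths and scheduled-task actions under user-writable locations.

    Returns (folder, path) tuples so the reviewer can pivot to the relevant CSV.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        sources = (("Processes/processes.csv", "Path"),
                   ("Scheduled tasks/tasks.csv", "Action"))
        for path, column in sources:
            if path not in zf.namelist():
                continue
            for row in read_csv_rows(zf, path):
                value = row.get(column, "")
                if any(marker in value.lower() for marker in USER_WRITABLE):
                    flagged.append((path.split("/", 1)[0], value))
    return flagged


if __name__ == "__main__":
    package = build_sample_package()
    counts, missing = inventory_package(package)
    print("rows per folder:", counts)
    print("expected folders missing or empty:", missing)
    for folder, value in flag_user_writable(package):
        print("review:", folder, "->", value)
```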

You can download the package from the machine page or the Action center. You can also search for historical packages in the machine timeline.

Run Windows Defender Antivirus scan on machines
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.

Windows Defender AV can be in Passive mode. For more information, see Windows Defender Antivirus compatibility.

1. Select the machine that you want to run the scan on.
2. Open the Actions menu and select Run antivirus scan.
3. Select the scan type that you'd like to run. You can choose between a quick or a full scan.
4. Type a comment and select Yes, run scan to start the scan.

The Action center shows the scan information:
- Status - Indicates any pending actions or the results of completed actions.

The machine timeline will include a new event, reflecting that a scan action was submitted on the machine.

Windows Defender AV alerts will reflect any detections that surfaced during the scan. This feature is available if your organization uses Windows Defender Antivirus.

This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see Code integrity policy formats and signing. The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.

Select the machine where you'd like to restrict an application from running from. Open the Actions menu and select Restrict app execution. Type a comment and select Yes, restict app execution to take action on the file. The Action center shows the submission information:. When the application execution restriction configuration is applied, a new event is reflected in the machine timeline. Remove app restriction Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.

Select the machine where you restricted an application from running from. Open the Actions menu and select Remove app restrictions. Type a comment and select Yes, remove restriction to take action on the application.

The machine application restriction will no longer apply on the machine. Isolate machines from the network Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.

Selective isolation is available for machines on Windows 10, version or later. This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.

On Windows 10, version or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity a. Select the machine that you want to isolate. Open the Actions menu and select Isolate machine. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated a.

Type a comment and select Yes, isolate machine to take action on the machine. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.

Additional indications will be provided if you've enabled Outlook and Skype for Business communication. When the isolation configuration is applied, a new event is reflected in the machine timeline. Notification on machine user: When a machine is being isolated, a notification is displayed to inform the user that the machine is being isolated from the network.

Release machine from isolation

Depending on the severity of the attack and the state of the machine, you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.

Select a machine that was previously isolated. Open the Actions menu and select Release from isolation. Type a comment and select Yes, release machine to take action on the machine. The machine will be reconnected to the network.

Check activity details in Action center

The Action center provides information on actions that were taken on a machine or file.

Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

Restrict app execution

In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts by potentially malicious programs to run.

Notification on machine user: When an app is restricted, a notification is displayed to inform the user that an app is being restricted from running. Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center. You can also submit files for deep analysis to run the file in a secure cloud sandbox.

When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.

Stop and quarantine files in your network

You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed. The Stop and Quarantine File action includes stopping running processes, quarantining the files, and deleting persistence mechanisms such as registry keys.

The action takes effect on machines with Windows 10, version or later, where the file was observed in the last 30 days.

Stop and quarantine files

1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
   - Alerts - click the corresponding links from the Description or Details in the Artifact timeline
   - Search box - select File from the drop-down menu and enter the file name
2. Open the Actions menu and select Stop and Quarantine File.
3. Specify a reason, then click Yes, stop and quarantine.

The status indicators show the following:
- Success - Shows the number of machines where the file has been stopped and quarantined.
- Failed - Shows the number of machines where the action failed and details about the failure.
- Pending - Shows the number of machines where the file is yet to be stopped and quarantined.

This can take time when the machine is offline or not connected to the network. Select any of the status indicators to view more information about the action. For example, select Failed to see where the action failed. Notification on machine user: When the file is being removed from a machine, a notification is shown to the user.

In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.

IMPORTANT: The Action button is turned off for files signed by Microsoft as well as trusted third-party publishers to prevent the removal of critical system files and files used by important applications.

For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended. Run the following command on each machine where the file was quarantined.

Open an elevated command-line prompt on the machine:
   a. Go to Start and type cmd.
   b. Right-click Command Prompt and select Run as administrator.
Enter the following command, and press Enter:

Block files in your network

You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. For more information, see Manage cloud-based protection.


This update includes diagnostic improvements for determining the applicability of updates in several versions of Windows 10. The files and resources in this update make sure that feature updates are installed seamlessly to improve the reliability and security of Windows. Only certain builds of those Windows 10 versions require this update.

Devices that are running those builds automatically get the update downloaded and installed through Windows Update. This update is also offered directly to the Windows Update Client for some devices that have not installed the most recent updates. The English (United States) version of this software update installs files that have the attributes that are listed in the following tables.

The dates and times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

