From a25ade57d6338eada08b865841c9e7fac3928edb Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 10 Dec 2020 01:21:18 +0100 Subject: [PATCH 01/30] Update respond-file-alerts.md Changes proposed: - Whitespace standardization and normalization - MarkDown table extended to simplify future editing - Use MD H4 instead of **bold** style paragraph headings Whitespace changes: - remove redundant end-of-line whitespace - whitespace indents: use 3 instead of 4 blank spaces - add MD indent marker (`> `) compatibility spacing Ref. my own comment in PR #8726 --- .../respond-file-alerts.md | 92 +++++++++---------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 354a099a61..bccc623abc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article --- 
@@ -25,10 +25,10 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - + [!include[Prerelease information](../../includes/prerelease.md)] ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink) Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center. @@ -46,12 +46,12 @@ You can also submit files for deep analysis, to run the file in a secure cloud s Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files: -Permission | PE files | Non-PE files -:---|:---|:--- -View data | X | X -Alerts investigation | ☑ | X -Live response basic | X | X -Live response advanced | ☑ |☑ +| Permission | PE files | Non-PE files | +| :--------------------- | :------: | :----------: | +| View data | X | X | +| Alerts investigation | ☑ | X | +| Live response basic | X | X | +| Live response advanced | ☑ | ☑ | For more information on roles, see [Create and manage roles for role-based access control](user-roles.md). 
@@ -60,8 +60,8 @@ For more information on roles, see [Create and manage roles for role-based acces You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed. ->[!IMPORTANT] ->You can only take this action if: +> [!IMPORTANT] +> You can only take this action if: > > - The device you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft 
@@ -71,35 +71,35 @@ The **Stop and Quarantine File** action includes stopping running processes, qua This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days. ->[!NOTE] ->You’ll be able to restore the file from quarantine at any time. +> [!NOTE] +> You’ll be able to restore the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - - **Search box** - select **File** from the drop–down menu and enter the file name + - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline + - **Search box** - select **File** from the drop–down menu and enter the file name - >[!NOTE] - >The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). + > [!NOTE] + > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). 2. Go to the top bar and select **Stop and Quarantine File**. - ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) + ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png) 3. Specify a reason, then click **Confirm**. 
- ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) + ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) - The Action center shows the submission information: - ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) + The Action center shows the submission information: + ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - - **Submission time** - Shows when the action was submitted. - - **Success** - Shows the number of devices where the file has been stopped and quarantined. - - **Failed** - Shows the number of devices where the action failed and details about the failure. - - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. + - **Submission time** - Shows when the action was submitted. + - **Success** - Shows the number of devices where the file has been stopped and quarantined. + - **Failed** - Shows the number of devices where the action failed and details about the failure. + - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -118,9 +118,9 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the device: - a. Go to **Start** and type _cmd_. + a. Go to **Start** and type _cmd_. - b. Right–click **Command prompt** and select **Run as administrator**. + b. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: 
@@ -130,26 +130,26 @@ You can roll back and remove a file from quarantine if you’ve determined that > [!NOTE] > In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl. -> +> > Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days. > [!Important] -> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. +> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. ## Add indicator to block or allow a file You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. ->[!IMPORTANT] +> [!IMPORTANT] > ->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). +> - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. 
For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). > ->- The Antimalware client version must be 4.18.1901.x or later. ->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. ->- This response action is available for devices on Windows 10, version 1703 or later. ->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. +> - The Antimalware client version must be 4.18.1901.x or later. +> - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +> - This response action is available for devices on Windows 10, version 1703 or later. +> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. ->[!NOTE] +> [!NOTE] > The PE file needs to be in the device timeline for you to be able to take this action. > > There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. 
@@ -157,14 +157,14 @@ You can prevent further propagation of an attack in your organization by banning ### Enable the block file feature To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. - + ### Allow or block file When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. - See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. +See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator. @@ -215,10 +215,10 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. -Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. +Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.

->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] **Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis. @@ -232,7 +232,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. -**Submit files for deep analysis:** +#### Submit files for deep analysis: 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: 
@@ -242,17 +242,17 @@ When the sample is collected, Defender for Endpoint runs the file in is a secure 2. In the **Deep analysis** tab of the file view, click **Submit**. - ![You can only submit PE files in the file details section](images/submit-file.png) + ![You can only submit PE files in the file details section](images/submit-file.png) - > [!NOTE] - > Only PE files are supported, including _.exe_ and _.dll_ files. + > [!NOTE] + > Only PE files are supported, including _.exe_ and _.dll_ files. A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. > [!NOTE] > Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. -**View deep analysis reports** +#### View deep analysis reports View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. @@ -268,7 +268,7 @@ The details provided can help you investigate if there are indications of a pote ![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing.png) -**Troubleshoot deep analysis** +#### Troubleshoot deep analysis If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. From 80871aac40a1f430974a6c33eae3ed5a8b310281 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 10 Dec 2020 09:58:06 -0800 Subject: [PATCH 02/30] Update respond-file-alerts.md --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
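Review bot: the unchanged context line in hunk @@ -232 of respond-file-alerts.md, `When the sample is collected, Defender for Endpoint runs the file in is a secure environment`, still carries the "in is" typo; since this pass is already normalizing the surrounding lines, drop the stray "in" so it reads `runs the file in a secure environment`.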
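Review bot: hunk @@ -157 leaves `won't show up in the files's Action center` untouched; `files's` should be `file's`, matching `the file's profile page` two lines further down in the same hunk.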
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index bccc623abc..766691ac1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -232,7 +232,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. -#### Submit files for deep analysis: +#### Submit files for deep analysis 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: From 95f1084e6f521b245cb378ed09cadfbc05aadc24 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 14 Dec 2020 18:20:45 +0500 Subject: [PATCH 03/30] Link update As suggested I have updated the correct link. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/7896 --- .../microsoft-defender-atp/basic-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index fed2ad3911..af97cb1355 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md 
@@ -47,7 +47,7 @@ You can assign users with one of the following levels of permissions: > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). +- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0). **Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. From 8c6f6eb20929200bcc2c06bae033bd8374e5044a Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 15 Dec 2020 14:00:38 +0100 Subject: [PATCH 04/30] Important -> IMPORTANT (consistency) - Add uppercase for the Important blob. Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 766691ac1e..ef8a82a89f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -133,7 +133,7 @@ You can roll back and remove a file from quarantine if you’ve determined that > > Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days. -> [!Important] +> [!IMPORTANT] > A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. ## Add indicator to block or allow a file From 564127205d603c4af019ebc946d790181464d6b7 Mon Sep 17 00:00:00 2001 
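Review bot: the replacement URL in hunk @@ -47 of basic-permissions.md (PATCH 03/30) pins a module version with `?view=azureadps-1.0`; the same link is rewritten again in PATCH 05/30 without that query string (`https://docs.microsoft.com/powershell/module/msonline/connect-msolservice`), so either drop the version pin here or reconcile the two, because both commits touch the same line. The rewritten line also keeps the stray comma in `see, [Connect-MsolService]`.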
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 24 Dec 2020 15:02:20 +0100 Subject: [PATCH 05/30] Update basic-permissions.md From issue ticket #8864 (**typo**): > For more information, see Assign administrator and non-administrator roles to uses with Azure Active Directory. > (near the bottom of the page) > > uses should read users Thanks to andrePKI for pointing out the typo. This seemingly simple typo correction escalated somewhat into a format improvement and link update to replace outdated MSDN and TechNet links with current MS Docs links. You want to verify if the new links are the proper ones for this source page, or request the links either to be reverted back to the old ones, in case there is specific information in the old documents not present in the new documents, or suggest more correct links to replace the old ones. Proposed changes: - typo correction, "uses" -> users - typo correction: remove 2 commas from "see, Add, or remove group memberships" - Connect-MsolService: replace the old MSDN URL with a new one pointing to its current PowerShell docs page - old URL: https://msdn.microsoft.com/library/dn194123.aspx - new URL: https://docs.microsoft.com/powershell/module/msonline/connect-msolservice - "Add, or remove group memberships" link text (document title: "Manage Azure AD group and role membership") replaced with "Add or remove group members using Azure Active Directory" - old URL: https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups (anchor link jump broken by redirection) - new URL: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal Whitespace & formatting changes: - remove redundant end-of-line blanks (2 occurrences) - add editorial blank line after MarkDown H2 and H3 headings (4 occurrences) - MD syntax highlighting phrase "text" corrected to "PowerShell" (MD code blocks containing PS cmdlets) - reduce double blank 
spacing in bullet point list to single space (1 occurrence) - add MD indent marker compatibility spacing (1 occurrence) Closes #8864 --- .../basic-permissions.md | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index fed2ad3911..730e666b20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -13,7 +13,7 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article --- 
@@ -26,28 +26,30 @@ ms.topic: article - Azure Active Directory - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) -Refer to the instructions below to use basic permissions management. +Refer to the instructions below to use basic permissions management. You can use either of the following solutions: - Azure PowerShell -- Azure portal +- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell + You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read-only access ### Before you begin + - Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
> [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). +- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice). **Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. @@ -61,19 +63,20 @@ Assigning read-only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: - ```text + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` - For **read-only** access, assign users to the security reader role by using the following command: - ```text + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic + - [Manage portal access using RBAC](rbac.md) From 323600c55844d1a9ab3ae8fa613506593d2e963e Mon Sep 17 00:00:00 2001 
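Review bot: hunk @@ -26 of PATCH 05/30 edits the Connect-MsolService line against base fed2ad3911, the same pre-image PATCH 03/30 already rewrote (fed2ad3911..af97cb1355), so this commit will not apply cleanly on top of PATCH 03; rebase onto af97cb1355 and keep one form of the URL. The rewritten line also retains `see, [Connect-MsolService]` with the comma, and the context line `see, [How to install and configure Azure PowerShell]` is unchanged, so the comma cleanup the commit message describes is only applied to the group-membership sentence.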
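Review bot: the new link target in hunk @@ -61, `https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal`, does not match the commit message, which lists the new URL for that link as `.../active-directory-users-assign-role-azure-portal`; the URL in the hunk is the one that fits the link text "Add or remove group members using Azure Active Directory", so the commit message should be corrected rather than the hunk.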
From: aviveldan <39082532+aviveldan@users.noreply.github.com> Date: Thu, 24 Dec 2020 17:22:26 +0200 Subject: [PATCH 06/30] Added response fields descriptions table --- .../microsoft-defender-atp/get-ip-statistics.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index b58fd359e9..b3531c3636 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -93,3 +93,12 @@ Content-type: application/json "orgLastSeen": "2017-08-29T13:32:59Z" } ``` + + +Name | Description +:---|:---|:--- +Org prevalence | the distinct count of devices that opened network connection to this IP. +Org first seen | the first connection for this IP in the organization. +Org last seen | the last connection for this IP in the organization. +>[!Note] +> This statistic information is based on data from the past 30 days. From 682b74814d7c7ba5cd957febffe608deecd99bc6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Dec 2020 07:12:05 -0800 Subject: [PATCH 07/30] Update windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/get-ip-statistics.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index b3531c3636..61b9b25be5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md 
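Review bot: the table added to get-ip-statistics.md in PATCH 06/30 has a three-column alignment row (`:---|:---|:---`) under a two-column header (`Name | Description`), so it will not render as intended; use `:---|:---`. The `>[!Note]` block that follows is not separated from the table by a blank line, so renderers will fold it into the table, and the convention applied elsewhere in this series (PATCH 04/30) is uppercase, i.e. `> [!NOTE]`. PATCH 07/30 and 08/30 fix the first two points but not the casing.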
@@ -95,10 +95,11 @@ Content-type: application/json ``` -Name | Description -:---|:---|:--- -Org prevalence | the distinct count of devices that opened network connection to this IP. -Org first seen | the first connection for this IP in the organization. -Org last seen | the last connection for this IP in the organization. + +| Name | Description | +| :--- | :---------- | +| Org prevalence | the distinct count of devices that opened network connection to this IP. | +| Org first seen | the first connection for this IP in the organization. | +| Org last seen | the last connection for this IP in the organization. | >[!Note] > This statistic information is based on data from the past 30 days. From 6d922b5a3fb3fb7380b60f52d6d56804c2192347 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 28 Dec 2020 07:12:12 -0800 Subject: [PATCH 08/30] Update windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/get-ip-statistics.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 61b9b25be5..4f76236a07 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -101,5 +101,6 @@ Content-type: application/json | Org prevalence | the distinct count of devices that opened network connection to this IP. | | Org first seen | the first connection for this IP in the organization. | | Org last seen | the last connection for this IP in the organization. | ->[!Note] + +> [!Note] > This statistic information is based on data from the past 30 days. From 983c2b7934d0d13d22c8ed7cf2d3afced53968e8 Mon Sep 17 00:00:00 2001 
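Review bot: in hunk @@ -95 of PATCH 07/30 the three description cells start lowercase and `opened network connection to this IP` is missing an article (`a network connection`); since the hunk already rewrites those lines, capitalize them and add the article in the same change.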
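Review bot: hunk @@ -101 of PATCH 08/30 inserts the blank line before the note but keeps `> [!Note]` in mixed case; PATCH 04/30 in this same series standardized on uppercase (`[!IMPORTANT]`), so this should be `> [!NOTE]`.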
From: Denise Vangel-MSFT Date: Mon, 4 Jan 2021 08:56:40 -0800 Subject: [PATCH 09/30] Update microsoft-defender-antivirus-on-windows-server-2016.md --- .../microsoft-defender-antivirus-on-windows-server-2016.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 8f3a10623e..c125ee496c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -10,8 +10,8 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2020 -ms.reviewer: pahuijbr +ms.date: 01/04/2021 +ms.reviewer: pahuijbr, shwjha manager: dansimp --- From 8bfcddfa8f7b7f97e5f23d5e3550eea548af08ea Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 4 Jan 2021 09:00:09 -0800 Subject: [PATCH 10/30] Update microsoft-defender-antivirus-on-windows-server-2016.md --- ...fender-antivirus-on-windows-server-2016.md | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index c125ee496c..9caf13e4a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md 
@@ -46,7 +46,7 @@ The process of setting up and running Microsoft Defender Antivirus on a server p 5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) -6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus) +6. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-uninstall-microsoft-defender-antivirus) ## Enable the user interface on Windows Server 2016 or 2019 @@ -171,11 +171,11 @@ To help ensure security and performance, certain exclusions are automatically ad See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). -## Need to uninstall Microsoft Defender Antivirus? +## Need to set Microsoft Defender Antivirus to passive mode? -If you are using a non-Microsoft antivirus product as your primary antivirus solution, you can either disable Microsoft Defender Antivirus, or set it to passive mode, as described in the following procedures. +If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode. -### Set Microsoft Defender Antivirus to passive mode +### Set Microsoft Defender Antivirus to passive mode using a registry key If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` 
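Review bot: hunk @@ -46 changes the step-6 link text to "Set Microsoft Defender Antivirus to passive mode" but keeps the anchor `#need-to-uninstall-microsoft-defender-antivirus`, while hunk @@ -171 renames that heading to "Need to set Microsoft Defender Antivirus to passive mode?"; the old heading id no longer exists, so the link should become `#need-to-set-microsoft-defender-antivirus-to-passive-mode` (same slug rule the old anchor followed: lowercase, spaces to hyphens, question mark dropped).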
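Review bot: hunk @@ -171 removes the "either disable Microsoft Defender Antivirus, or set it to passive mode" choice, but the passive-mode procedure that follows is scoped in the unchanged context to "Windows Server, version 1803 or Windows Server 2019"; the file is microsoft-defender-antivirus-on-windows-server-2016.md, so a Windows Server 2016 reader running a non-Microsoft antivirus is left without a stated option. Either say what applies on Windows Server 2016 or keep a pointer to the alternative.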
@@ -193,17 +193,6 @@ If you are using Windows Server, version 1803 or Windows Server 2019, you can se Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -### Disable Microsoft Defender Antivirus using PowerShell - ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. - -The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016 or 2019: - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender -``` - ### Turn off the Microsoft Defender Antivirus user interface using PowerShell To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet: From 180cad0aa3ace97c1986a531f3557429f52cb456 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:00:20 +0200 Subject: [PATCH 11/30] clean linter warnings --- .../linux-support-install.md | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 9a2bf09a0d..0f1f9c1af8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -24,7 +24,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) 
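Review bot: Deleting the "Disable Microsoft Defender Antivirus using PowerShell" section removes the only place this page documented `Uninstall-WindowsFeature -Name Windows-Defender`, so any link to `#disable-microsoft-defender-antivirus-using-powershell` now dangles; check for inbound links before merging. The unchanged sentence kept just above the hunk, "the user interface cannot be enabled if you disable the core **Windows Defender** feature", still talks about disabling the core feature, which the page no longer describes; reword it, or state explicitly that passive mode, not feature removal, is the supported path when a third-party antivirus is primary.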
@@ -36,9 +35,11 @@ An error in installation may or may not result in a meaningful error message by ```bash sudo journalctl | grep 'microsoft-mdatp' > installation.log ``` + ```bash grep 'postinstall end' installation.log ``` + ```Output microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216 ``` @@ -54,6 +55,7 @@ Check if the mdatp service is running: ```bash systemctl status mdatp ``` + ```Output ● mdatp.service - Microsoft Defender for Endpoint Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled) 
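Review bot: The unchanged Output line immediately after the added blank line, `microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216`, carries a mangled timestamp (`07:04:43OURCE`); since this commit is a lint pass over exactly this block, fix the sample so readers comparing their own journal line are not misled about the expected format.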
@@ -69,47 +71,59 @@ systemctl status mdatp ## Steps to troubleshoot if mdatp service isn't running 1. Check if "mdatp" user exists: + ```bash id "mdatp" ``` + If there’s no output, run + ```bash sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp ``` 2. Try enabling and restarting the service using: + ```bash sudo systemctl enable mdatp ``` + ```bash sudo systemctl restart mdatp ``` 3. If mdatp.service isn't found upon running the previous command, run: + ```bash sudo cp /opt/microsoft/mdatp/conf/mdatp.service ``` + where `````` is ```/lib/systemd/system``` for Ubuntu and Debian distributions and - ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. + ```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES. Then rerun step 2. 4. If the above steps don’t work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details. Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. -5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. +5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`. 6. Ensure that the daemon has executable permission. + ```bash ls -l /opt/microsoft/mdatp/sbin/wdavdaemon ``` + ```Output -rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon ``` + If the daemon doesn't have executable permissions, make it executable using: + ```bash sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon ``` + and retry running step 2. 7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec". 
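Review bot: In step 3 the command `sudo cp /opt/microsoft/mdatp/conf/mdatp.service` has no destination argument, and the next line reads "where `````` is", so the angle-bracket placeholder was swallowed by the Markdown renderer as an HTML tag; escape it (for example `\<path\>`) or use a plain token such as `SYSTEMD_DIR` in both places, otherwise readers get a `cp` usage error and no hint why. While the "Rhel, CentOS, Oracle and SLES" line is touched for whitespace, "Rhel" should be "RHEL". Step 4 tells the reader to put SELinux into permissive or disabled mode via `/etc/selinux/config` and reboot; since that is a persistent, security-relevant change to the host, prefer "permissive" over "disabled" in the text (returning from disabled to enforcing requires a full filesystem relabel) and keep the instruction to revert immediately after the test.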
@@ -117,24 +131,31 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan ## If mdatp service is running, but EICAR text file detection doesn't work 1. Check the file system type using: + ```bash findmnt -T ``` + Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned. ## Command-line tool “mdatp” isn't working 1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command: + ```bash sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp ``` + and try again. If none of the above steps help, collect the diagnostic logs: + ```bash sudo mdatp diagnostic create ``` + ```Output Diagnostic file created: ``` + Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs. From 5ca316ae4def3482b1b279e1ba4fe35ffae40d98 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 4 Jan 2021 09:02:47 -0800 Subject: [PATCH 12/30] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index 083cbc45be..e2f17d8448 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md 
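Review bot: Two more placeholders were lost to the renderer in this hunk: `findmnt -T` requires a path argument (without one the tool exits with a usage error rather than listing the file system of the file you care about), and the Output block `Diagnostic file created: ` is missing the example zip path. Restore both as escaped placeholders, e.g. `findmnt -T \<path-to-file\>` and `Diagnostic file created: \<path\>`. The closing sentence "Path to a zip file that contains the logs will be displayed as an output" reads awkwardly; "The output shows the path to a zip file containing the logs."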
@@ -11,9 +11,9 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: pahuijbr +ms.reviewer: pahuijbr, shwjha manager: dansimp -ms.date: 12/20/2020 +ms.date: 01/04/2021 --- # Microsoft Defender Antivirus compatibility @@ -47,7 +47,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh | Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode | -(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive or disabled mode automatically when you install non-Microsoft antivirus product. In those cases, [disable Microsoft Defender Antivirus, or set it to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a server. +(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` From b4aa169c7a4e67bb3cb39dec0bef6ed8c2f27e12 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 4 Jan 2021 09:17:12 -0800 Subject: [PATCH 13/30] Update microsoft-defender-antivirus-on-windows-server-2016.md --- ...fender-antivirus-on-windows-server-2016.md | 20 +++++++------------ 1 file changed, 7 insertions(+), 13 deletions(-) 
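Review bot: The new anchor `#need-to-set-microsoft-defender-antivirus-to-passive-mode` matches the heading introduced in PATCH 10/30 (the trailing "?" is dropped by the anchor generator), so this is the fix the earlier commit was missing. The unchanged sentence right below the hunk, "you set Microsoft Defender Antivirus to passive mode by setting this registry key", is missing "can"; since the footnote is being reworded anyway, fix that line too.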
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 9caf13e4a6..c16f2a4930 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md 
@@ -34,19 +34,13 @@ While the functionality, configuration, and management are largely the same for The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) - -2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019) - -2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running) - -3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) - -4. (As needed) [Submit samples](#submit-samples) - -5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) - -6. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-uninstall-microsoft-defender-antivirus) +1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019). +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019). +3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running). +4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). +5. (As needed) [Submit samples](#submit-samples). +6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions). +7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode). ## Enable the user interface on Windows Server 2016 or 2019 From 4727cb7d21be56f7bb961e55a60f4e57498f6751 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:19:22 +0200 Subject: [PATCH 14/30] add to installaton tsg --- .../linux-support-install.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 0f1f9c1af8..cf23de1bf6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -48,6 +48,20 @@ An output from the previous command with correct date and time of installation i Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file. +## Make sure you have the correct package + +Please mind that the package you are installing is matching the host distribution and version. + +| package | distribution | +|-------------------------------|------------------------------------------| +| mdatp-rhel8.Linux.x86_64.rpm | Oracle, RHEL and CentOS 8.x | +| mdatp-sles12.Linux.x86_64.rpm | SuSE Linux Enterprise Server 12.x | +| mdatp-sles15.Linux.x86_64.rpm | SuSE Linux Enterprise Server 15.x | +| mdatp.Linux.x86_64.rpm | Oracle, RHEL and CentOS 7.x | +| mdatp.Linux.x86_64.deb | Debian and Ubuntu 16.04, 18.04 and 20.04 | + +For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen. + ## Installation failed Check if the mdatp service is running: From 19aa1f6eb9adb899dfc58c19652515382de1e960 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:29:36 +0200 Subject: [PATCH 15/30] connectivity tsg --- .../linux-support-connectivity.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 74db615cdb..6c3ebda4cd 100644 
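Review bot: Grammar in the new section: "Please mind that the package you are installing is matching the host distribution and version" should read "Make sure the package you install matches the host distribution and version", and "had been chosen" should be "has been chosen". The table header cells ("package", "distribution") are lowercase while the rest of these pages use sentence case. Since `mdatp.Linux.x86_64.rpm` (7.x) and `mdatp-rhel8.Linux.x86_64.rpm` (8.x) are easy to confuse, it would help to state what symptom a mismatched package produces so readers can connect it to the `journalctl` output collected earlier on the page.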
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -24,7 +24,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) 
@@ -37,8 +36,29 @@ To test if Defender for Endpoint for Linux can communicate to the cloud with the mdatp connectivity test ``` +expected output: + +```output +Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK] +Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK] +Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK] +Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK] +Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK] +Testing connection with https://v20.events.data.microsoft.com/ping ... [OK] +``` + If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. +Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, please whitelist MDE from such inspection. + ## Troubleshooting steps for environments without proxy or with transparent proxy To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal: From ca98df17c4314ec30de067a38f2ea3e6a80e7184 Mon Sep 17 00:00:00 2001 
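Review bot: "Failures with curl error 35 or 60, indicate certificate pinning rejection" has a stray comma and overstates the diagnosis: curl exit 35 is a generic TLS handshake failure (CURLE_SSL_CONNECT_ERROR) and 60 is peer certificate verification failure (CURLE_PEER_FAILED_VERIFICATION); both are what an intercepting proxy's substituted certificate produces, but also what a missing or outdated CA bundle produces. Suggest: "curl errors 35 or 60 indicate that the TLS handshake or certificate validation failed; this is typically caused by SSL/HTTPS inspection." "whitelist MDE from such inspection" should name what to exempt, namely the endpoints listed in the linked network-connections section. Also "expected output:" should be "Expected output:" to match the capitalised lead-ins elsewhere on the page.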
From: MatiG Date: Mon, 4 Jan 2021 19:31:35 +0200 Subject: [PATCH 16/30] fix linter warnings --- .../linux-support-perf.md | 48 ++++++++++--------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index e6585fc97f..627b4a24e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -23,7 +23,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) @@ -43,19 +42,20 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value disabled ``` + ```Output Configuration property updated ``` If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). -2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. +2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. > [!NOTE] > This feature is available in version 100.90.70 or newer. This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line: - + ```bash mdatp config real-time-protection-statistics --value enabled ``` 
@@ -71,6 +71,7 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp config real-time-protection --value enabled ``` + ```Output Configuration property updated ``` @@ -80,16 +81,18 @@ The following steps can be used to troubleshoot and mitigate these issues: ```bash mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json ``` + > [!NOTE] > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. - The output of this command will show all processes and their associated scan activity. + The output of this command will show all processes and their associated scan activity. -3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: +3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command: ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ``` + The output of this command should be similar to the following: ```Output 
@@ -102,39 +105,40 @@ The following steps can be used to troubleshoot and mitigate these issues: 100%[===========================================>] 1,020 --.-K/s in 0s ``` + 4. Next, type the following commands: + ```bash chmod +x high_cpu_parser.py ``` + ```bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log ``` The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact. - + For example, the output of the command will be something like the below: ```Output ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 - 27432 None 76703 - 73467 actool     1249 - 73914 xcodebuild 1081 - 73873 bash 1050 - 27475 None 836 - 1    launchd    407 - 73468 ibtool     344 - 549  telemetryd_v1   325 - 4764 None 228 - 125  CrashPlanService 164 + 27432 None 76703 + 73467 actool     1249 + 73914 xcodebuild 1081 + 73873 bash 1050 + 27475 None 836 + 1    launchd    407 + 73468 ibtool     344 + 549  telemetryd_v1   325 + 4764 None 228 + 125  CrashPlanService 164 ``` -   - To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). - + + To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). + >[!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. 
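Review bot: The sample output re-indented in this hunk looks like it was captured on macOS rather than Linux: the processes are `launchd`, `xcodebuild`, `actool`, `ibtool` and `CrashPlanService`, and the prompt line reads `python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json`; replace it with output from a Linux host so readers can recognise what they should see. In the unchanged prose just above, "te process name" should be "the process name", and the sentence below refers to a `Total files scanned` row although the columns are unlabelled (PID, process name, scanned-file count); say "the highest count in the last column" instead.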
Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). - - + For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). From 6229099d43ef75159b6d5166e680094ca362a122 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 19:43:03 +0200 Subject: [PATCH 17/30] update perf docs --- .../microsoft-defender-atp/linux-support-perf.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 627b4a24e7..6e3ff940d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
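Review bot: Step 5 and its link text still use the old "Microsoft Defender ATP for Linux" name while step 2 on the same page says "Defender for Endpoint for Linux"; since these two lines are being touched for whitespace, align the branding in the same change.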
@@ -33,6 +33,8 @@ Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux. +Before starting, **please make sure that other security products are not currenly running on the device**. Multilpe security products may conflict and impact the host performance. + The following steps can be used to troubleshoot and mitigate these issues: 1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues. @@ -49,6 +51,8 @@ The following steps can be used to troubleshoot and mitigate these issues: If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). + If the performance problem persists while real-time protection is off, the origin of the problem could the EDR component. In this case please contact customer support for further instructions and mitigation. + 2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. > [!NOTE] From 89ac2af4ffd5d3ac81dfc1b5e4b4f0d06ff65095 Mon Sep 17 00:00:00 2001 
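Review bot: Typos in the added text: "currenly" should be "currently" and "Multilpe" should be "Multiple"; in the second hunk "the origin of the problem could the EDR component" is missing "be", and "EDR" should be spelled out on first use (PATCH 21/30 later in this series fixes that line). "In this case please contact customer support" reads better as "In that case, contact customer support".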
From: MatiG Date: Mon, 4 Jan 2021 20:07:30 +0200 Subject: [PATCH 18/30] add support for missing events --- windows/security/threat-protection/TOC.md | 1 + .../linux-support-events.md | 94 +++++++++++++++++++ 2 files changed, 95 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 47925e97e7..59c4787025 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -302,6 +302,7 @@ ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) +##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-events.md) #### [Privacy](microsoft-defender-atp/linux-privacy.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md new file mode 100644 index 0000000000..f541d9d0d0 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md 
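Review bot: The TOC entry added for `linux-support-events.md` reuses the label "Troubleshoot performance issues" from the line above it, so the table of contents shows two identical entries pointing at different pages; use the new page's own title, e.g. "Troubleshoot missing events issues" (PATCH 19/30 in this series makes that fix).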
@@ -0,0 +1,94 @@ +--- +title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux +description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, events +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +mms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- + +# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint for Linux + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) + +This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal. + +Once MDE had been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. +In case events are not appearing or some types of events are missing, that could indicate some problem. + +## Missing network and login events + +MDE utilized `audit` framework from linux to track network and login activity. + +1. Make sure audit framework is working. 
+ + ```bash + service auditd status + ``` + + expected output: + + ```output + ● auditd.service - Security Auditing Service + Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) + Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago + Docs: man:auditd(8) + https://github.com/linux-audit/audit-documentation + Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) + Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS) + Main PID: 16666 (auditd) + Tasks: 25 + CGroup: /system.slice/auditd.service + ├─16666 /sbin/auditd + ├─16668 /sbin/audispd + ├─16670 /usr/sbin/sedispatch + └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d + ``` + +2. If auditd is stopped, please start it. + + ```bash + service auditd start + ``` + +**On SLES15** systems, SYSCALL auditing in `auditd` is disabled by default and can explain missing events. + +1. To validate that SYSCALL auditing is not disabeld, list the current audit rules: + + ```bash + sudo auditctl -l + ``` + + if the following line is present, please remove it or edit it to enable MDE to track specific SYSCALLs. + + ```output + -a task, never + ``` + + audit rules are located at `/etc/audit/rules.d/audit.rules`. + +## Missing file events + +File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux#system-requirements). + +List the filesystems on the machine with: + +```bash +df -Th +``` From 34914b978bc750593e5e0a5ab1ccdf68a8672594 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 4 Jan 2021 20:12:04 +0200 Subject: [PATCH 19/30] fix title --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
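Review bot: The front matter key `mms.collection:` should be `ms.collection:`; as written the page will not be tagged into the m365 collections, and the `title:` metadata still says "Microsoft Defender ATP for Linux" while the H1 says "Microsoft Defender for Endpoint for Linux". The "expected output" for `service auditd status` contains `ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)`, i.e. the rules load failed, which is itself a cause of missing network and login events even though the service is active; capture a healthy sample or add a step that checks `augenrules --load` succeeds and inspects `sudo auditctl -l` afterwards. In the SLES15 section, after removing `-a task, never` from `/etc/audit/rules.d/audit.rules` the rules must be reloaded (`augenrules --load` or an auditd restart) before the change takes effect, and readers should be told that removing it restores syscall auditing for every process, not just the sensor. In "Missing file events", "make sure fanotify is enabled" gives no way to check it; point at the kernel option `CONFIG_FANOTIFY` (for example in `/boot/config-$(uname -r)`), and the link `microsoft-defender-atp-linux#system-requirements` is missing `.md` (fixed in PATCH 22/30). Wording: "Once MDE had been installed" should be "has been installed", "MDE utilized `audit` framework from linux" should be "uses the Linux `audit` framework", and "disabeld" should be "disabled".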
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 59c4787025..25a5417d95 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -302,7 +302,7 @@ ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) -##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-events.md) +##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md) #### [Privacy](microsoft-defender-atp/linux-privacy.md) From 6a3ab419c597adbc1bd1df06f52d12cb055a1930 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:41:37 -0800 Subject: [PATCH 20/30] Update linux-support-events.md --- .../microsoft-defender-atp/linux-support-events.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md index f541d9d0d0..0d035c7cf7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md 
@@ -29,12 +29,12 @@ ms.topic: conceptual This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal. -Once MDE had been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. +Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages. In case events are not appearing or some types of events are missing, that could indicate some problem. ## Missing network and login events -MDE utilized `audit` framework from linux to track network and login activity. +Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity. 1. Make sure audit framework is working. @@ -75,7 +75,7 @@ MDE utilized `audit` framework from linux to track network and login activity. sudo auditctl -l ``` - if the following line is present, please remove it or edit it to enable MDE to track specific SYSCALLs. + if the following line is present, please remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs. ```output -a task, never From 7b08a9c1a6217a54e0bb988c474bd5f995653c2e Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:42:38 -0800 Subject: [PATCH 21/30] Update linux-support-perf.md --- .../microsoft-defender-atp/linux-support-perf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 6e3ff940d3..ab5e272c34 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md 
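Review bot: Expanding MDE to the full product name is fine, but the second hunk still leaves "utilized `audit` framework from linux"; since the sentence is being rewritten here, make it "uses the Linux `audit` framework" in the same change. Same for "had been installed properly" in the first hunk, which should be "has been installed properly".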
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -51,7 +51,7 @@ The following steps can be used to troubleshoot and mitigate these issues: If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). - If the performance problem persists while real-time protection is off, the origin of the problem could the EDR component. In this case please contact customer support for further instructions and mitigation. + If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case please contact customer support for further instructions and mitigation. 2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. From afae7f15ddac1bb06551620e897c1cc19ce1d1bf Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:49:09 -0800 Subject: [PATCH 22/30] fix link --- .../microsoft-defender-atp/linux-support-events.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md index 0d035c7cf7..af7e797106 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-events.md 
@@ -85,7 +85,7 @@ Microsoft Defender for Endpoint utilized `audit` framework from linux to track n ## Missing file events -File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux#system-requirements). +File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements). List the filesystems on the machine with: From 4667c3bd23d80cd3ce5d077848ee3f69e9630d49 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 10:55:44 -0800 Subject: [PATCH 23/30] Update linux-support-connectivity.md --- .../microsoft-defender-atp/linux-support-connectivity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 6c3ebda4cd..9e0a8a30c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md 
@@ -57,7 +57,7 @@ Testing connection with https://v20.events.data.microsoft.com/ping ... [OK] If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. -Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, please whitelist MDE from such inspection. +Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list. ## Troubleshooting steps for environments without proxy or with transparent proxy From 130009ae7bcd5672df9e108b244bf0873dd03aef Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Mon, 4 Jan 2021 11:52:09 -0800 Subject: [PATCH 24/30] pencil edit --- .../microsoft-defender-atp/basic-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index af97cb1355..a92747f148 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -47,7 +47,7 @@ You can assign users with one of the following levels of permissions: > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0). +- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0). **Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. From 5fa5d4f66a21aee83bc4c95be59251909fb92f6e Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 11:54:51 -0800 Subject: [PATCH 25/30] Update windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/get-ip-statistics.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 4f76236a07..29ce380e88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -95,7 +95,6 @@ Content-type: application/json ``` - | Name | Description | | :--- | :---------- | | Org prevalence | the distinct count of devices that opened network connection to this IP. | From 3e3f2ce52f529fd45b9418b829c4088adb7c7c3f Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 11:54:59 -0800 Subject: [PATCH 26/30] Update windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/get-ip-statistics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 29ce380e88..04c6b1641c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md 
@@ -101,5 +101,5 @@ Content-type: application/json | Org first seen | the first connection for this IP in the organization. | | Org last seen | the last connection for this IP in the organization. | -> [!Note] +> [!NOTE] > This statistic information is based on data from the past 30 days. From deb2b53038b3bdeedd956430e3c3c77b3308a5d6 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 4 Jan 2021 11:55:42 -0800 Subject: [PATCH 27/30] Update get-ip-statistics.md --- .../microsoft-defender-atp/get-ip-statistics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 04c6b1641c..ca568de79c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -42,7 +42,7 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' ->[!Note] +>[!NOTE] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) From 84f185edd619282636ecaee93761d566c3629ac2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 4 Jan 2021 16:59:42 -0800 Subject: [PATCH 28/30] Added vertical space --- .../microsoft-defender-atp/basic-permissions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index 9cddee17c5..1c8fc2eacd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -63,10 +63,13 @@ Assigning read-only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` + - For **read-only** access, assign users to the security reader role by using the following command: + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` From b5a5fb637f136d31a5276e2db48a68958a5b6d8a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 4 Jan 2021 17:00:10 -0800 Subject: [PATCH 29/30] Labeled code blocks with valid content types --- .../microsoft-defender-atp/get-ip-statistics.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 8b78df80cd..c34fe0e526 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -51,7 +51,8 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request -``` + +```http GET /api/ips/{ip}/stats ``` @@ -75,7 +76,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats ``` 
@@ -84,7 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats Here is an example of the response. -``` +```http HTTP/1.1 200 OK Content-type: application/json { From 695fb9a00ff804726b428b58a636280353a0e394 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 4 Jan 2021 17:06:33 -0800 Subject: [PATCH 30/30] Corrected code block labels and second-level list formatting Valid types for code blocks are listed here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master --- .../microsoft-defender-atp/respond-file-alerts.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index ef8a82a89f..05fd5e59e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -94,6 +94,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) The Action center shows the submission information: + ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - **Submission time** - Shows when the action was submitted. @@ -118,13 +119,13 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the device: - a. Go to **Start** and type _cmd_. + 1. Go to **Start** and type _cmd_. - b. Right–click **Command prompt** and select **Run as administrator**. + 1. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ```Powershell + ```powershell “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` 
@@ -273,11 +274,14 @@ The details provided can help you investigate if there are indications of a pote If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). + 1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. + 1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. + 1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - ```Powershell + ```powershell Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD @@ -287,6 +291,7 @@ If you encounter a problem when trying to submit a file, try each of the followi ``` 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). + 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). ## Related topics
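Review bot: in the first hunk of PATCH 20 (linux-support-events.md, `@@ -29`), the added line `Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity.` keeps the tense and article problems of the line it replaces; since the line is being rewritten anyway, make it `Microsoft Defender for Endpoint uses the `audit` framework from Linux to track network and login activity.` (present tense, "the", capitalized Linux). The same sentence shows up as hunk-header context in PATCH 22, so it will stay wrong there until this line is fixed at its source.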
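Review bot: the `@@ -75` hunk of PATCH 20 (linux-support-events.md) tells the reader to "remove it or edit it" for the `-a task, never` rule but says nothing about where the change has to be made to persist. `sudo auditctl -l`, shown in the context above, lists the rules currently loaded in the kernel; a rule deleted with `auditctl -d` comes back from the persistent rules files at the next reboot or `augenrules --load`, so the sentence should add that the rule also has to be removed from the file under /etc/audit/rules.d/ (or /etc/audit/audit.rules) that defines it. It is also worth one clause that `-a task,never` suppresses auditing for every newly created task system-wide, so dropping it changes what the host audits, not only what Defender sees. Minor: "if" at the start of the sentence should be capitalized.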
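Review bot: the linux-support-perf.md hunk in PATCH 21 fixes the missing "be", but "In this case please contact customer support" still needs a comma after "case", and because the removed line (and the rest of the product docs) used the acronym, spelling it out once as "endpoint detection and response (EDR) component" keeps the term searchable.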
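Review bot: the link fix in the PATCH 22 hunk (linux-support-events.md, `@@ -85`) is correct, but the touched sentence still reads awkwardly; suggest "File events are collected with the `fanotify` framework. If some or all file events are missing, make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements)."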
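Review bot: the replacement wording in the PATCH 23 hunk (linux-support-connectivity.md, `@@ -57`), "add Microsoft Defender for Endpoint to the allow list", loses what the removed line was actually saying, namely that the product's traffic must be excluded from SSL/HTTPS inspection; an allow list on a proxy normally means permitting the traffic, which the preceding sentence about blocked endpoints already covers. Suggest: "If so, exclude the Defender for Endpoint endpoints listed above from SSL/HTTPS inspection." Two smaller points on the same line: the comma after "60" separates subject from verb and should go, and curl exit 60 means the peer certificate could not be authenticated against known CA certificates while 35 is a generic TLS handshake failure, so "indicate certificate pinning rejection" is more accurately "usually indicate that the connection was intercepted and the presented certificate was rejected".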
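Review bot: the two NOTE-case fixes in get-ip-statistics.md are inconsistent with each other: PATCH 26 writes `> [!NOTE]` with a space after `>`, while PATCH 27 writes `>[!NOTE]` without one, and the `>- The user needs to have...` context line in the same blockquote has the same no-space shape. Pick one form and apply it to the whole blockquote in a single patch rather than leaving the two callouts in one file styled differently.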
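Review bot: in the `@@ -118` hunk of PATCH 30 (respond-file-alerts.md), changing the fence label from `Powershell` to `powershell` leaves the block's real problems in place. The command is typed into cmd.exe (the step above it opens an elevated Command Prompt, and `%ProgramFiles%` is cmd variable syntax; PowerShell would use `$env:ProgramFiles`), so `cmd` or `console` is the accurate label. More importantly, the line uses typographic quotes (“ ”) and en dashes (–) where the shell needs straight quotes and hyphens, so it fails when copied; it should read: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All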
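Review bot: the block relabeled `powershell` in the `@@ -273` hunk of PATCH 30 is not PowerShell; its content is a description of a registry value (`Path:` / `Name:` / `Type:` lines), so a neutral label such as `text` avoids misleading syntax highlighting and a reader pasting it into a shell. If the intent is to give something runnable, a line that actually reads the value, for example `Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name AllowSampleCollection`, would justify the `powershell` label.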