From 93f7474a4be995738f6593341d1b33a2aa9f0aac Mon Sep 17 00:00:00 2001
From: amirsc3 <42802974+amirsc3@users.noreply.github.com>
Date: Sun, 17 May 2020 16:19:50 +0300
Subject: [PATCH 1/6] Update production-deployment.md
We should match the details from https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server
---
.../microsoft-defender-atp/production-deployment.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 0c0a59b197..2d7a107234 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -228,7 +228,7 @@ needed if the machine is on Windows 10, version 1803 or later.
Service location | Microsoft.com DNS record
-|-
-Common URLs for all locations | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com```
+Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```
```ctldl.windowsupdate.com```
```www.microsoft.com/pkiops/*```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net```
United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net```
United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net```
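Review bot: The two entries added to the "Common URLs for all locations" row, `crl.microsoft.com/pki/crl/*` and `www.microsoft.com/pkiops/*`, are URL patterns with a path and wildcard, but the column header is still "Microsoft.com DNS record" and every other entry in the table is a bare hostname. A proxy or firewall that allow-lists by hostname cannot enforce a path, so state whether the whole host or only the listed path has to be allowed, and rename the column (for example to "URL") so it matches what the cells now contain.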
From 05bb9d22485b4c9b3b60352772848a67dddcd76b Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Mon, 18 May 2020 12:37:08 -0700
Subject: [PATCH 2/6] updates
---
.../configure-server-endpoints.md | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index b7e90ca3be..7ca70934da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -24,8 +24,10 @@ ms.topic: article
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
+- Windows Server (SAC) version 1803 and later
- Windows Server, version 1803
-- Windows Server, 2019 and later
+- Windows Server 2019 and later
+- Windows Server 2019 core edition
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
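Review bot: The old `- Windows Server, version 1803` entry is kept as context directly under the new `Windows Server (SAC) version 1803 and later` line, so this list now names the same release twice; remove the old entry in this commit. The new `Windows Server 2019 core edition` entry is also lowercase, while the heading added later in this patch uses "Core edition"; pick one capitalization.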
@@ -37,9 +39,9 @@ The service supports the onboarding of the following servers:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
-- Windows Server, version 1803
+- Windows Server (SAC) version 1803 and later
- Windows Server 2019 and later
-
+- Windows Server 2019 core edition
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
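Review bot: The blank line that closed the list is removed and the new `- Windows Server 2019 core edition` bullet takes its place, so nothing in the visible lines separates the last bullet from the paragraph that follows; keep a blank line after the list so that paragraph is not rendered as a continuation of the bullet. Since the paragraph is adjacent to the change, "For a practical guidance on" could be corrected to "For practical guidance on" at the same time.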
@@ -128,9 +130,8 @@ Once completed, you should see onboarded servers in the portal within an hour.
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
-
-## Windows Server, version 1803 and Windows Server 2019
-To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below.
+## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
+To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below.
> [!NOTE]
> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
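Review bot: The new heading and its intro sentence say "Windows Server (SAC) version 1803", while the supported-server lists edited earlier in this patch say "version 1803 and later"; state the same range in both places so readers on later SAC releases know this section applies to them. The blank line before the `##` heading is also removed; restore it so the heading is clearly separated from step 4 of the list above.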
@@ -191,7 +192,7 @@ The following capabilities are included in this integration:
## Offboard servers
-You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines.
+You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines.
For other server versions, you have two options to offboard servers from the service:
- Uninstall the MMA agent
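Review bot: "Windows Server (SAC)" in the new offboarding sentence has no version, unlike "Windows Server (SAC) version 1803" in the rest of this patch, which leaves it unclear which servers count as "other server versions" and need the MMA-based options listed below. Add the version, and while the line is being edited change "in the same method available" to "using the same method that is available".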
From 1bd4905b54136e1041237c2636927da0737a0ccf Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Mon, 18 May 2020 12:52:37 -0700
Subject: [PATCH 3/6] edit
---
.../microsoft-defender-atp/configure-server-endpoints.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 7ca70934da..78f2fede2f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -25,7 +25,6 @@ ms.topic: article
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server (SAC) version 1803 and later
-- Windows Server, version 1803
- Windows Server 2019 and later
- Windows Server 2019 core edition
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
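Review bot: The removed `- Windows Server, version 1803` line is the duplicate that patch 2/6 left as context when it added the SAC entry above it, so this one-line deletion belongs in that commit. Squash it there, or replace the subject "edit" with one that says what is removed and why.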
From 38c0c8ee28334661d67b958b89be8eff2c7383db Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Mon, 18 May 2020 13:33:29 -0700
Subject: [PATCH 4/6] Corrected indentation and numbering in lists
---
.../configure-server-endpoints.md | 38 ++++++++++---------
1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index 78f2fede2f..a14525a0c9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -59,21 +59,23 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012
### Option 1: Onboard servers through Microsoft Defender Security Center
You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center.
-- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
+ - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
+ - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
+ - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients.
-> [!NOTE]
-> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
+ > [!NOTE]
+ > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
-- Turn on server monitoring from Microsoft Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
+ - Turn on server monitoring from Microsoft Defender Security Center.
+ - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
+
+ Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
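Review bot: The MMA bullet is split so that "Otherwise, install and configure MMA ..." becomes its own paragraph, and that paragraph and the re-indented `[!NOTE]` block only stay inside their list items if they are indented to the item's text column; check a rendered preview to confirm that neither one ends the list. Also confirm that the nested hotfix and prerequisite bullets, which this hunk leaves unchanged, are still indented deeper than the parent bullets that were re-indented. "as instructed below" would be easier to follow as a link to the section it refers to.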
@@ -84,6 +86,7 @@ Microsoft Defender ATP integrates with System Center Endpoint Protection. The in
The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
+
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
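Review bot: The blank line added between the two bullets turns this into a loose list, so each item renders as its own paragraph; drop it unless the extra spacing is intended and applied to the other lists in the file as well. The intro sentence calls these "steps", so if the order matters (platform update first, then the Cloud Protection Service membership setting) a numbered list would make that explicit.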
@@ -150,20 +153,20 @@ Support for Windows Server, provide deeper insight into activities happening on
2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly:
- a. Set the following registry entry:
+ 1. Set the following registry entry:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
- b. Run the following PowerShell command to verify that the passive mode was configured:
+ 1. Run the following PowerShell command to verify that the passive mode was configured:
- ```PowerShell
- Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
- ```
+ ```PowerShell
+ Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
+ ```
- c. Confirm that a recent event containing the passive mode event is found:
+ 1. Confirm that a recent event containing the passive mode event is found:
- 
+ 
3. Run the following command to check if Windows Defender AV is installed:
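Review bot: The verification command on the re-indented line, `Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}`, returns every event with ID 84 in the log, while the next sub-step asks the reader to confirm a "recent" one; adding `-MaxEvents 1` would show only the newest event, and the stray space before `;` can go at the same time. The three sub-steps are all numbered `1.`, which relies on the renderer to auto-number, and the fenced block and image must sit at the sub-step's indentation for that numbering to continue; confirm in a preview.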
@@ -221,11 +224,12 @@ To offboard the server, you can use either of the following methods:
#### Run a PowerShell command to remove the configuration
1. Get your Workspace ID:
- a. In the navigation pane, select **Settings** > **Onboarding**.
- b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
+ 1. In the navigation pane, select **Settings** > **Onboarding**.
+
+ 1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
- 
+ 
2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
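Review bot: Step 2, left as context in this hunk, reads "Use the Workspace ID you obtained and replacing `WorkspaceID`"; since this commit is a cleanup pass over the same list, change it to "Use the Workspace ID you obtained to replace `WorkspaceID`". With the blank line added between the two sub-steps and the image re-indented, check in a preview that the image stays under the second sub-step and that step 2 keeps its number.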
From 75b5070537527e326063fbaa6170a7a60582eafe Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Mon, 18 May 2020 13:39:13 -0700
Subject: [PATCH 5/6] chars
---
.../threat-protection/microsoft-defender-atp/machine-tags.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
index 23a14e3ccd..9da990fe57 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
@@ -72,7 +72,7 @@ You can also delete tags from this view.
>- Windows 7 SP1
> [!NOTE]
-> The maximum number of characters that can be set in a tag from the registry is 30.
+> The maximum number of characters that can be set in a tag is 200.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
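Review bot: The note changes two things at once, the limit (30 to 200) and its scope (the qualifier "from the registry" is dropped), and neither the subject "chars" nor the diff says where the new number comes from. Confirm that 200 applies to tags set through the registry as well as by other methods; if the registry limit is different, keep both numbers in the note.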
From 294799b51eaf94c481fc43993c5797d90bec1352 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Mon, 18 May 2020 13:57:04 -0700
Subject: [PATCH 6/6] Fixed a few small issues
---
.../microsoft-defender-atp/production-deployment.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 2d7a107234..c2a4429c26 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -198,9 +198,9 @@ Use netsh to configure a system-wide static proxy.
1. Open an elevated command-line:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
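Review bot: Step 1 still reads "Open an elevated command-line:" while its sub-steps refer to **Command prompt**; since the sub-steps are being renumbered anyway, change the parent step to "Open an elevated command prompt" so it has no hyphen and matches the UI term. Both sub-steps are numbered `1.`, which depends on auto-numbering and on the indentation under step 1, so confirm the rendered output shows them nested.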
@@ -253,9 +253,9 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
> [!NOTE]
-> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
+> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting.
## Next step
|||
|:-------|:-----|
-|
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them
+|
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them.
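Review bot: In the `[!NOTE]`, the edited sentence "As a cloud-based solution, the IP address range can change" still has a dangling modifier (the solution is cloud-based, not the range), and "move to DNS resolving setting" in the second sentence does not say what the reader should configure; reword along the lines of "Because the service is cloud-based, its IP address ranges can change" and name the setting to use instead. In the "Next step" table, the row begins with `|` on one line and the link on the next in both the old and new versions, so confirm that the row renders as a single table row with the intended first cell.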