From b2a7fc3bc9e14094df5a9113f08a0638a2ca4c91 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Mon, 13 Jul 2020 11:07:10 +0500
Subject: [PATCH 01/30] Link to deployment of PKI page
As suggested by user that content is missing in the document, I have linked the page with the deployment of PKI certificate.
Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6360
---
.../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 5a7e9bb20a..898d43aaaa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -76,7 +76,7 @@ The minimum required Enterprise certificate authority that can be used with Wind
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store.
-
+See [Step-by-step example deployment of the PKI certificates](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates).
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
From efe389ee3bf4f59a53bd47737fa6e2fc6c2ff778 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Mon, 13 Jul 2020 14:45:26 +0500
Subject: [PATCH 02/30] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 898d43aaaa..1772e4de58 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -74,7 +74,7 @@ The minimum required Enterprise certificate authority that can be used with Wind
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
-* The domain controller certificate must be installed in the local computer's certificate store.
+* The domain controller certificate must be installed in the local computer's certificate store. See [Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates) for details.
See [Step-by-step example deployment of the PKI certificates](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates).
From d46766bceefc57e2f3024b2ba5237f36b127dc10 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Mon, 13 Jul 2020 14:45:51 +0500
Subject: [PATCH 03/30] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-key-trust-prereqs.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 1772e4de58..d595c23de0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -76,7 +76,6 @@ The minimum required Enterprise certificate authority that can be used with Wind
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store. See [Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates) for details.
-See [Step-by-step example deployment of the PKI certificates](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates).
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
From 8efa046a314e4ba3cb053801f1771fdb1ebb2c23 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Thu, 30 Jul 2020 08:15:55 +0500
Subject: [PATCH 04/30] Added certificate deployment
Updated certificate deployment for WHFB as suggested by @mapalko.
---
.../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index d595c23de0..1ef40f8957 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -74,7 +74,7 @@ The minimum required Enterprise certificate authority that can be used with Wind
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
-* The domain controller certificate must be installed in the local computer's certificate store. See [Step-by-step example deployment of the PKI certificates for Configuration Manager: Windows Server 2008 certification authority](https://docs.microsoft.com/mem/configmgr/core/plan-design/network/example-deployment-of-pki-certificates) for details.
+* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki) for details.
> [!IMPORTANT]
From 7b738c749ef6904d5120a5e674826fbb1a7a3dd2 Mon Sep 17 00:00:00 2001
From: ImranHabib <47118050+joinimran@users.noreply.github.com>
Date: Fri, 11 Dec 2020 17:44:34 +0500
Subject: [PATCH 05/30] Command Update
There was an issue with the command arguments. Made adjustments in the command.
Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8721
---
.../threat-protection/microsoft-defender-atp/linux-resources.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index 3b12f36855..7a265a8e8c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -97,7 +97,7 @@ The following table lists commands for some of the most common scenarios. Run `m
|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` |
|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
-|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
+|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode --value [enabled|disabled]` |
|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name [extension]` |
|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path [path-to-file]` |
|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` |
From 0afc459ed3c77cf47406db586ee904dd5746d1eb Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Fri, 11 Dec 2020 16:08:04 +0100
Subject: [PATCH 06/30] Use escape character before meta characters (pipe)
Had to suggest this additional change, seeing that the vertical pipe divider characters (logic 'or' in parameter examples) becomes interpreted as cell dividers by GitHub Flavored MarkDown.
- Add the backslash escape character in front of all pipe characters used as logic 'or' between parameter choices.
- Remove redundant (and unneeded) excessive backtick characters from inline encapsulations, only 1 (not 3) is needed.
---
.../microsoft-defender-atp/linux-resources.md | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
index 7a265a8e8c..969ca9675a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -75,9 +75,9 @@ There are several ways to uninstall Defender for Endpoint for Linux. If you are
### Manual uninstallation
-- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle Linux).
-- ```sudo zypper remove mdatp``` for SLES and variants.
-- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.
+- `sudo yum remove mdatp` for RHEL and variants(CentOS and Oracle Linux).
+- `sudo zypper remove mdatp` for SLES and variants.
+- `sudo apt-get purge mdatp` for Ubuntu and Debian systems.
## Configure from the command line
@@ -93,15 +93,15 @@ The following table lists commands for some of the most common scenarios. Run `m
|Group |Scenario |Command |
|----------------------|--------------------------------------------------------|-----------------------------------------------------------------------|
-|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled|disabled]` |
-|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` |
-|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
-|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
-|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode --value [enabled|disabled]` |
-|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name [extension]` |
-|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path [path-to-file]` |
-|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path [path-to-directory]` |
-|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path [path-to-process]`
`mdatp exclusion process [add|remove] --name [process-name]` |
+|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled\|disabled]` |
+|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled\|disabled]` |
+|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled\|disabled]` |
+|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled\|disabled]` |
+|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode --value [enabled\|disabled]` |
+|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add\|remove] --name [extension]` |
+|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add\|remove] --path [path-to-file]` |
+|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add\|remove] --path [path-to-directory]` |
+|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add\|remove] --path [path-to-process]`
`mdatp exclusion process [add\|remove] --name [process-name]` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
@@ -109,7 +109,7 @@ The following table lists commands for some of the most common scenarios. Run `m
|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
-|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` |
+|Diagnostics |Change the log level |`mdatp log level set --level verbose [error\|warning\|info\|verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
|Health |Check the product's health |`mdatp health` |
|Protection |Scan a path |`mdatp scan custom --path [path]` |
@@ -152,6 +152,6 @@ In the Defender for Endpoint portal, you'll see two categories of information:
- Logged on users do not appear in the Microsoft Defender Security Center portal.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
- ```bash
+ ```bash
sudo SUSEConnect --status-text
- ```
+ ```
From bd894640228c1881af47bea09afb255d39ae2d63 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Wed, 30 Dec 2020 14:57:24 +0500
Subject: [PATCH 07/30] Update custom-detection-rules.md
---
.../microsoft-defender-atp/custom-detection-rules.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 17e23e40fc..28be4b6c48 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -113,6 +113,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
+- **Restrict app execution**—sets restrictions on device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution)
### Actions on files
@@ -121,6 +122,10 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
+### Actions on users
+
+- **Mark user as compromised**-sets the users risk level to "high" in Azure Active Directory, triggering corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
+
## 5. Set the rule scope.
Set the scope to specify which devices are covered by the rule:
From 081961b496ff51e25eff440724928b094748f69a Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Wed, 30 Dec 2020 15:42:28 +0500
Subject: [PATCH 08/30] Update
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/custom-detection-rules.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 28be4b6c48..44bf12dcfa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -124,7 +124,7 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
### Actions on users
-- **Mark user as compromised**-sets the users risk level to "high" in Azure Active Directory, triggering corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
+- **Mark user as compromised**-sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
## 5. Set the rule scope.
From 0726ac2d7abc646cf1b35d670b58c31bf8067502 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Wed, 30 Dec 2020 21:01:02 +0500
Subject: [PATCH 09/30] Update
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../microsoft-defender-atp/custom-detection-rules.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 44bf12dcfa..3c1cbc5713 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -113,7 +113,7 @@ These actions are applied to devices in the `DeviceId` column of the query resul
- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
-- **Restrict app execution**—sets restrictions on device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution)
+- **Restrict app execution**—sets restrictions on the device to allow only files that are signed with a Microsoft-issued certificate to run. [Learn more about restricting app execution](respond-machine-alerts.md#restrict-app-execution)
### Actions on files
From 092e658109778d11de46a3450a469a27bba24811 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Wed, 30 Dec 2020 21:01:08 +0500
Subject: [PATCH 10/30] Update
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../microsoft-defender-atp/custom-detection-rules.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
index 3c1cbc5713..89b5a47aa8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
@@ -124,7 +124,7 @@ These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1`
### Actions on users
-- **Mark user as compromised**-sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
+- **Mark user as compromised**—sets the user's risk level to "high" in Azure Active Directory, triggering the corresponding [identity protection policies](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-levels).
## 5. Set the rule scope.
From 56837ef515082a92bd6802b9fc828a86251c2d06 Mon Sep 17 00:00:00 2001
From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com>
Date: Sat, 23 Jan 2021 19:07:52 +0100
Subject: [PATCH 11/30] Update install-vamt.md
adding link to ADK, removing specific version to ease maintenance of this page as we would have to update it at least once a year.
---
windows/deployment/volume-activation/install-vamt.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 6b18acd8ae..c2737b30a4 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,8 +49,8 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
-1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
-Reminder: There won't be new ADK release for 1909.
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install)
+It is recommended to uninstall and install the latest version of ADK if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
From 539a6ec83a1a5072f7482874fc5bf4a27fb51021 Mon Sep 17 00:00:00 2001
From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com>
Date: Sat, 23 Jan 2021 19:29:08 +0100
Subject: [PATCH 12/30] Update install-vamt.md
spellings / corrections
---
windows/deployment/volume-activation/install-vamt.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index c2737b30a4..3c482e49b3 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,8 +49,8 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
-1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install)
-It is recommended to uninstall and install the latest version of ADK if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install).
+It is recommended to uninstall ADK and install the latest version, if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
From 3745db7676eb331faffe66aeb76d1fe77c4eb107 Mon Sep 17 00:00:00 2001
From: Guillaume Aubert <44520046+gaubert-ms@users.noreply.github.com>
Date: Tue, 26 Jan 2021 10:55:11 +0100
Subject: [PATCH 13/30] Update passwordless-strategy.md
Missing "System" in GPO path
---
.../hello-for-business/passwordless-strategy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index dd1b6b18e0..87e71bc747 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
From cf5684d08b22e3cc90316984028b006030ded975 Mon Sep 17 00:00:00 2001
From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com>
Date: Tue, 26 Jan 2021 19:07:58 +0100
Subject: [PATCH 14/30] Update
windows/deployment/volume-activation/install-vamt.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
windows/deployment/volume-activation/install-vamt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 3c482e49b3..8fc4fde224 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -50,7 +50,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install).
-It is recommended to uninstall ADK and install the latest version, if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
+ If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
From 2d5030b41f663590154cdf47afb85ecce5a101db Mon Sep 17 00:00:00 2001
From: Jane Muriranja <68369324+JaneM-02@users.noreply.github.com>
Date: Thu, 28 Jan 2021 22:55:56 +0300
Subject: [PATCH 15/30] Update manage-windows-2004-endpoints.md
Adding 'adl.windows.com'
---
windows/privacy/manage-windows-2004-endpoints.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index c6f1fd140f..aea5913427 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -113,6 +113,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
|||TLSv1.2|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|TLSv1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2|dlassets-ssl.xboxlive.com|
From 098fadffe74b309909c6a4de723156a405223a0e Mon Sep 17 00:00:00 2001
From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com>
Date: Fri, 29 Jan 2021 17:22:30 +0100
Subject: [PATCH 16/30] Update indicator-ip-domain.md
indicators are also supported on iOS
---
.../microsoft-defender-atp/indicator-ip-domain.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index 2fd5f9cce1..bfa5bf0c44 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -46,6 +46,7 @@ It's important to understand the following prerequisites prior to creating indic
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
+- For support of indicators on iOS, please [see](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators)
>[!IMPORTANT]
From 68a4c1dddae4e0ab457802d54180545168b58ce9 Mon Sep 17 00:00:00 2001
From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com>
Date: Wed, 3 Feb 2021 16:28:12 -0800
Subject: [PATCH 17/30] Update Onboard-Windows-10-multi-session-device.md
---
.../Onboard-Windows-10-multi-session-device.md | 3 ---
1 file changed, 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index 1f03573655..7f1df6920d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -25,9 +25,6 @@ ms.technology: mde
Applies to:
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
-> [!WARNING]
-> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported.
-
Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
## Before you begin
From b8132898d8b37a888292975338cca8616418d5a4 Mon Sep 17 00:00:00 2001
From: MatiG
Date: Thu, 4 Feb 2021 16:28:24 +0200
Subject: [PATCH 18/30] change default to prod
---
.../linux-install-manually.md | 36 +++++++++++++------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index c45701fbed..f41fa4b080 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -32,10 +32,18 @@ ms.technology: mde
This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks:
-- [Configure the Linux software repository](#configure-the-linux-software-repository)
-- [Application installation](#application-installation)
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Client configuration](#client-configuration)
+- [Deploy Microsoft Defender for Endpoint for Linux manually](#deploy-microsoft-defender-for-endpoint-for-linux-manually)
+ - [Prerequisites and system requirements](#prerequisites-and-system-requirements)
+ - [Configure the Linux software repository](#configure-the-linux-software-repository)
+ - [RHEL and variants (CentOS and Oracle Linux)](#rhel-and-variants-centos-and-oracle-linux)
+ - [SLES and variants](#sles-and-variants)
+ - [Ubuntu and Debian systems](#ubuntu-and-debian-systems)
+ - [Application installation](#application-installation)
+ - [Download the onboarding package](#download-the-onboarding-package)
+ - [Client configuration](#client-configuration)
+ - [Log installation issues](#log-installation-issues)
+ - [Operating system upgrades](#operating-system-upgrades)
+ - [Uninstallation](#uninstallation)
## Prerequisites and system requirements
@@ -71,7 +79,13 @@ In order to preview new features and provide early feedback, it is recommended t
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+ For example, if you are running CentOS 7 and wish to deploy MDE for Linux from the *prod* channel:
+
+ ```bash
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo
+ ```
+
+ Or if you wish to explore new features on selected devices, you might want to deploy MDE for Linux to *insiders-fast* channel:
```bash
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
@@ -99,10 +113,10 @@ In order to preview new features and provide early feedback, it is recommended t
sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+ For example, if you are running SLES 12 and wish to deploy MDE for Linux from the *prod* channel:
```bash
- sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
+ sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo
```
- Install the Microsoft GPG public key:
@@ -133,10 +147,10 @@ In order to preview new features and provide early feedback, it is recommended t
curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
```
- For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
+ For example, if you are running Ubuntu 18.04 and wish to deploy MDE for Linux from the *prod* channel:
```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
```
- Install the repository configuration:
@@ -144,10 +158,10 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
```
- For example, if you chose *insiders-fast* channel:
+ For example, if you chose *prod* channel:
```bash
- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
+ sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
```
- Install the `gpg` package if not already installed:
From 845958b66d328bfa36723e14c91065249fb96398 Mon Sep 17 00:00:00 2001
From: MatiG
Date: Thu, 4 Feb 2021 17:30:24 +0200
Subject: [PATCH 19/30] "closest" meaning
---
.../microsoft-defender-atp/linux-install-manually.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index f41fa4b080..046ec05444 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -68,7 +68,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo yum install yum-utils
```
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/`. For instance, RHEL 7.9 is closer to 7.4 than to 8.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
@@ -105,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
### SLES and variants
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
@@ -139,7 +139,7 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install libplist-utils
```
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
From 5de115d5a01426ef854582bc19e44bb1430bb386 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 4 Feb 2021 07:35:49 -0800
Subject: [PATCH 20/30] Update Onboard-Windows-10-multi-session-device.md
---
...Onboard-Windows-10-multi-session-device.md | 35 +++++++++----------
1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index 7f1df6920d..a03a960bb6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -13,14 +13,13 @@ ms.topic: article
author: dansimp
ms.author: dansimp
ms.custom: nextgen
-ms.date: 09/10/2020
+ms.date: 02/04/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
---
# Onboard Windows 10 multi-session devices in Windows Virtual Desktop
-6 minutes to read
Applies to:
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
@@ -28,37 +27,37 @@ Applies to:
Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
## Before you begin
-Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts.
+Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
> [!NOTE]
-> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either:
+> Depending on your choice of onboarding method, devices can appear in MMicrosoft Defender Security Center as either:
> - Single entry for each virtual desktop
> - Multiple entries for each virtual desktop
-Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
+Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Security Center is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender Security Center. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
-Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
+Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
> [!NOTE]
> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account.
-### Scenarios
+## Scenarios
There are several ways to onboard a WVD host machine:
- Run the script in the golden image (or from a shared location) during startup.
- Use a management tool to run the script.
-#### *Scenario 1: Using local group policy*
+### Scenario 1: Using local group policy
This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
Follow the instructions for a single entry for each device.
-#### *Scenario 2: Using domain group policy*
+### Scenario 2: Using domain group policy
This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way.
-**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center**
+#### Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center
1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- Select Windows 10 as the operating system.
@@ -66,7 +65,7 @@ This scenario uses a centrally located script and runs it using a domain-based g
- Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**.
-**Use Group Policy management console to run the script when the virtual machine starts**
+#### Use Group Policy management console to run the script when the virtual machine starts
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
@@ -81,7 +80,7 @@ Enter the following:
Click **OK** and close any open GPMC windows.
-#### *Scenario 3: Onboarding using management tools*
+### Scenario 3: Onboarding using management tools
If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
@@ -93,18 +92,18 @@ For more information, see: [Onboard Windows 10 devices using Configuration Manag
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
-#### Tagging your machines when building your golden image
+## Tagging your machines when building your image
As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value).
-#### Other recommended configuration settings
+## Other recommended configuration settings
-When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings).
+When building your image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings).
In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection:
-**Exclude Files:**
+### Exclude Files
> %ProgramFiles%\FSLogix\Apps\frxdrv.sys
> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
@@ -116,12 +115,12 @@ In addition, if you are using FSlogix user profiles, we recommend you exclude th
> \\storageaccount.file.core.windows.net\share\*\*.VHD
> \\storageaccount.file.core.windows.net\share\*\*.VHDX
-**Exclude Processes:**
+### Exclude Processes
> %ProgramFiles%\FSLogix\Apps\frxccd.exe
> %ProgramFiles%\FSLogix\Apps\frxccds.exe
> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
-#### Licensing requirements
+## Licensing requirements
Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
From 901da52c20e3c7874098728ee391e7a7f8deade5 Mon Sep 17 00:00:00 2001
From: JesseEsquivel <33558203+JesseEsquivel@users.noreply.github.com>
Date: Thu, 4 Feb 2021 11:26:26 -0500
Subject: [PATCH 21/30] VDI File share feature backported to 1703
Adding note that the change has been backported and works in 1703+
---
.../deployment-vdi-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index 3849774f8b..ef143bfe39 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -50,7 +50,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De
## Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
+In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
### Use Group Policy to enable the shared security intelligence feature:
From 6f46373573a78e6cde7c9d40b292d4805d31e877 Mon Sep 17 00:00:00 2001
From: Tina Burden
Date: Thu, 4 Feb 2021 11:08:59 -0800
Subject: [PATCH 22/30] pencil edit
---
.../Onboard-Windows-10-multi-session-device.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
index a03a960bb6..3abe07fc71 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md
@@ -30,7 +30,7 @@ Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows
Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
> [!NOTE]
-> Depending on your choice of onboarding method, devices can appear in MMicrosoft Defender Security Center as either:
+> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either:
> - Single entry for each virtual desktop
> - Multiple entries for each virtual desktop
From bcf853a0c6d7be245aa5771142910694bbc0e2ab Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 4 Feb 2021 12:52:16 -0800
Subject: [PATCH 23/30] Update
manage-updates-baselines-microsoft-defender-antivirus.md
---
...tes-baselines-microsoft-defender-antivirus.md | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index a93bfb03a8..3e94248b41 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 01/07/2021
+ms.date: 02/04/2021
ms.technology: mde
---
@@ -387,6 +387,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+1.1.2102.03
+
+ Package version: **1.1.2102.03**
+ Platform version: **4.18.2011.6**
+ Engine version: **1.17800.5**
+ Signature version: **1.331.174.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+
1.1.2101.02
Package version: **1.1.2101.02**
From 50ae6bdaf97483e5006027f062ad773dc1244b8b Mon Sep 17 00:00:00 2001
From: Tristan Kington
Date: Fri, 5 Feb 2021 08:28:07 +1100
Subject: [PATCH 24/30] Update hello-hybrid-cert-whfb-settings-pki.md
Certification Authority is the actual console name for Certificate Authority servers. Spelling/grammar fixes, some clarity and wording fixes. PKIView tip for NTAuth.
---
.../hello-hybrid-cert-whfb-settings-pki.md | 69 ++++++++++---------
1 file changed, 35 insertions(+), 34 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index ec12645e1d..2b5e042c13 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -25,13 +25,13 @@ ms.reviewer:
- Hybrid Deployment
- Certificate Trust
-Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
+Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly-issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows between them and the client computer.
-All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates.
+All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users with a sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificates to registration authorities to provide defense-in-depth security when issuing user authentication certificates.
## Certificate Templates
-This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
+This section has you configure certificate templates on your Windows Server 2012 (or later) Active Directory Certificate Services issuing certificate authority.
### Domain Controller certificate template
@@ -39,13 +39,13 @@ Clients need to trust domain controllers and the best way to do this is to ensur
Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future.
-By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
+By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
#### Create a Domain Controller Authentication (Kerberos) Certificate Template
Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -66,15 +66,15 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
#### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template
-Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers--the domain controller certificate template. Later releases provided a new certificate template--the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
+Many domain controllers may have an existing domain controller certificate. Active Directory Certificate Services provides a default certificate template for domain controllers--the Domain Controller certificate template. Later releases provided a new certificate template--the Domain Controller Authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the **KDC Authentication** extension.
-The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later).
+The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers, and should be the one you deploy to all your domain controllers (2008 or later).
-The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
+The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate based on the Kerberos Authentication certificate template.
Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -86,31 +86,32 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
-7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template, and click **OK**.
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
9. Click **OK** and close the **Certificate Templates** console.
-The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
+The certificate template is configured to supersede all the certificate templates listed in the superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail.
+> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers.
### Enrollment Agent certificate template
-Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
+Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request, or when the service first starts.
-Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
+Approximately 60 days prior to the enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew and expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
> [!IMPORTANT]
-> Follow the procedures below based on the AD FS service account used in your environment.
+> Follow the procedures below based on the AD FS service account used in your environment.
#### Creating an Enrollment Agent certificate for Group Managed Service Accounts
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+Sign-in to a certificate authority or management workstation with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority Management** console.
+1. Open the **Certification Authority Management** console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -123,7 +124,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
> [!NOTE]
- > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
+ > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the _Build from this Active Directory information_ option, which will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with _Supply in the request_ to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
@@ -139,9 +140,9 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
#### Creating an Enrollment Agent certificate for typical Service Accounts
-Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials.
+Sign-in to a certificate authority or management workstation with *Domain Admin* equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -163,11 +164,11 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e
### Creating Windows Hello for Business authentication certificate template
-During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring.
+During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
-Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
@@ -175,10 +176,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+5. On the **General** tab, type **WHFB Authentication** or your choice of template name in **Template display name**. Note the short template name for later use with CertUtil. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
- > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+ > If you use different template names, you'll need to remember and substitute these names in the relevant portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
@@ -231,39 +232,39 @@ CertUtil: -dsTemplate command completed successfully."
```
> [!NOTE]
-> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
+> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
## Publish Templates
### Publish Certificate Templates to a Certificate Authority
-The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
+The certificate authority only issues certificates for certificate templates which are published by that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
#### Publish Certificate Templates to the Certificate Authority
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
-4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**.
-5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+5. In the **Enable Certificates Templates** window, Ctrl-select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console.
#### Unpublish Superseded Certificate Templates
-The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
+The certificate authority only issues certificates based on published certificate templates. For defense-in-depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes any pre-published certificate templates from the role installation and any superseded certificate templates.
-The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
+The newly-created Kerberos authentication-based Domain Controller certificate template supersedes any previous domain controller certificate templates. Therefore, you should unpublish these certificate templates from all issuing certificate authorities.
-Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+Sign-in to each certificate authority, or a management workstation with _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certification Authority** management console.
2. Expand the parent node from the navigation pane.
From 7f67353b01d6be65d5556b6ce8fdbd16831ab6d7 Mon Sep 17 00:00:00 2001
From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com>
Date: Thu, 4 Feb 2021 13:49:07 -0800
Subject: [PATCH 25/30] Update
manage-updates-baselines-microsoft-defender-antivirus.md
---
.../manage-updates-baselines-microsoft-defender-antivirus.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index a93bfb03a8..cc3faf4943 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -90,7 +90,6 @@ All our updates contain
### What's new
- Improved SmartScreen status support logging
-- Apply CPU throttling policy to manually initiated scans
### Known Issues
No known issues
From a056b6666433d506ac2794163026df64a3c0e070 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 4 Feb 2021 13:52:11 -0800
Subject: [PATCH 26/30] Update
manage-updates-baselines-microsoft-defender-antivirus.md
---
.../manage-updates-baselines-microsoft-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index cc3faf4943..cc8b19bee3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 01/07/2021
+ms.date: 02/04/2021
ms.technology: mde
---
From bf4e78eb163328ce27ca5ee63c0745156ac27656 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Thu, 4 Feb 2021 15:11:26 -0800
Subject: [PATCH 27/30] Update
windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/indicator-ip-domain.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index bfa5bf0c44..7f68650da3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -46,7 +46,7 @@ It's important to understand the following prerequisites prior to creating indic
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
-- For support of indicators on iOS, please [see](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators)
+- For support of indicators on iOS, please see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators).
>[!IMPORTANT]
From f894c637829a7df259eceb508003089fd5a9522f Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Thu, 4 Feb 2021 15:11:36 -0800
Subject: [PATCH 28/30] Update
windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/indicator-ip-domain.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index 7f68650da3..988db9e418 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -49,7 +49,7 @@ It's important to understand the following prerequisites prior to creating indic
- For support of indicators on iOS, please see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators).
->[!IMPORTANT]
+> [!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:
> NOTE:
From e8e39fe4bac27f2e3ffebac0252920d48352958f Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Thu, 4 Feb 2021 15:12:17 -0800
Subject: [PATCH 29/30] Update indicator-ip-domain.md
---
.../microsoft-defender-atp/indicator-ip-domain.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
index 988db9e418..4491cd3549 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
@@ -46,7 +46,7 @@ It's important to understand the following prerequisites prior to creating indic
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
-- For support of indicators on iOS, please see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators).
+- For support of indicators on iOS, see [Configure custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features#configure-custom-indicators).
> [!IMPORTANT]
From 4a5634de8151504ebb2496e294fecff9c83bc387 Mon Sep 17 00:00:00 2001
From: garycentric
Date: Thu, 4 Feb 2021 20:40:04 -0800
Subject: [PATCH 30/30] Removed /en-us from a Microsoft URL, added in the
public repo
---
windows/deployment/volume-activation/install-vamt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 8fc4fde224..38d957f492 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
-1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install).
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.