From 032ab23a764e62a1bc39a8e69e51f8d9325592c4 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 25 Jun 2020 11:11:06 +0500 Subject: [PATCH 1/9] Note Addition As suggested, added a note in the documents regarding usage of 1903 settings in 1909 version as 1909 is incremental version of 1903. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5930 --- ...-windows-operating-system-components-to-microsoft-services.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 7d7448f4d5..d72c9f1fbd 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -30,6 +30,7 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. >[!IMPORTANT] +> - The downloadable 1903 scripts/settings can be used on 1909 devices. > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. > - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. 
Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. From 40254907157f3e6c999a6f04b51f9388d0cea212 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 25 Jun 2020 12:31:59 +0500 Subject: [PATCH 2/9] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d72c9f1fbd..d5c9df4cc7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -30,7 +30,7 @@ This article describes the network connections that Windows 10 components make t Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. >[!IMPORTANT] -> - The downloadable 1903 scripts/settings can be used on 1909 devices. +> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. 
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. From b81e04747b95046a0548b367cac19ddf76b31338 Mon Sep 17 00:00:00 2001 From: Tom Henderson Date: Fri, 24 Jul 2020 07:58:23 +1200 Subject: [PATCH 3/9] Add missing TOC entry --- windows/security/threat-protection/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 8285168070..da07070744 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -842,6 +842,8 @@ ####### [Event 4689 S: A process has exited.](auditing/event-4689.md) ###### [Audit RPC Events](auditing/audit-rpc-events.md) ####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md) +###### [Audit Token Right Adjusted](auditing/audit-token-right-adjusted.md) +####### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md) ###### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md) ####### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md) ####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md) From bda28068451fc6081533622683b8ee216ba76808 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 24 Jul 2020 09:50:15 -0700 Subject: [PATCH 4/9] Update index.yml --- windows/privacy/index.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index 8096eb0de3..b9b6ce81fd 100644 --- a/windows/privacy/index.yml 
+++ b/windows/privacy/index.yml @@ -14,7 +14,7 @@ metadata: author: danihalfin ms.author: daniha manager: dansimp - ms.date: 02/21/2019 #Required; mm/dd/yyyy format. + ms.date: 07/21/2020 #Required; mm/dd/yyyy format. ms.localizationpriority: high # highlightedContent section (optional) @@ -55,7 +55,7 @@ productDirectory: - title: Changes to Windows diagnostic data collection imageSrc: https://docs.microsoft.com/media/common/i_build.svg summary: See what changes Windows is making to align to the new data collection taxonomy - url: windows-diagnostic-data.md + url: changes-to-windows-diagnostic-data-collection.md # conceptualContent section (optional) # conceptualContent: @@ -179,4 +179,4 @@ additionalContent: - text: Support for GDPR Accountability on Service Trust Portal url: https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted # footer (optional) - # footer: "footertext [linktext](https://docs.microsoft.com/footerfile)" \ No newline at end of file + # footer: "footertext [linktext](https://docs.microsoft.com/footerfile)" From 770318a6cff010219c5032ba4519bf8c04078c5a Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Fri, 24 Jul 2020 10:07:38 -0700 Subject: [PATCH 5/9] Release notes for 101.03.73 --- .../microsoft-defender-atp/linux-whatsnew.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index d2a63d964c..b20e62b3b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -19,6 +19,10 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Linux +## 101.03.73 + +- Bug fixes + ## 101.02.55 - Fixed an issue where the product sometimes does not start following a reboot / upgrade From fa5e594f63e7ad63b1dd7d8df99d86f42623ea4e Mon Sep 17 00:00:00 2001 
From: Tudor Dobrila Date: Fri, 24 Jul 2020 11:01:09 -0700 Subject: [PATCH 6/9] Fix build number --- .../threat-protection/microsoft-defender-atp/linux-whatsnew.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index b20e62b3b0..a35d6e6d1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -19,7 +19,7 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Linux -## 101.03.73 +## 101.03.48 - Bug fixes From fd46fdefc9fdbf701c6f7adca77a259a587baec8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 24 Jul 2020 13:51:09 -0700 Subject: [PATCH 7/9] Updating note about collected diagnostic data --- .../microsoft-defender-antivirus/collect-diagnostic-data.md | 3 +++ .../microsoft-defender-atp/investigate-machines.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index 840b26d06e..ea6ee23720 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md 
@@ -25,6 +25,9 @@ manager: dansimp This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV. +> [!NOTE] +> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). + On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps: 1. Open an administrator-level version of the command prompt as follows: diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 5fd56526b0..19f12472bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -27,6 +27,9 @@ ms.topic: article Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach. +> [!NOTE] +> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). + You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas: - [Devices list](investigate-machines.md) From 7551a2b349b0d61907a5caef844b0e6d8820f27c Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Fri, 24 Jul 2020 14:15:23 -0700 Subject: [PATCH 8/9] Update collect-diagnostic-data.md --- .../microsoft-defender-antivirus/collect-diagnostic-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index ea6ee23720..876f707fc7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -26,7 +26,7 @@ manager: dansimp This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV. > [!NOTE] -> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). +> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). On at least two devices that are experiencing the same issue, obtain the .cab diagnostic file by taking the following steps: From ecc19d563e847b7011eea592d17227a88c9afeb3 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 24 Jul 2020 14:15:40 -0700 Subject: [PATCH 9/9] Update investigate-machines.md --- .../microsoft-defender-atp/investigate-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 19f12472bc..bd6a081f9a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -28,7 +28,7 @@ ms.topic: article Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach. > [!NOTE] -> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). +> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices). You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
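Review bot: in the PATCH 1/9 hunk for manage-connections-from-windows-operating-system-components-to-microsoft-services.md, the added bullet `> - The downloadable 1903 scripts/settings can be used on 1909 devices.` gives the reader no reason, while the commit message does (1909 is an incremental version of 1903). Carry that rationale into the note itself and spell out the product, e.g. `> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices, because version 1909 is an incremental update of version 1903.` The product-name fix lands separately in PATCH 2/9; squash the two commits so the history never carries the bare-build-number wording.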
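Review bot: the PATCH 3/9 TOC.md hunk adds entries pointing at `auditing/audit-token-right-adjusted.md` and `auditing/event-4703.md`, but the patch touches only TOC.md; confirm both target pages exist in the tree (or arrive in the same PR), otherwise the docs build ends up with two broken links. Placing the new subcategory directly after `Audit RPC Events` / `Event 5712` and before `Audit Detailed Directory Service Replication` follows the surrounding heading depth (`######` for the subcategory, `#######` for the event), which is right.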
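Review bot: in the PATCH 4/9 index.yml productDirectory hunk the url changes from `windows-diagnostic-data.md` to `changes-to-windows-diagnostic-data-collection.md`; confirm the new file exists and, if the old page was renamed rather than added alongside, that a redirect for `windows-diagnostic-data.md` is in place so existing external links do not break. In the metadata hunk `ms.date` is set to `07/21/2020` while the commit is dated 24 Jul 2020; minor, but the value should be the actual update date. Restoring the missing trailing newline in the footer hunk is a welcome cleanup.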
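Review bot: the PATCH 5/9 linux-whatsnew.md hunk adds a `## 101.03.73` section whose only content is `- Bug fixes`, while the adjacent `## 101.02.55` entry names the concrete problem it fixed (product not starting after a reboot / upgrade). For an endpoint security agent, administrators decide whether and how fast to roll a build out from these notes, so state what was fixed, or at least whether any fix touches startup, upgrade or detection behaviour. The version number is then corrected to `101.03.48` in PATCH 6/9; squash that fixup into this commit so no intermediate revision of the page advertises a build number that does not exist.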
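Review bot: in the PATCH 7/9 collect-diagnostic-data.md hunk, the new `> [!NOTE]` sends readers of a Microsoft Defender AV diagnostics article to a Microsoft Defender ATP page (`microsoft-defender-atp/respond-machine-alerts`); readers collecting an AV .cab may not have devices onboarded to Defender ATP, so the note should say that the investigation package is a Defender ATP feature and applies only to onboarded devices. The URL also hard-codes the `en-us` locale segment, which PATCH 8/9 later strips; rather than an absolute docs.microsoft.com URL, use a relative link in the style of the rest of the docset, e.g. `../microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices` (the two files sit in sibling folders under windows/security/threat-protection), and squash the locale fixup into this commit.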
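Review bot: same point for the PATCH 7/9 investigate-machines.md hunk: the link target is in the same folder as the page, so `[Collect investigation package from devices](respond-machine-alerts.md#collect-investigation-package-from-devices)` matches the `[Devices list](investigate-machines.md)` style visible in the trailing context and avoids the `en-us` locale segment that PATCH 9/9 has to remove; squash that fixup here. Since the identical note text is now duplicated in two files, keep the wording in sync when either is edited.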