From 8d5aefa6bf00959945fe756b7498b6d5250ece13 Mon Sep 17 00:00:00 2001 From: Ben McGarry <9434920+BenMcGarry@users.noreply.github.com> Date: Mon, 24 Aug 2020 15:06:41 +0100 Subject: [PATCH 1/6] Update WDAC hunting query Existing query does not appear to work within WDATP Advanced hunting, this updates the query to return the expected result. --- ...ation-control-events-centrally-using-advanced-hunting.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index 3b0e313266..19bcd021e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -30,10 +30,10 @@ This capability is supported beginning with Windows version 1607. Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP: ``` -MiscEvents -| where EventTime > ago(7d) and +DeviceEvents +| where Timestamp > ago(7d) and ActionType startswith "AppControl" -| summarize Machines=dcount(ComputerName) by ActionType +| summarize Machines=dcount(DeviceName) by ActionType | order by Machines desc ``` From 2b6ec3393ea3b7f2f3d0b7634a91cf02fcffb7cc Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 25 Aug 2020 21:02:02 +0500 Subject: [PATCH 2/6] Update advanced-security-audit-policy-settings.md --- .../auditing/advanced-security-audit-policy-settings.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index e36022563e..1ce7884399 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -64,7 +64,6 @@ Detailed Tracking security policy settings and audit events can be used to monit - [Audit Process Creation](audit-process-creation.md) - [Audit Process Termination](audit-process-termination.md) - [Audit RPC Events](audit-rpc-events.md) -- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation) - [Audit Token Right Adjusted](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-token-right-adjusted) ## DS Access From 032a7518c5047cdcacbab7c2202ae93ee1101351 Mon Sep 17 00:00:00 2001 From: Mark Wodrich Date: Thu, 3 Sep 2020 16:54:44 -0700 Subject: [PATCH 3/6] Update StackPivot compatibility considerations --- .../microsoft-defender-atp/exploit-protection-reference.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index d8f35500f4..388335525b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md 
@@ -667,7 +667,7 @@ Compatibility issues are uncommon. Applications which depend on replacing Window ### Description -The *validate stack integrity (StackPivot) mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution. +The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution. This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. @@ -710,7 +710,10 @@ The APIs intercepted by this mitigation are: ### Compatibility considerations -Compatibility issues are uncommon. Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. + +This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options From ae76541e4ff5c03ea8f69a10255ca577cc96713b Mon Sep 17 00:00:00 2001 
From: Ben Watt <13239035+wattbt@users.noreply.github.com> Date: Fri, 4 Sep 2020 14:09:05 +0100 Subject: [PATCH 4/6] Added missing final steps The steps for deploying the custom configuration profile did not finish as the previous section did, by explaining how the configuration profile should be assigned. I have added identical steps to the Systems Extension Policy before it. --- .../microsoft-defender-atp/mac-sysext-policies.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 3cd6ef23e7..a146b082c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -279,3 +279,5 @@ To deploy this custom configuration profile: ![System extension in Intune screenshot](images/mac-system-extension-intune.png) +5. In the `Assignments` tab, assign this profile to **All Users & All devices**. +6. Review and create this configuration profile. From b0e6671ccc3b523ce436b631830e781f70645ec5 Mon Sep 17 00:00:00 2001 From: Eddy Ng <57738387+WplusAzureAuto@users.noreply.github.com> Date: Mon, 14 Sep 2020 11:00:14 +0800 Subject: [PATCH 5/6] Update waas-delivery-optimization-setup.md Amended line 149 from Get-DeliveryOptimizationPerfSnap to Get-DeliveryOptimizationStatus, this command is validated from windows powershell to be the valid command that has -peerinfo switch --- windows/deployment/update/waas-delivery-optimization-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index a93a577f74..9cc82a5183 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md 
@@ -146,7 +146,7 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download  -**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. +**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. From 59463d206e29a5ee8fb326e07451b2a8b02ac6c7 Mon Sep 17 00:00:00 2001 From: Caroline Gitonga Date: Tue, 15 Sep 2020 19:20:07 +0300 Subject: [PATCH 6/6] Update value for DODownloadMode(99) --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index ba4a8aff28..d53f7dc795 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -152,7 +152,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt 1. [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate). Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** 1. **Apps for websites** - [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers). This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** 1. **Windows Update Delivery Optimization** - The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - 1. [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Let’s you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** + 1. [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode). Let’s you choose where Delivery Optimization gets or sends updates and apps. **Set to 99 (ninety-nine)** 1. **Windows Update** 1. [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Control automatic updates. **Set to 5 (five)** 1. Windows Update Allow Update Service - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice). Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)**
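Review bot: In PATCH 1/6 (querying-application-control-events-centrally-using-advanced-hunting.md), the fence around the rewritten query still has no language tag; since the block is Kusto, open it as ```kusto so the docs renderer highlights it. The column and table renames (MiscEvents to DeviceEvents, EventTime to Timestamp, ComputerName to DeviceName) are consistent with each other, but the same old names may appear elsewhere in this article, so the rest of the file should be searched for MiscEvents, EventTime and ComputerName before merging.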
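Review bot: In PATCH 2/6 (advanced-security-audit-policy-settings.md), the commit message gives no reason for dropping "Audit Credential Validation" from the Detailed Tracking list; the removal is justified because that subcategory belongs to Account Logon rather than Detailed Tracking, and the message should say so. While in this list, the remaining "Audit Token Right Adjusted" entry uses an absolute https://docs.microsoft.com/... URL whereas every sibling item uses a relative link such as `(audit-rpc-events.md)`; switching it to the relative form would keep the list consistent.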
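Review bot: In PATCH 3/6 (exploit-protection-reference.md), second hunk, the new sentence "This mitigation is incompatible with the Arbitrary Code Guard mitigation." states a hard incompatibility without saying why or linking to the Arbitrary Code Guard section of the same reference; readers enabling both will want the reason, and the ACG section should carry the reciprocal note. Also, the two added lines "Applications which are leveraging fake stacks ..." and "Applications which perform API interception ..." are not separated by a blank line, so Markdown renders them as one paragraph; insert a blank line if they are meant to read as separate points, and note that dropping "Compatibility issues are uncommon." changes the guidance from "rare" to "expect issues", which is worth calling out in the commit message.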
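Review bot: In PATCH 4/6 (mac-sysext-policies.md), the added steps "+5. In the `Assignments` tab ..." and "+6. Review and create ..." follow the image line and a blank line; confirm the image is indented as part of step 4 so Markdown keeps 5 and 6 in the same ordered list instead of starting a new one at 1. The commit message says these steps mirror the System Extension Policy section, so the wording and the `Assignments` backtick styling there should match exactly.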
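Review bot: In PATCH 5/6 (waas-delivery-optimization-setup.md), the corrected sentence now names `Get-DeliveryOptimizationStatus` as the cmdlet with `-PeerInfo`, but it sits inside the paragraph describing the `-Verbose` output of `Get-DeliveryOptimizationPerfSnap` (see the "Using the `-Verbose` option returns additional information:" context line), so a reader can still assume the switch belongs to PerfSnap. Either move the sentence next to the `Get-DeliveryOptimizationStatus` description or state explicitly that `-PeerInfo` is a switch of the status cmdlet, not the perf-snapshot cmdlet.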
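Review bot: In PATCH 6/6 (manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md), the commit message does not say why DODownloadMode moves from 100 to 99; for an article whose goal is limiting connections to Microsoft services, the relevant reason is that mode 99 (Simple) downloads over HTTP only and does not contact the Delivery Optimization cloud service, while mode 100 (Bypass) hands downloads to BITS and is deprecated starting with Windows 10, version 2004, and the line should say that. Since the line is being touched anyway, fix the pre-existing typo "Let's you choose" to "Lets you choose".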