From 9f180218da5060741d8b090b9acb113e5596f8ba Mon Sep 17 00:00:00 2001 From: Ikko Ashimine Date: Sun, 19 Apr 2020 16:28:49 +0900 Subject: [PATCH 1/9] Fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Micosoft→Microsoft --- windows/client-management/mdm/get-seats.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md index 21d8f631c1..a510b2460c 100644 --- a/windows/client-management/mdm/get-seats.md +++ b/windows/client-management/mdm/get-seats.md @@ -1,6 +1,6 @@ --- title: Get seats -description: The Get seats operation retrieves the information about active seats in the Micosoft Store for Business. +description: The Get seats operation retrieves the information about active seats in the Micorsoft Store for Business. ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get seats -The **Get seats** operation retrieves the information about active seats in the Micosoft Store for Business. +The **Get seats** operation retrieves the information about active seats in the Microsoft Store for Business. ## Request From e27bb2da07fe243cbfc2f62aba41e26a05e455bf Mon Sep 17 00:00:00 2001 
From: illfated Date: Sun, 19 Apr 2020 21:03:48 +0200 Subject: [PATCH 2/9] MD-ATP/Exploit Protection: corrections & updates Description: As reported in issue ticket #6531 (Redirect Exploit protection "Evaluation Package" link directly to right site), the aka.ms link to the Evaluation Package points to the Windows Defender test ground page. The suggestion is to point the link directly to the Exploit Protection (EP) page instead. Thanks to beerisgood for reporting this issue. Additional changes: Link corrections and updates to counteract the fact that some of the old technet links do not lead directly to the correct topic pages, so it is better to insert traceable direct links instead. I have not found any formatting worth correcting on this page, so the various outdated or bad links will be the main focus in this PR. Changes proposed: - Replace the aka.ms/mp7z2w link with the direct EP download page link - Replace technet/msdn links with current docs.microsoft.com page links - Replace 1 technet link with support.microsoft.com/help - Remove bad go.microsoft.com/fwlink (Windows 10 edition comparison PDF) - Insert direct link to local neighboring page for MD-ATP (same folder) Ticket closure or reference: Closes #6531 --- .../import-export-exploit-protection-emet-xml.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 174242a934..415a4bb13e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md 
@@ -21,11 +21,11 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection. You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. 
@@ -33,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. -The [Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. +The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. ## Create and export a configuration file @@ -141,7 +141,7 @@ You can use Group Policy to deploy the configuration you've created to multiple ### Use Group Policy to distribute the configuration -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal)), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 
@@ -158,7 +158,7 @@ You can use Group Policy to deploy the configuration you've created to multiple * https://localhost:8080/Config.xml * C:\ExploitConfigfile.xml -6. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +6. Click **OK** and [Deploy the updated GPO as you normally do](https://docs.microsoft.com/windows/win32/srvnodes/group-policy). ## Related topics From 980c6e949d9d0048ddb28e82dfa630da98f241a4 Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 19 Apr 2020 21:10:50 +0200 Subject: [PATCH 3/9] XML Filename correction * Forgot to rename the XML filename in the main PR commit Ref. #6531 --- .../import-export-exploit-protection-emet-xml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 415a4bb13e..f5e315dcb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md 
@@ -33,7 +33,7 @@ You can also convert and import an existing EMET configuration XML file into an This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. -The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. +The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. ## Create and export a configuration file From d88f5f4cb913d40074de759236397d3ce8bda1db Mon Sep 17 00:00:00 2001 From: illfated Date: Sun, 19 Apr 2020 21:28:41 +0200 Subject: [PATCH 4/9] Double closing bracket (link) correction * Oversight caused by my attempt at being quick & efficient (it hardly ever works for me, I just make more mistakes). Ref. #6531 --- .../import-export-exploit-protection-emet-xml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index f5e315dcb9..55dd84f8c5 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -141,7 +141,7 @@ You can use Group Policy to deploy the configuration you've created to multiple ### Use Group Policy to distribute the configuration -1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. From 8672dd14638542fa6ea52447a5788c61ba1fb078 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Mon, 20 Apr 2020 09:08:09 -0700 Subject: [PATCH 5/9] note about Azure activation --- windows/deployment/windows-10-subscription-activation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index d953b17ab2..0f8c21c1b1 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -79,6 +79,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each ### Windows 10 Enterprise requirements +> [!NOTE] +> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). + For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: - Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. From 4eae06d0bd3820822a1938278bc3b6cfcb1f6752 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 20 Apr 2020 10:32:19 -0700 Subject: [PATCH 6/9] ioc content updates --- .../manage-indicators.md | 32 ++++++++++++++----- .../post-ti-indicator.md | 21 ++++++------ 2 files changed, 36 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index c6e5f743ca..354ce7015c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md 
@@ -1,7 +1,7 @@ --- title: Manage indicators ms.reviewer: -description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities. +description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) -Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). +Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. @@ -54,7 +54,7 @@ You can create an indicator for: - URLs/domains >[!NOTE] ->There is a limit of 5000 indicators per tenant. +>There is a limit of 15,000 indicators per tenant. ![Image of indicators settings page](images/rules-indicators.png) 
@@ -103,17 +103,17 @@ One of the options when taking [response actions on a file](respond-file-alerts. When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. -Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. +Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. ## Create indicators for IPs and URLs/domains (preview) Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. The threat intelligence data set for this has been managed by Microsoft. -By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. +By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. ### Before you begin -It's important to understand the following prerequisites prior to creating indicators for IPS, URLs or domains: +It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: - URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Protect your network](network-protection.md). 
- The Antimalware client version must be 4.18.1906.x or later. - Supported on machines on Windows 10, version 1709 or later. @@ -132,7 +132,7 @@ It's important to understand the following prerequisites prior to creating indic >[!NOTE] >There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked. -### Create an indicator for IPs, URLs or domains from the settings page +### Create an indicator for IPs, URLs, or domains from the settings page 1. In the navigation pane, select **Settings** > **Indicators**. 
@@ -163,8 +163,24 @@ You can also choose to upload a CSV file that defines the attributes of indicato Download the sample CSV to know the supported column attributes. +The following table shows the supported parameters. + +Parameter | Type | Description +:---|:---|:--- +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** +indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required** +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** +title | String | Indicator alert title. **Required** +description | String | Description of the indicator. **Required** +expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional** +severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** +recommendedActions | String | TI indicator alert recommended actions. **Optional** +rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** + + + + ## Related topic - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) - [Use the Microsoft Defender ATP indicators API](ti-indicator.md) - [Use partner integrated solutions](partner-applications.md) - diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index b865033486..b02f9d6f58 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md 
@@ -71,6 +71,7 @@ description | String | Description of the indicator. **Required** expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional** severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional** recommendedActions | String | TI indicator alert recommended actions. **Optional** +rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** ## Response @@ -87,16 +88,18 @@ Here is an example of the request. POST https://api.securitycenter.windows.com/api/indicators Content-type: application/json { - "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", - "indicatorType": "FileSha1", - "title": "test", - "application": "demo-test", - "expirationTime": "2020-12-12T00:00:00Z", - "action": "AlertAndBlock", - "severity": "Informational", - "description": "test", - "recommendedActions": "nothing" + "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "application": "demo-test", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "nothing", + “rbacGroupNames": [“group1”, “group2”] } +``` ## Related topic - [Manage indicators](manage-indicators.md) \ No newline at end of file From 34053af140ec96100b44f26220ea752e706fc84b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 20 Apr 2020 10:36:44 -0700 Subject: [PATCH 7/9] add steps --- .../microsoft-defender-atp/manage-indicators.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index 354ce7015c..76908992e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -163,6 +163,16 @@ You can also choose to upload a CSV file that defines the attributes of indicato Download the sample CSV to know the supported column attributes. +1. In the navigation pane, select **Settings** > **Indicators**. + +2. Select the tab of the entity type you'd like to import indicators for. + +3. Select **Import** > **Choose file**. + +4. Select **Import**. Do this for all the files you'd like to import. + +5. Select **Done**. + The following table shows the supported parameters. Parameter | Type | Description @@ -179,7 +189,6 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator - ## Related topic - [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) - [Use the Microsoft Defender ATP indicators API](ti-indicator.md) From 0fbb7fe300ddb889a2535c2b3bb5308ccda8047e Mon Sep 17 00:00:00 2001 
From: illfated Date: Mon, 20 Apr 2020 21:25:02 +0200 Subject: [PATCH 8/9] BitLocker/MDT: TPM typo & link updates Description: As reported in issue ticket #6538 (TPM, not TMP), there is a typo where the initialism TPM is misspelled as "TMP". Although a common variable in the Microsoft Windows environment, it is not correct in this note. Thanks to ntw2 for reporting this typo. Further changes suggested: Replace 2 out of 3 fwlinks with their current target page links (the 3rd is a rabbit hole too deep for now). Changes proposed: - "TMP" corrected to TPM (as it should be) - fwlink/p/?LinkId=619548 -> docs.microsoft.com/previous-versions/ windows/it-pro/windows-7/dd875529(v=ws.10) ((could use a new page)) - fwlink/p/?LinkId=167133 -> gallery.technet.microsoft.com/ ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191 ((marked for retirement, needs a backup or replacement)) - Remove redundant end-of-line whitespace for 2 lines Additional notes: Please feel free to suggest improved link replacements, especially for the untouched fwlink, [Check to see if the TPM is enabled.] (https://go.microsoft.com/fwlink/p/?LinkId=619549) This link lands on the top blog archive menu: https://docs.microsoft.com/archive/blogs/ . Ticket closure or reference: Closes #6538 --- .../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index d54f06dc77..c6400f67e9 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md 
@@ -31,15 +31,15 @@ To configure your environment for BitLocker, you will need to do the following: 4. Configure the rules (CustomSettings.ini) for BitLocker. > [!NOTE] -> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). +> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. > [!NOTE] -> Backing up TMP to Active Directory was supported only on Windows 10 version 1507 and 1511. +> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511. >[!NOTE] ->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. - +>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. 
For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. + For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ## Configure Active Directory for BitLocker @@ -95,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor ### Set permissions in Active Directory for BitLocker -In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. +In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01. 1. On DC01, start an elevated PowerShell prompt (run as Administrator). 2. Configure the permissions by running the following command: From 58f802b84e4b51f1a61a13daefc384cf9c300892 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Mon, 20 Apr 2020 16:35:23 -0700 Subject: [PATCH 9/9] Indented content in list items, added missing end punctuation --- ...port-export-exploit-protection-emet-xml.md | 34 ++++++++++--------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 55dd84f8c5..95806be4e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md 
@@ -53,27 +53,28 @@ When you have configured exploit protection to your desired state (including bot 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. -> [!IMPORTANT] -> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file. + > [!IMPORTANT] + > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file. -![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png) + ![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png) -> [!NOTE] -> When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. + > [!NOTE] + > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections—either section will export all settings. ### Use PowerShell to export a configuration file -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: ```PowerShell Get-ProcessMitigation -RegistryConfigFilePath filename.xml ``` -Change `filename` to any name or location of your choosing. + Change `filename` to any name or location of your choosing. 
-Example command -**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** + Example command: + + **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** > [!IMPORTANT] > When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. @@ -86,17 +87,18 @@ After importing, the settings will be instantly applied and can be reviewed in t ### Use PowerShell to import a configuration file -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: ```PowerShell Set-ProcessMitigation -PolicyFilePath filename.xml ``` -Change `filename` to the location and name of the exploit protection XML file. + Change `filename` to the location and name of the exploit protection XML file. -Example command -**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** + Example command: + + **Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** > [!IMPORTANT] 
> @@ -116,14 +118,14 @@ You can only do this conversion in PowerShell. > > You can then convert that file using the PowerShell cmdlet described here before importing the settings into Exploit protection. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. 2. Enter the following cmdlet: ```PowerShell ConvertTo-ProcessMitigationPolicy -EMETFilePath emetFile.xml -OutputFilePath filename.xml ``` -Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. + Change `emetFile` to the name and location of the EMET configuration file, and change `filename` to whichever location and file name you want to use. > [!IMPORTANT] > @@ -151,7 +153,7 @@ You can use Group Policy to deploy the configuration you've created to multiple 4. Double-click the **Use a common set of Exploit protection settings** setting and set the option to **Enabled**. -5. In the **Options::** section, enter the location and filename of the Exploit protection configuration file that you want to use, such as in the following examples: +5. In the **Options::** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples: * C:\MitigationSettings\Config.XML * \\\Server\Share\Config.xml
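
Review bot: In PATCH 1/9, the front-matter hunk of get-seats.md (@@ -1,6 +1,6 @@) replaces "Micosoft" with "Micorsoft" in the description line, so the typo is moved rather than fixed. The body hunk of the same patch spells it correctly; the description should read "Microsoft Store for Business" as well.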
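
Review bot: In PATCH 2/9, the step 1 line added in the @@ -141,7 +141,7 @@ hunk closes the Group Policy Management Console link with "portal))", so a stray ")" renders after the link text. PATCH 4/9 removes it; squashing that fix into this commit would keep the broken line out of the history.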
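
Review bot: In PATCH 3/9 (@@ -33,7 +33,7 @@), the rewritten sentence still opens a parenthesis at "(name *ProcessMitigation.xml*" that is never closed, and the new "(Selfhost v4)" nested inside it makes that harder to spot. Suggest "(named *ProcessMitigation.xml*, Selfhost v4)" or dropping the outer parenthesis.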
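
Review bot: In PATCH 5/9, the added note lists "workgroup, Hybrid, and Azure AD-joined VMs"; the capitalised "Hybrid" sits between two lower-case items and does not say what it is hybrid of. If hybrid Azure AD-joined is meant, spell it out, for example "workgroup, hybrid Azure AD-joined, and Azure AD-joined VMs".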
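
Review bot: In PATCH 6/9, manage-indicators.md, the "Before you begin" sentence touched in the @@ -103,17 +103,17 @@ hunk gains the serial comma but keeps "IPS". It should read "IPs, URLs, or domains" to match the section heading and the paragraph above it.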
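
Review bot: In PATCH 6/9, manage-indicators.md (@@ -163,8 +163,24 @@), the new parameter table sits in the CSV upload section yet describes rbacGroupNames as a "Comma-separated list" without saying how that value is quoted inside a CSV row; an unquoted list would split into extra columns. Please state the expected quoting or delimiter. Smaller points in the same hunk: "if the indicator will be discovered" should be "if the indicator is discovered", and four blank lines are added before "## Related topic".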
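
Review bot: In PATCH 6/9, post-ti-indicator.md, the request example in the @@ -87,16 +88,18 @@ hunk adds the rbacGroupNames line with typographic quotes (“ and ”) around the key and values, so the body is no longer valid JSON and will fail when copied into a client. Use straight double quotes. The example also passes an array, while the row added in the @@ -71,6 +71,7 @@ hunk documents the parameter as a String holding a comma-separated list; the two should agree.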
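
Review bot: In PATCH 7/9, the five import steps are inserted between "Download the sample CSV to know the supported column attributes." and "The following table shows the supported parameters.", so the reader reaches "Select **Done**" before seeing what the file must contain. Suggest moving the table lead-in above step 1, or pointing to the table from step 3.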
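
Review bot: In PATCH 8/9 (@@ -31,15 +31,15 @@), the replacement link target in the third note ends in "dd875529(v=ws.10))", which puts parentheses inside the Markdown link destination; renderers that do not balance parentheses cut the URL at the first ")". Percent-encoding them as %28 and %29 avoids that. After this change the first and third notes also use the same link text, "Backing Up BitLocker and TPM Recovery Information to AD DS", for two different targets, so one of them should be retitled or the notes merged.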
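
Review bot: In PATCH 8/9 (@@ -95,7 +95,7 @@), the Add-TPMSelfWriteACE.vbs link now points at a TechNet Gallery page that the commit message itself describes as marked for retirement, and the steps that follow use the downloaded script from an elevated prompt on DC01. A script run with that privilege on a domain controller should come from a location that stays available and that readers can verify as Microsoft's; suggest tracking a durable replacement before the gallery link goes dead.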
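
Review bot: In PATCH 9/9, the step 1 line rewritten in the @@ -53,27 +53,28 @@ hunk gains its full stop but keeps "right click **Windows PowerShell**", while the Group Policy steps in the same file use "right-click". Hyphenate it here and in the identical step 1 lines of the later hunks. The same hunk also swaps " - " for a dash in "sections—either section will export all settings"; a comma or a new sentence would read more cleanly.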
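
Review bot: In PATCH 9/9 (@@ -151,7 +153,7 @@), step 5 is edited to say "file name" but still reads "**Options::**" with a doubled colon. If the dialog label is "Options:", drop the second colon while this line is being touched.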