From 3824cdf52c6576ccddbcfa53bab5a9822605fd11 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Mon, 13 Apr 2020 18:30:19 +0300 Subject: [PATCH 01/10] Update configure-endpoints-vdi.md Providing clarification on servicing non-persistent Master images with Defender ATP. --- .../configure-endpoints-vdi.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 449dd5010c..a7f11fde8f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -95,6 +95,29 @@ The following steps will guide you through onboarding VDI machines and will high 8. Use the search function by entering the machine name and select **Machine** as search type. +# Updating non-persistent virtual desktop infrastructure (VDI) images +- As a best practice, we recommend using offline servicing tools to patch golden/master images.
+For example, you can use the below commands to install an update while the image remains offline:
+DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
+DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
+DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
+ +For more information on DISM commands and offline servicing, please refer to the articles below:
+https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism
+https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14
+https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image
+ +- If offline servicing is not an a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health:
+1. After booting the master image for online servicing or patching, run the offboarding script to turn off the defender ATP sensor.
+2. Ensure the sensor is off by running 'sc query sense'.
+3. Service the image as needed.
+4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumelated since boot:
+*PsExec.exe -s cmd.exe*
+*cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"*
+*del ``*.*`` /f /s /q*
+*exit*
+5. Re-seal the golden/master image as you normally would.
+ ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) - [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) From 66987cd3f34fa3dbb60246654b31619c14f0f60b Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Mon, 13 Apr 2020 18:33:48 +0300 Subject: [PATCH 02/10] Update configure-endpoints-vdi.md Changing commands to italic text --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index a7f11fde8f..3b13abc972 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -98,9 +98,9 @@ The following steps will guide you through onboarding VDI machines and will high # Updating non-persistent virtual desktop infrastructure (VDI) images - As a best practice, we recommend using offline servicing tools to patch golden/master images.
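Review bot: In patch 01/10, the step 4 cleanup is unsafe as written because `cd` and `del` are independent lines: if the `cd` to the Cyber folder fails on a given image, the following `del *.* /f /s /q` still runs, recursively and without prompting, in whatever directory the `PsExec.exe -s cmd.exe` SYSTEM shell started in. Give `del` the full path instead of relying on the working directory, e.g. `del /f /s /q "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber\*.*"`, or at least chain the two with `&&`. Step 2 should also say what to check for: `sc query sense` should report `STATE : 1 STOPPED` before servicing continues. Smaller points in the same hunk: the new heading uses `#` while the file uses `##` (see `## Related topics`); the DISM and PsExec commands belong in a fenced code block, and `*del ``*.*`` /f /s /q*` has stray backticks that will render literally; "not an a viable option" and "accumelated" are typos; the three docs.microsoft.com URLs should be Markdown links like the rest of the article.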
For example, you can use the below commands to install an update while the image remains offline:
-DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
-DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
-DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
+*DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"*
+*DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"*
+*DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit*
For more information on DISM commands and offline servicing, please refer to the articles below:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism
From 31ec79e9c9418982d5d0f3b946dd206935e26ca9 Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Mon, 13 Apr 2020 18:36:31 +0300 Subject: [PATCH 03/10] Update configure-endpoints-vdi.md Minor text changes --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 3b13abc972..2310049183 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -108,7 +108,9 @@ https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image
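Review bot: In patch 02/10, wrapping the DISM lines in `*...*` italics is fragile: the commands contain quotes, backslashes and `/` switches, and the same treatment applied to the PsExec lines produces `*del ``*.*`` /f /s /q*`, where the `*` characters of the wildcard collide with the italic markers. Put the three `DISM` lines in a fenced code block instead, which also keeps `"D:\Win10-1909.vhdx"` and `"C:\Temp\OfflineServicing"` copyable exactly as written.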
- If offline servicing is not an a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health:
-1. After booting the master image for online servicing or patching, run the offboarding script to turn off the defender ATP sensor.
+1. After booting the master image for online servicing or patching, run an offboarding script to turn off the defender ATP sensor.
+Refer to the article below for guidance on offboarding script:
+https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script#offboard-machines-using-a-local-script
2. Ensure the sensor is off by running 'sc query sense'.
3. Service the image as needed.
4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumelated since boot:
From 4de7b9e9349c552f1dbf810631c631849c64bd7b Mon Sep 17 00:00:00 2001 From: amirsc3 <42802974+amirsc3@users.noreply.github.com> Date: Mon, 13 Apr 2020 18:41:36 +0300 Subject: [PATCH 04/10] Update configure-endpoints-vdi.md fixed typo... should be "accumulated" instead of "accumelated" --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 2310049183..a8ea3f78e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -113,7 +113,7 @@ Refer to the article below for guidance on offboarding script:
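Review bot: In patch 03/10, the new offboarding reference is a bare absolute URL with `/en-us/` placed on two unnumbered lines inside the numbered list, which breaks the list rendering; this file links sibling topics relatively (for example `configure-endpoints-gp.md` under Related topics), so fold it into step 1 as `[Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script)`. Also "the defender ATP sensor" should read "the Microsoft Defender ATP sensor", and "guidance on offboarding script" reads better as "guidance on using an offboarding script".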
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script#offboard-machines-using-a-local-script
2. Ensure the sensor is off by running 'sc query sense'.
3. Service the image as needed.
-4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumelated since boot:
+4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
*PsExec.exe -s cmd.exe*
*cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"*
*del ``*.*`` /f /s /q*
From 03fe9e3e855fdf7d534a241d07653a19b421a937 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Apr 2020 10:24:22 -0700 Subject: [PATCH 05/10] Update windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index a8ea3f78e2..049359c4b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -102,10 +102,10 @@ For example, you can use the below commands to install an update while the image *DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"*
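Review bot: In patch 04/10, the typo fix is correct, but the same line still uses "cleanup" as a verb ("to clean up the Cyber folder contents"), and the context line just below, `*del ``*.*`` /f /s /q*`, still carries stray backticks that render literally; both are worth fixing while this step is being touched.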
*DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit*
-For more information on DISM commands and offline servicing, please refer to the articles below:
-https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism
-https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14
-https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image
+For more information on DISM commands and offline servicing, please refer to the articles below: +- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) +- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) +- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image) - If offline servicing is not an a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health:
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the defender ATP sensor.
@@ -127,4 +127,3 @@ https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-de - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) - From c0b24b332d9de75171c42411c3378bb34deeaba7 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Apr 2020 10:24:30 -0700 Subject: [PATCH 06/10] Update windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../configure-endpoints-vdi.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 049359c4b1..1a18153408 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -107,18 +107,18 @@ For more information on DISM commands and offline servicing, please refer to the - [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) - [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image) -- If offline servicing is not an a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health:
+- If offline servicing is not a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health: 1. After booting the master image for online servicing or patching, run an offboarding script to turn off the defender ATP sensor.
-Refer to the article below for guidance on offboarding script:
-https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script#offboard-machines-using-a-local-script
-2. Ensure the sensor is off by running 'sc query sense'.
-3. Service the image as needed.
+Refer to the article below for guidance on using an offboarding script:
+https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script#offboard-machines-using-a-local-script +2. Ensure the sensor is off by running 'sc query sense'. +3. Service the image as needed. 4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
*PsExec.exe -s cmd.exe*
*cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"*
*del ``*.*`` /f /s /q*
-*exit*
-5. Re-seal the golden/master image as you normally would.
+*exit* +5. Re-seal the golden/master image as you normally would. ## Related topics - [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) @@ -126,4 +126,3 @@ https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-de - [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) - From 228b47e6c7d252cf654bd64cdd8f6b9051a12ce4 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Apr 2020 10:30:09 -0700 Subject: [PATCH 07/10] Update configure-endpoints-vdi.md --- .../configure-endpoints-vdi.md | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 1a18153408..6f8288d1fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -108,16 +108,22 @@ For more information on DISM commands and offline servicing, please refer to the - [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image) - If offline servicing is not a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health: -1. After booting the master image for online servicing or patching, run an offboarding script to turn off the defender ATP sensor.
-Refer to the article below for guidance on using an offboarding script:
-https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script#offboard-machines-using-a-local-script + +1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](onfigure-endpoints-script.md#offboard-machines-using-a-local-script). + 2. Ensure the sensor is off by running 'sc query sense'. + 3. Service the image as needed. -4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
-*PsExec.exe -s cmd.exe*
-*cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"*
-*del ``*.*`` /f /s /q*
-*exit* + +4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot: + +``` +PsExec.exe -s cmd.exe +cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber" +del ``*.*`` /f /s /q +exit +``` + 5. Re-seal the golden/master image as you normally would. ## Related topics From 957dd0686cb2b0a95114c7f73feb07e0185ba9ff Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Apr 2020 10:30:51 -0700 Subject: [PATCH 08/10] Update configure-endpoints-vdi.md --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 6f8288d1fa..6735bd018b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -120,7 +120,7 @@ For more information on DISM commands and offline servicing, please refer to the ``` PsExec.exe -s cmd.exe cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber" -del ``*.*`` /f /s /q +del *.* /f /s /q exit ``` From ad0ff9739b45abee792295a7e77300b439480c75 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Apr 2020 10:57:30 -0700 Subject: [PATCH 09/10] Update configure-endpoints-vdi.md --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 6735bd018b..37dc800e2e 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -97,10 +97,13 @@ The following steps will guide you through onboarding VDI machines and will high # Updating non-persistent virtual desktop infrastructure (VDI) images - As a best practice, we recommend using offline servicing tools to patch golden/master images.
-For example, you can use the below commands to install an update while the image remains offline:
-*DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"*
-*DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"*
-*DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit*
+For example, you can use the below commands to install an update while the image remains offline: + +``` +DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing" +DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu" +DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit +``` For more information on DISM commands and offline servicing, please refer to the articles below: - [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) From f9de90c5815216da00cd5837ba233fd3498a2b62 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Thu, 16 Apr 2020 10:20:14 -0700 Subject: [PATCH 10/10] pencil edits --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index ee074d0b7c..121fd50e7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -96,8 +96,8 @@ The following steps will guide you through onboarding VDI machines and will high 8. Use the search function by entering the machine name and select **Machine** as search type. -# Updating non-persistent virtual desktop infrastructure (VDI) images -- As a best practice, we recommend using offline servicing tools to patch golden/master images.
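Review bot: In patch 09/10, moving the DISM commands into a fence is the right fix; two nits in the hunk: the fence has no language tag, and switch casing is inconsistent (`/Mount-image` next to `/Unmount-Image`, and `/Packagepath` where DISM's own pages spell it `/PackagePath`). DISM accepts either case, so this is cosmetic, but matching the documented spelling helps readers cross-reference the three linked DISM articles. A sentence after the block noting that `/Unmount-Image ... /commit` writes the change back into `D:\Win10-1909.vhdx` would also help readers who want to keep an unpatched copy of the master image.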
+## Updating non-persistent virtual desktop infrastructure (VDI) images +As a best practice, we recommend using offline servicing tools to patch golden/master images.
For example, you can use the below commands to install an update while the image remains offline: ``` @@ -113,7 +113,7 @@ For more information on DISM commands and offline servicing, please refer to the - If offline servicing is not a viable option for your non-persistent VDI environment, then the following steps should be taken to ensure consistency and sensor health: -1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](onfigure-endpoints-script.md#offboard-machines-using-a-local-script). +1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script). 2. Ensure the sensor is off by running 'sc query sense'.
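Review bot: In patch 10/10, the link correction and the heading change to `##` (matching `## Related topics`) are both right. Dropping the `- ` bullet from "As a best practice, ..." leaves the second hunk's context line "- If offline servicing is not a viable option for your non-persistent VDI environment, ..." as the only bulleted paragraph in the section, with the numbered steps nested beneath it; turn it into a plain paragraph as well so the two branches of the section are formatted the same way.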