From 84f185edd619282636ecaee93761d566c3629ac2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 4 Jan 2021 16:59:42 -0800 Subject: [PATCH 1/7] Added vertical space --- .../microsoft-defender-atp/basic-permissions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index 9cddee17c5..1c8fc2eacd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -63,10 +63,13 @@ Assigning read-only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` + - For **read-only** access, assign users to the security reader role by using the following command: + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` From b5a5fb637f136d31a5276e2db48a68958a5b6d8a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 4 Jan 2021 17:00:10 -0800 Subject: [PATCH 2/7] Labeled code blocks with valid content types --- .../microsoft-defender-atp/get-ip-statistics.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 8b78df80cd..c34fe0e526 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md 
@@ -51,7 +51,8 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request -``` + +```http GET /api/ips/{ip}/stats ``` @@ -75,7 +76,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats ``` @@ -84,7 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats Here is an example of the response. -``` +```http HTTP/1.1 200 OK Content-type: application/json { From 695fb9a00ff804726b428b58a636280353a0e394 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 4 Jan 2021 17:06:33 -0800 Subject: [PATCH 3/7] Corrected code block labels and second-level list formatting Valid types for code blocks are listed here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master --- .../microsoft-defender-atp/respond-file-alerts.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index ef8a82a89f..05fd5e59e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -94,6 +94,7 @@ This action takes effect on devices with Windows 10, version 1703 or later, wher ![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png) The Action center shows the submission information: + ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - **Submission time** - Shows when the action was submitted. 
@@ -118,13 +119,13 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the device: - a. Go to **Start** and type _cmd_. + 1. Go to **Start** and type _cmd_. - b. Right–click **Command prompt** and select **Run as administrator**. + 1. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ```Powershell + ```powershell “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` @@ -273,11 +274,14 @@ The details provided can help you investigate if there are indications of a pote If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). + 1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. + 1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. + 1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - ```Powershell + ```powershell Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD @@ -287,6 +291,7 @@ If you encounter a problem when trying to submit a file, try each of the followi ``` 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). + 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). ## Related topics 
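Review bot: The relabel from Powershell to powershell in the @@ -118 hunk does not match the command under it: step 1 opens an elevated cmd.exe, and `%ProgramFiles%` is cmd variable syntax that PowerShell does not expand, so either label the block `cmd` (or `console`) or rewrite it for PowerShell as `& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All`. While touching that line, replace the curly quotes around the path and the en dashes in `–Restore –Name –All` with straight quotes and ASCII hyphens; as written the command fails when copied from the rendered page. The same en dash appears in the context lines "command–line prompt" and "Right–click".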
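Review bot: The block relabelled powershell in the @@ -273 hunk is not PowerShell at all; it is a Path/Name/Type description of a registry value, so a `text` label fits, or turn it into a check the reader can actually run, for example `Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name AllowSampleCollection`, which returns the configured value or an error when the value is absent, i.e. the "not configured" case the preceding sentence says falls back to the default.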
From a66d47b32a6d637cdcea3a823c9da0577323836e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 5 Jan 2021 10:20:55 +0530 Subject: [PATCH 4/7] typo correction as per the user report #8904, so I corrected the word cashed to cached --- windows/security/threat-protection/auditing/event-4624.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index b310cd06ca..637a86a151 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -156,7 +156,7 @@ This event generates when a logon session is created (on destination machine). I | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | | `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | | `13` | `CachedUnlock` | Workstation logon. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. From d33137e0bf65103de2c2868e90baf82b0ca95ee0 Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Tue, 5 Jan 2021 07:58:24 -0800 Subject: [PATCH 5/7] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 652a24f8e4..adf3b8c44c 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -19,6 +19,9 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. > You must send all the settings together in a single SyncML to be effective. +> [!NOTE] Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. From 9d17692d214d9b40210111a0f9322dd3e8627b73 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 5 Jan 2021 08:03:33 -0800 Subject: [PATCH 6/7] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index adf3b8c44c..aafdb95416 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -19,7 +19,8 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. > You must send all the settings together in a single SyncML to be effective. -> [!NOTE] Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern > Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns From 67149abc4a71a56cb8ac5bb02a39291d9f31a654 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 5 Jan 2021 10:12:07 -0800 Subject: [PATCH 7/7] Update bitlocker-csp.md --- windows/client-management/mdm/bitlocker-csp.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index aafdb95416..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -19,10 +19,6 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. > You must send all the settings together in a single SyncML to be effective. -> [!NOTE] -> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern -> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. - A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin. 
@@ -304,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml
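Review bot: The fence label in the basic-permissions.md hunk of patch 1 stays as ```PowerShell while patch 3 of this same series lowercases it to ```powershell to match the valid content-type list cited in that commit; use `powershell` here as well so the series is consistent. Since both commands are Add-MsolRoleMember calls, the surrounding text should also say they need the MSOnline module and a prior Connect-MsolService, and that Security Administrator is a broad directory role, so the Security Reader command in the second bullet is the one to hand out by default unless write access is actually required.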
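Review bot: Labelling the example request as http in the @@ -75 hunk of get-ip-statistics.md is right, but the block then shows only the request line; the permission table in the first hunk's context (Ip.Read.All) means the call is rejected without a token, so add a placeholder header line such as `Authorization: Bearer {token}` under the GET line, which the http label now makes read naturally.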
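Review bot: In the bitlocker-csp.md hunk of patch 5, `[!NOTE]` shares a line with the note text; the DocFX alert syntax needs the marker on its own line, otherwise the block renders as a plain blockquote with the literal "[!NOTE]" text. Patch 6 of this series fixes exactly that, so the intermediate commit ships a broken render.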
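Review bot: Patches 5, 6 and 7 are three revisions of the same two-line note (added at the top of the page, marker moved to its own line, relocated to the startup-authentication section in the @@ -304 hunk); squash them into one commit before merge so the history does not carry the broken `[!NOTE]` marker or the old placement. The final position, directly under the existing note about the startup PIN and USB flash drive, is the right one, since that is the setting the HSTI/Modern Standby restriction qualifies.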