From 8fef1868fd38cfebf37bc06875553e64f9eea5a1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Mar 2020 10:20:30 -0700 Subject: [PATCH 01/20] Updated the example --- .../mdm/policy-csp-restrictedgroups.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index ceef7004b4..37921c714c 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -122,24 +122,26 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and -Here is an example: +Here's an example: ``` - - - - + + + - - + + + ``` +where: +- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. +- `` contains the members to add to the group in ``. If a Name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (Note: This doesn't query Azure AD). For best results, use SID for ``. Groups can be renamed and account name lookups are limited to AD/local machine, so SID is the best and most deterministic way to configure. +The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `Group1` and `Group2` are group locals on the device being configured. -> [!Note] -> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access -> * Include the entire UPN after AzureAD From b970f8dc2db128f7593a3ccf14774410ba1a8614 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Mar 2020 11:45:31 -0700 Subject: [PATCH 02/20] minor updates --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 37921c714c..45f5805676 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md 
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -138,7 +138,7 @@ Here's an example: ``` where: - `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. If a Name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (Note: This doesn't query Azure AD). For best results, use SID for ``. Groups can be renamed and account name lookups are limited to AD/local machine, so SID is the best and most deterministic way to configure. +- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - `Group1` and `Group2` are group locals on the device being configured. From 93aa06ca24f68fc7e558191c72f06e9a44f3da9a Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 19 Mar 2020 12:05:34 -0700 Subject: [PATCH 03/20] minor update --- .../client-management/mdm/policy-csp-restrictedgroups.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 45f5805676..aba7ce2672 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -137,9 +137,9 @@ Here's an example: ``` where: -- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. -- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. -The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. +- `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. +- `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. +The member SID can be a user account or a group in AD, Azure AD, or on the local machine. 
Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. - `Group1` and `Group2` are group locals on the device being configured. From 33aeb5c7cc5bc172e5a115967639bc0a4a0d4fe8 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 20 Mar 2020 13:18:03 -0700 Subject: [PATCH 04/20] Added review feedback --- .../mdm/policy-csp-restrictedgroups.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index aba7ce2672..bc428c7e27 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -74,10 +74,17 @@ manager: dansimp -This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. +This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. + +For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Administrators group. When this policy is refreshed, only Alice and John will remain as members of the Administrators group. > [!CAUTION] -> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. 
Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. +> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: + +> | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | +> |----------|----------|----------|----------|----------| +> |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| + Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. 
@@ -140,7 +147,7 @@ where: - `` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for ``. - `` contains the members to add to the group in ``. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for ``. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API. -- `Group1` and `Group2` are group locals on the device being configured. +- In this example, `Group1` and `Group2` are local groups on the device being configured. From ce9870d29438e1d007c049a46c4696baa0dfa1cf Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 23 Mar 2020 15:59:41 -0700 Subject: [PATCH 05/20] Updated example --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index bc428c7e27..b9d942f86e 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -76,7 +76,7 @@ manager: dansimp This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. -For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Administrators group. When this policy is refreshed, only Alice and John will remain as members of the Administrators group. +For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed. > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: From d4bcfdea0c85980db3d9d9ff8fa5ee953e00e72e Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 23 Mar 2020 17:04:42 -0700 Subject: [PATCH 06/20] minor change to trigger publishing --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index b9d942f86e..8109b11730 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -7,7 +7,8 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/12/2020 +ms.date: 03/23/2020 + ms.reviewer: manager: dansimp --- From f5a8683ab62dd60fa76cb28d03cc3f2ce1d49029 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Tue, 24 Mar 2020 10:59:23 -0700 Subject: [PATCH 07/20] Add known issue on CentOS 7.0 and 7.1 --- .../microsoft-defender-atp/microsoft-defender-atp-linux.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index a9f725d9fc..34bd1f07fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -53,6 +53,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Known issues - Logged on users do not appear in the ATP portal. +- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.19.8 can result in hanging of the operating system. - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: ```bash From 1ce7af4a6976e9e4d3224b09525e030c9ea6acd2 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 14:34:04 -0700 Subject: [PATCH 08/20] Incorporated PubOps feedback --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8109b11730..375410ceae 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -81,7 +81,6 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: - > | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From a15c4f78e87380fb023105d99e6fe614e448ff70 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 14:46:14 -0700 Subject: [PATCH 09/20] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 375410ceae..135ea0963e 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -81,6 +81,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: +> > | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From 9f0d66c64bc5e5b9f9c112607f8476c8e7ce4e36 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 14:55:37 -0700 Subject: [PATCH 10/20] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 135ea0963e..77dbb8f681 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -80,8 +80,7 @@ This security setting allows an administrator to define the members that are par For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed. > [!CAUTION] -> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: -> +> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: > | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From b1148fab9b9994ac373b9f8b1e91e9cb67f90ab0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:00:42 -0700 Subject: [PATCH 11/20] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 77dbb8f681..0c768e2b75 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -81,9 +81,9 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: -> | Error Code in Hex | Error Code in Dec| Symbolic Name | Error Description | Header | +> | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| -> |0x55b|1371|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| +> |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From e646fc36c5a824b6fab56e29e7d1565062f5e3a0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:10:28 -0700 Subject: [PATCH 12/20] minor update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 0c768e2b75..43888ae836 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 03/23/2020 +ms.date: 03/24/2020 ms.reviewer: manager: dansimp From 8ff1fc92f66a9faa18138c75c6e728076ffc01f8 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:19:42 -0700 Subject: [PATCH 13/20] Formatting --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 43888ae836..3f27668d11 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -81,6 +81,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: +> > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------|----------| > |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| From 94a788e1e77248ccf7ec7e0fdf29fba268dedfa4 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:27:03 -0700 Subject: [PATCH 14/20] update to trigger build --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 3f27668d11..dc3e4f0f4e 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -86,7 +86,6 @@ For example, you can create a Restricted Groups policy to allow only specified u > |----------|----------|----------|----------|----------| > |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| - Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. ```xml From d075491f7c1ce3f6d8961e3aea28d3e1fa2c7059 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:36:34 -0700 Subject: [PATCH 15/20] Table format update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index dc3e4f0f4e..69c1cffc16 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -83,7 +83,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: > > | Error Code | Symbolic Name | Error Description | Header | -> |----------|----------|----------|----------|----------| +> |----------|----------|----------|----------| > |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From a22b2731f67ff827a36eda67a8efaa3a979ea78b Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Tue, 24 Mar 2020 15:37:00 -0700 Subject: [PATCH 16/20] Fixes --- .../microsoft-defender-atp-linux.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 34bd1f07fc..38477041ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -38,10 +38,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend > [!CAUTION] > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors. - - - - ## How to install Microsoft Defender ATP for Linux ### Prerequisites 
@@ -53,7 +49,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Known issues - Logged on users do not appear in the ATP portal. -- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.19.8 can result in hanging of the operating system. +- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer. - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: ```bash @@ -78,12 +74,12 @@ In general you need to take the following steps: - Supported Linux server distributions and versions: - - Red Hat Enterprise Linux 7 or higher - - CentOS 7 or higher + - Red Hat Enterprise Linux 7.2 or higher + - CentOS 7.2 or higher - Ubuntu 16.04 LTS or higher LTS - Debian 9 or higher - SUSE Linux Enterprise Server 12 or higher - - Oracle Linux 7 + - Oracle Linux 7.2 or higher - Minimum kernel version 2.6.38 - The `fanotify` kernel option must be enabled From 76f2391de5d1a01ef147785e178fd4318124b6f1 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 24 Mar 2020 15:41:46 -0700 Subject: [PATCH 17/20] Minor update --- windows/client-management/mdm/policy-csp-restrictedgroups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 69c1cffc16..959f35a071 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -84,7 +84,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > > | Error Code | Symbolic Name | Error Description | Header | > |----------|----------|----------|----------| -> |0x55b (Hex)
1371 (Dec)|ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.|winerror.h| +> | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. From eb07a9b365438dd7d3f50fcc99f5249db6d9af23 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Mar 2020 16:06:49 -0700 Subject: [PATCH 18/20] Removed "/en-us" in a Microsoft URL --- .../windows-autopilot/windows-autopilot-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index afedf2b235..ec42f18fb9 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -81,7 +81,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
AMD- https://ftpm.amd.com/pki/aia From 07556f20b3b5e8c00aa3d5f4d45e117da8a4ea1c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Mar 2020 16:08:30 -0700 Subject: [PATCH 19/20] Capitalized "directory" in "Azure Active directory" --- windows/deployment/windows-autopilot/white-glove.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index bbffd240e3..88eb4f33e3 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -30,7 +30,7 @@ With **Windows Autopilot for white glove deployment**, the provisioning process ![OEM](images/wg02.png) -Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active directory join scenarios. +Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active Directory join scenarios. ## Prerequisites From f76b1d94326b522ab7a4ad29bc7c9817e751b70e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 24 Mar 2020 16:10:02 -0700 Subject: [PATCH 20/20] Capitalized "semi-annual channel" --- .../windows-autopilot/windows-autopilot-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index ec42f18fb9..e1b8727f43 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -27,7 +27,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur ## Software requirements -- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported. +- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 Semi-Annual Channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported. - The following editions are supported: - Windows 10 Pro - Windows 10 Pro Education
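Review bot: In PATCH 01/20, the two bullets added under `where:` appear to have the lookup APIs swapped. The first bullet says that when an SID is specified the policy uses LookupAccountName to get the local group name, and the second says that when a name is specified it uses LookupAccountSID to get the SID. LookupAccountName resolves a name to a SID and LookupAccountSid resolves a SID to a name, so the link text and URLs should be exchanged between the two bullets, and the second function is spelled LookupAccountSid. The wording is carried unchanged through 02/20, 03/20 and the second hunk of 04/20. The same hunk also deletes the `[!Note]` about including the local administrator and the entire UPN after AzureAD without replacement text; if the UPN guidance still applies, keep it.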
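Review bot: In PATCH 02/20, the rewritten sentence "As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure" pairs "As" with "hence", which is redundant. The removed wording ("Groups can be renamed ..., so SID is ...") read correctly; keep a single connective. The period after the bolded note also sits outside the parenthesis in "(**Note:** This doesn't query Azure AD)."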
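Review bot: In PATCH 04/20, hunk @@ -74,10 +74,17, the new first paragraph says the built-in administrator is never removed from the built-in Administrators group, but the example paragraph added right below it still states that "only Alice and John will remain as members of the Administrators group". Either use a group the exception does not apply to or mention the exception in the example; PATCH 05/20 does the former and could be squashed into this one. In the same paragraph "SIDS" should be "SIDs", and the blank added line between the CAUTION sentence and the table has no `>` prefix, which ends the blockquote before the table starts.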
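Review bot: In PATCH 06/20, the empty line added after `ms.date: 03/23/2020` sits inside the metadata block, between `ms.date` and `ms.reviewer`. If the only goal is to trigger publishing, the date change is already a content change; drop the blank line so the metadata keys stay contiguous.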
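Review bot: In PATCH 07/20, the threshold in the new known issue ("kernel versions lower than 3.19.8") is replaced by "3.10.0-327" in PATCH 16/20. Because the first value is superseded within the same series, squash the two patches so no intermediate revision publishes it, and say in the commit message where the threshold comes from.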
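Review bot: In PATCH 11/20, the header row is reduced to four columns (Error Code, Symbolic Name, Error Description, Header) but the separator row under it is left with five `|----------|` cells, so header and separator no longer match until PATCH 15/20 corrects it. The bare `>` line that 09/20 added above the table is also absent at this point (removed in 10/20, re-added in 13/20). Patches 08/20 through 15/20 and 17/20 all adjust this one caution table and would be easier to review as a single commit.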
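Review bot: In PATCH 16/20, hunk @@ -78,12 +74,12, the supported versions are raised to 7.2 or higher for Red Hat Enterprise Linux, CentOS and Oracle Linux, yet the unchanged line "Minimum kernel version 2.6.38" stays directly below, and the known issue edited in hunk @@ -53,7 +49,7 still describes running on 7.0 or 7.1. State whether 7.0 and 7.1 are now unsupported, in which case the known issue should say so rather than only recommend an upgrade, and clarify how the 2.6.38 minimum relates to the 3.10.0-327 threshold.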
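Review bot: In PATCH 19/20, the corrected phrase reads "Hybrid Azure Active Directory join scenarios" while the same sentence has "Azure Active Directory Join" with a capital J. Use one casing for "join" in both places while this line is being touched.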
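Review bot: In PATCH 20/20, "Semi-Annual Channel" is now capitalized, but the next sentence of the same bullet still has "long-term servicing channel (LTSC)" in lower case. If channel names are treated as proper nouns here, capitalize that one as well so the two sentences agree.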