From 16519e54bdf06756f3dde67f6affbf672808a447 Mon Sep 17 00:00:00 2001 From: Padma Jayaraman Date: Tue, 10 Dec 2024 20:41:33 +0530 Subject: [PATCH] Corrected some typos --- ATPDocs/deploy/remote-calls-sam.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ATPDocs/deploy/remote-calls-sam.md b/ATPDocs/deploy/remote-calls-sam.md index e6b07da590..ca014aca1a 100644 --- a/ATPDocs/deploy/remote-calls-sam.md +++ b/ATPDocs/deploy/remote-calls-sam.md @@ -27,7 +27,7 @@ This article describes the configuration changes required to allow the Defender To ensure that Windows clients and servers allow your Defender for Identity Directory Services Account (DSA) to perform SAM-R queries, you must modify the **Group Policy** and add the DSA, in **addition to the configured accounts** listed in the **Network access** policy. Make sure to apply group policies to all computers **except domain controllers**. > [!IMPORTANT] -> Perform this procedure in [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, verifying the compatibility of the proposed configuration before making the changes to your production environment. +> Perform this procedure in the [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, by verifying the compatibility of the proposed configuration before making the changes to your production environment. > > Testing in audit mode is critical in ensuring that your environment remains secure, and any changes will not impact your application compatibility. You may observe increased SAM-R traffic, generated by the Defender for Identity sensors. 
> @@ -38,9 +38,9 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire :::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png"::: -1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode +1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode. -For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls). + For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls). ## Make sure the DSA is allowed to access computers from the network (optional) 
@@ -55,16 +55,16 @@ For more information, see [Network access: Restrict clients allowed to make remo 1. Add the Defender for Identity Directory Service account to the list of approved accounts. -> [!IMPORTANT] -> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone -> -> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed. + > [!IMPORTANT] + > When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone. + > + > The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. 
Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed. ## Configure a Device profile for Microsoft Entra hybrid joined devices only This procedure describes how to use the [Microsoft Intune admin center](https://intune.microsoft.com/) to configure the policies in a Device profile if you're working with Microsoft Entra hybrid joined devices. -1. In the Microsoft Intune admin center, create a new Device profile, defining the following values: +1. In the Microsoft Intune admin center, create a new Device profile, define the following values: - **Platform**: Windows 10 or later - **Profile type**: Settings catalog @@ -93,7 +93,7 @@ This procedure describes how to use the [Microsoft Intune admin center](https:// 1. Continue the wizard to select the **scope tags** and **assignments**, and select **Create** to create your profile. -For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). + For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles). ## Next step
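Review bot: In the `@@ -27,7 +27,7 @@` hunk, the rewritten alert sentence changes the meaning instead of fixing a typo: "in the audit mode first, by verifying the compatibility" makes verification read as the means of performing the procedure, where the removed line read as the reason for starting in audit mode. Suggest dropping the added article and stating the purpose directly, for example "Perform this procedure in audit mode first to verify the compatibility of the proposed configuration before making the changes to your production environment." Readers act on this sentence before restricting remote SAM calls in production, so it should not be open to two readings.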
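Review bot: The four-space indent added to the "For more information, see ..." line in the `@@ -38,9 +38,9 @@` hunk, and again in the `@@ -93,7 +93,7 @@` hunk, nests a section-level pointer under the final numbered step when rendered. Both links cover the whole policy or procedure, not that one step, so consider leaving them at column zero; if the nesting is intended, the subject "Corrected some typos" should mention the layout change. The period added after "audit mode" is fine.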
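Review bot: In the `@@ -55,16 +55,16 @@` hunk, changing "defining" to "define" in step 1 of the Intune procedure introduces a comma splice: "create a new Device profile, define the following values:". Suggest reverting to "defining the following values" or writing "create a new Device profile and define the following values". The period added after "Everyone" is a correct fix. The `[!IMPORTANT]` alert is now indented under the "Add the Defender for Identity Directory Service account" step, so confirm in a preview build that it still renders as a callout, since it carries the warning that a user rights assignment set by GPO replaces the existing list.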