ATPDocs/deploy/remote-calls-sam.md
+9 -9 (9 additions & 9 deletions)
@@ -27,7 +27,7 @@ This article describes the configuration changes required to allow the Defender
27
27
To ensure that Windows clients and servers allow your Defender for Identity Directory Services Account (DSA) to perform SAM-R queries, you must modify the **Group Policy** and add the DSA, in **addition to the configured accounts** listed in the **Network access** policy. Make sure to apply group policies to all computers **except domain controllers**.
28
28
29
29
> [!IMPORTANT]
30
-
> Perform this procedure in [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, verifying the compatibility of the proposed configuration before making the changes to your production environment.
30
+
> Perform this procedure in the [*audit mode*](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls#audit-only-mode) first, by verifying the compatibility of the proposed configuration before making the changes to your production environment.
31
31
>
32
32
> Testing in audit mode is critical in ensuring that your environment remains secure, and any changes will not impact your application compatibility. You may observe increased SAM-R traffic, generated by the Defender for Identity sensors.
33
33
>
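Review bot: The reworded sentence at line 30 reads worse than the original and shifts its meaning: "in the audit mode first, by verifying the compatibility" makes verification the means of running the procedure instead of the reason for running it in audit mode. Keep "in audit mode" without the article, as the next paragraph does with "Testing in audit mode", and state the purpose directly, for example "Perform this procedure in audit mode first, and verify the compatibility of the proposed configuration before making the changes to your production environment."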
@@ -38,9 +38,9 @@ To ensure that Windows clients and servers allow your Defender for Identity Dire
38
38
39
39
:::image type="content" source="../media/samr-policy-location.png" alt-text="Screenshot of the Network access policy selected." lightbox="../media/samr-policy-location.png":::
40
40
41
-
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode
41
+
1. Add the DSA to the list of approved accounts able to perform this action, together with any other account that you've discovered during audit mode.
42
42
43
-
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
43
+
For more information, see [Network access: Restrict clients allowed to make remote calls to SAM](/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls).
44
44
45
45
## Make sure the DSA is allowed to access computers from the network (optional)
46
46
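Review bot: Step 1 at line 41 tells the reader to add "any other account that you've discovered during audit mode" but gives no pointer to where those accounts are found. Since this line is being touched anyway, consider linking "audit mode" here to the same audit-only mode reference used in the [!IMPORTANT] note above, so a reader who lands on the step directly does not approve only the DSA and lock out accounts that still need SAM-R access. The period added at the end of the step is fine.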
@@ -55,16 +55,16 @@ For more information, see [Network access: Restrict clients allowed to make remo
55
55
56
56
1. Add the Defender for Identity Directory Service account to the list of approved accounts.
57
57
58
-
> [!IMPORTANT]
59
-
> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone
60
-
>
61
-
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
58
+
> [!IMPORTANT]
59
+
> When configuring user rights assignments in group policies, it's important to note that the setting *replaces* the previous one rather than adding to it. Therefore, make sure to include *all* the desired accounts in the effective group policy. By default, workstations and servers include the following accounts: Administrators, Backup Operators, Users, and Everyone.
60
+
>
61
+
> The [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) recommends replacing the default *Everyone* with *Authenticated Users* to prevent anonymous connections from performing network sign-ins. Review your local policy settings before managing the [Access this computer from the network](/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network) setting from a GPO, and consider including *Authenticated Users* in the GPO if needed.
62
62
63
63
## Configure a Device profile for Microsoft Entra hybrid joined devices only
64
64
65
65
This procedure describes how to use the [Microsoft Intune admin center](https://intune.microsoft.com/) to configure the policies in a Device profile if you're working with Microsoft Entra hybrid joined devices.
66
66
67
-
1. In the Microsoft Intune admin center, create a new Device profile, defining the following values:
67
+
1. In the Microsoft Intune admin center, create a new Device profile, define the following values:
68
68
69
69
-**Platform**: Windows 10 or later
70
70
-**Profile type**: Settings catalog
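Review bot: The change at line 67 from "defining" to "define" leaves a comma splice: "create a new Device profile, define the following values:". Either restore "defining the following values" or write "create a new Device profile and define the following values". In the same hunk, the [!IMPORTANT] block at lines 58-61 differs in its visible text only by the final period after "Everyone", so if the rest is an indentation change, check that the note still renders under the step that adds the Directory Service account, because it carries the warning that the user rights setting replaces the existing list.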
@@ -93,7 +93,7 @@ This procedure describes how to use the [Microsoft Intune admin center](https://
93
93
94
94
1. Continue the wizard to select the **scope tags** and **assignments**, and select **Create** to create your profile.
95
95
96
-
For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
96
+
For more information, see [Apply features and settings on your devices using device profiles in Microsoft Intune](/mem/intune/configuration/device-profiles).
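Review bot: The removed and added lines at line 96 read identically, so this is a whitespace-only change, and the same applies to the "For more information" line at 43 in the earlier hunk. Say so in the commit description, and confirm the intended result in the rendered page: whether the sentence is meant to sit inside the last numbered step or to stand as a closing paragraph for the section.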