diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index ad38fb9081..aac758fa29 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -21,7 +21,7 @@ Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface > [!IMPORTANT] >Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version. -## Monitor the Surface Dock Firmare Update +## Monitor the Surface Dock Firmware Update This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index a7c0f2f152..3afcb4da3f 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -65,7 +65,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu ## Supported configurations -In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using: +In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using: - Password - Smartcards 
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index 9a229185cc..86f5ade189 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.date: 03/11/2019 ms.topic: article @@ -34,8 +35,9 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for - [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied - [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) - [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) +- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP -### Install SQL Server 2017 Express +### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer 1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package. 2. Select **Basic**. 
@@ -46,20 +48,23 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for ### Install VAMT using the ADK -1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package. +1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package. +Reminder: There won't be new ADK release for 1909. 2. Enter an install location or use the default path, and then select **Next**. 3. Select a privacy setting, and then select **Next**. 4. Accept the license terms. 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.) 6. On the completion page, select **Close**. -### Configure VAMT to connect to SQL Server 2017 Express +### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server 1. Open **Volume Active Management Tool 3.1** from the Start menu. -2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example. +2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL. ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png) +for remote SQL Server use +servername.yourdomain.com diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 33ef3a0add..2c744d7f98 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md 
@@ -73,7 +73,7 @@ The Administrator account has full control of the files, directories, services, The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. -In Windows 10 and Windows Server 20016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index aaf98a84f7..8879dec483 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md 
@@ -73,8 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop ->[!NOTE] ->Microsoft Visio and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. +> [!NOTE] +> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. ## List of WIP-work only apps from Microsoft Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index ff92a6c111..8b5a188647 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -138,5 +138,7 @@ This table provides info about the most common problems you might encounter whil > When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. > [!NOTE] -> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**. +> [!NOTE] +> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 3344f60ecf..a3b27f24c3 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -26,15 +26,12 @@ This can cause devices or software to malfunction and in rare cases may result i If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] ->HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. - ->[!TIP] -> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book +>Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. ## HVCI Features -* HVCI protects modification of the Code Flow Guard (CFG) bitmap. -* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate. +* HVCI protects modification of the Control Flow Guard (CFG) bitmap. +* HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. ## How to turn on HVCI in Windows 10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 3c6f9f6bc7..64488a550e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md 
@@ -29,7 +29,9 @@ Network protection helps reduce the attack surface of your devices from Internet Network protection expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -Network protection is supported beginning with Windows 10, version 1709. +Network protection is supported beginning with Windows 10, version 1709. + +For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index c9c8515fe5..a20693d19b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md 
@@ -32,6 +32,9 @@ If smart cards are used for authentication, the device should automatically lock If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. +> [!NOTE] +> This policy depends on **Smart Card Removal Policy** service. The service must be running for the policy to take effect, so it is recommended to set the startup type of the service to **Automatic**. + ### Possible values - No Action diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index c5ea9149b8..af838d196f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -50,7 +50,7 @@ Block at first sight requires a number of settings to be configured correctly or ### Confirm block at first sight is enabled with Intune -1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. +1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**. > [!NOTE] > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. 
@@ -119,19 +119,19 @@ If you had to change any of the settings, you should re-deploy the Group Policy ### Confirm block at first sight is enabled with the Windows Security app -You can confirm that block at first sight is enabled in Windows Settings. +You can confirm that block at first sight is enabled in your Windows security settings. -Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. +Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on. ### Confirm Block at First Sight is enabled on individual clients -1. Open the Windows Security app by clicking the shield icon in the task bar. +1. Open the Windows Security app. -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**: +2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**. ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) -3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. +3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE] > If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index fa061b9284..59f19f11c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 02/13/2020 ms.reviewer: manager: dansimp --- @@ -47,7 +47,7 @@ To configure these settings: 5. Deploy the Group Policy Object as usual. -Location | Setting | Configuration topic +Location | Setting | Article ---|---|---|--- MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) 
@@ -67,13 +67,13 @@ Scan | Configure local setting override for the scan type to use for a scheduled ## Configure how locally and globally defined threat remediation and exclusions lists are merged -You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). +You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md), [specified remediation lists](configure-remediation-windows-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction). By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used. -**Use Group Policy to disable local list merging:** +### Use Group Policy to disable local list merging 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index ba4929c2f6..b3b52de9b2 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -46,7 +46,7 @@ Windows 10 includes two technologies that can be used for application control de Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). > [!NOTE] -> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. +> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: - Attributes of the codesigning certificate(s) used to sign an app and its binaries; 
@@ -58,9 +58,8 @@ WDAC policies apply to the managed computer as a whole and affects all users of ### WDAC System Requirements -WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above. +WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. +WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a scripthost like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. ## AppLocker
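Review bot: In surface-dock-firmware-update.md, correcting the heading to `## Monitor the Surface Dock Firmware Update` also changes its auto-generated anchor from `#monitor-the-surface-dock-firmare-update` to `#monitor-the-surface-dock-firmware-update`, so any in-page or cross-article link that used the misspelled anchor needs the same fix or it will break silently. The hunk shows `[Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update)` already using the correct spelling, so only links to the Monitor heading are affected.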
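Review bot: In connect-to-remote-aadj-pc.md, the new wording `Hybrid-joined PC` introduces a capitalized ad-hoc term while the same sentence writes `Azure AD-joined PC`; spell it out as `hybrid Azure AD-joined PC` for consistency. Since the substantive change here is that a PC joined only to on-premises Active Directory is no longer listed as a supported source, it would help readers if the sentence said so explicitly rather than leaving them to diff the two versions.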
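Review bot: In install-vamt.md (the `@@ -34,8 +35,9 @@` hunk), the new heading `### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer` is too long for a heading, mixes capitalization (`Full SQL`), and changes the heading's anchor; keep the original heading and add one sentence under it, for example `If you already have a full SQL Server instance (SQL Server 2014 or later, with current cumulative updates and service packs), you can use it instead and skip the steps below.` The new bullet `- alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP` needs the same treatment: spell out `CU / SP` and phrase it as a requirement rather than a fragment. The numbered steps that follow (download SQL Server 2017 Express, select **Basic**) do not apply to an existing instance, which the text should state.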
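Review bot: In install-vamt.md (the `@@ -46,20 +48,23 @@` hunk), the added line `Reminder: There won't be new ADK release for 1909.` sits between items 1 and 2 of a numbered list without indentation, which breaks the list numbering in Markdown; indent it under item 1 (or move it into a `> [!NOTE]` after the list) and fix the grammar to `There won't be a new ADK release for Windows 10, version 1909.` The ADK link is updated to version 1903 here, but the prerequisites list in the previous hunk still reads `[Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036)`, so the two hunks now contradict each other. The two bare lines after the image, `for remote SQL Server use` / `servername.yourdomain.com`, duplicate the parenthetical already added to step 2 and will render as a stray paragraph; fold them into step 2 as `(for a remote SQL Server instance, enter its FQDN, for example servername.yourdomain.com)` and drop the trailing lines. While this hunk is open, `**Volume Active Management Tool 3.1**` in step 1 looks like a typo for `Volume Activation Management Tool`.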
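Review bot: In local-accounts.md, the corrected line still reads `Members of the Administrators groups can run apps`; since the line is being rewritten anyway, change `groups` to `group`.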
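Review bot: In enlightened-microsoft-apps-and-wip.md, the rewritten note keeps two typos carried over from the old line, `enlightended` and `functioining`; fix them to `enlightened` and `functioning` in the same edit. `Microsoft Office Access` is also normally written `Microsoft Access` in these articles, matching `Microsoft Visio` and `Microsoft Project` in the same sentence.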
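Review bot: In limitations-with-wip.md (the `@@ -115,7 +115,7 @@` hunk), the added sentence `You can configure this parameter, as described here.` has no link target behind `here`, so it points the reader nowhere; either link to the article that documents the MakeFolderAvailableOfflineDisabled setting or drop the sentence.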
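Review bot: In limitations-with-wip.md (the `@@ -138,5 +138,7 @@` hunk), the new `> [!NOTE]` about Chromium-based Edge is placed directly above the existing `> [!NOTE]` with no blank line between them, so Markdown will merge both into one blockquote and the second `[!NOTE]` marker will show as literal text; add a blank line between the two notes. Reword `versions since 79` as `version 79 and later`, and make clear that `edge://flags/#edge-dataprotection` is a per-user experimental toggle, not a managed policy setting, so administrators should not treat it as an enforced data-protection control until WIP support for Edge ships in a manageable setting.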
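Review bot: In enable-virtualization-based-protection-of-code-integrity.md, the replacement note drops the Windows Internals citation that backed the Restricted User Mode statement; keep the reference in the new sentence, since it is the only source on the page for the MBEC/RUM claim. `Mode Based Execution Control` is introduced without its abbreviation but the next sentence uses `MBEC`, so expand it once as `Mode Based Execution Control (MBEC)`. In the HVCI Features list, the touched line still reads `HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate.`: `ensure` should be `ensures` and `Truslets` is a typo for `Trustlets`.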
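Review bot: In network-protection.md, the first changed line `Network protection is supported beginning with Windows 10, version 1709.` shows no visible difference between the `-` and `+` versions, so this is almost certainly a trailing-whitespace change; drop it to keep the diff to the intended addition. In the added sentence, spell out `MDM CSPs` on first use as `MDM configuration service providers (CSPs)`.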
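Review bot: In interactive-logon-smart-card-removal-behavior.md, the new note reads `This policy depends on **Smart Card Removal Policy** service` and needs the article: `depends on the **Smart Card Removal Policy** service`. Giving the service's short name (SCPolicySvc, the Windows service name behind that display name) would let readers check it with `Get-Service`, and the note should state the service's default startup type so an administrator knows whether changing it to **Automatic** is actually required. The security point is worth making explicit: if the service is not running, the removal policy silently does nothing and the workstation stays unlocked after the card is pulled.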
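Review bot: In configure-block-at-first-sight-windows-defender-antivirus.md (the `@@ -119,19 +119,19 @@` hunk), the first line is changed from `Windows Settings` to `your Windows security settings`, but the unchanged note at the end of the hunk still says `before the setting will be updated in Windows Settings`; update it to match. Renaming `Cloud-based protection` to `Cloud-delivered protection` matches the current UI label, so the screenshot `images/defender/wdav-protection-settings-wdsc.png` should be checked to confirm it shows the same label.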
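Review bot: In configure-local-policy-overrides-windows-defender-antivirus.md (the `@@ -47,7 +47,7 @@` hunk), the header row is changed to three columns (`Location | Setting | Article`) but the separator row below it, `---|---|---|---`, still declares four columns; shorten it to `---|---|---` so the table renders correctly.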
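Review bot: In the list-merging hunk of configure-local-policy-overrides-windows-defender-antivirus.md, the new attack surface reduction link uses an absolute `https://docs.microsoft.com/...` URL while the two neighbouring links are relative (`configure-exclusions-windows-defender-antivirus.md`); use a relative path for consistency with the repo. The sentence should also say which attack surface reduction lists the merge setting governs (rule exclusions, the rule configuration itself, or both), since `attack surface reduction` on its own does not tell an administrator which locally defined items the GPO will override.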
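Review bot: In windows-defender-application-control.md (the System Requirements hunk), `Windows 10 build 1903+` confuses build and version numbering (1903 is a version name, not a build number); write `Windows 10, version 1903 or later, on any SKU`. `scripthost` should be `script host`. The rewritten paragraph now packs two different edition rules (where policies can be created versus how they can be deployed) into one long sentence; a short list of create / apply via MDM, Configuration Manager or PowerShell / deploy via Group Policy would make the Enterprise-only Group Policy limitation stand out instead of being buried at the end.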