From df3287c25480e2724463619a06f7f8007d8d12eb Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 14:57:38 +0530 Subject: [PATCH 01/32] Updated1to20 --- ...duction-devices-to-the-membership-group-for-a-zone.md | 7 ++++--- ...dd-test-devices-to-the-membership-group-for-a-zone.md | 7 ++++--- ...gpo-template-files-for-settings-used-in-this-guide.md | 7 ++++--- .../assign-security-group-filters-to-the-gpo.md | 7 ++++--- .../windows-firewall/basic-firewall-policy-design.md | 9 +++++---- .../windows-firewall/best-practices-configuring.md | 5 +++-- .../windows-firewall/boundary-zone-gpos.md | 7 ++++--- .../threat-protection/windows-firewall/boundary-zone.md | 7 ++++--- .../certificate-based-isolation-policy-design-example.md | 7 ++++--- .../certificate-based-isolation-policy-design.md | 7 ++++--- .../change-rules-from-request-to-require-mode.md | 7 ++++--- .../checklist-configuring-basic-firewall-settings.md | 7 ++++--- ...list-configuring-rules-for-an-isolated-server-zone.md | 7 ++++--- ...s-for-servers-in-a-standalone-isolated-server-zone.md | 7 ++++--- .../checklist-configuring-rules-for-the-boundary-zone.md | 7 ++++--- ...hecklist-configuring-rules-for-the-encryption-zone.md | 7 ++++--- ...hecklist-configuring-rules-for-the-isolated-domain.md | 7 ++++--- .../checklist-creating-group-policy-objects.md | 9 +++++---- .../checklist-creating-inbound-firewall-rules.md | 7 ++++--- .../checklist-creating-outbound-firewall-rules.md | 7 ++++--- 20 files changed, 81 insertions(+), 61 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md index 9995f497a4..22c00f87cc 100644 --- a/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md @@ -1,5 +1,5 @@ --- -title: Add Production Devices to the Membership Group for a Zone (Windows 10) +title: Add Production Devices to the Membership Group for a Zone (Windows) description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group. ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices. diff --git a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md index 30d809e60c..14eaf54184 100644 --- a/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md +++ b/windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md @@ -1,5 +1,5 @@ --- -title: Add Test Devices to the Membership Group for a Zone (Windows 10) +title: Add Test Devices to the Membership Group for a Zone (Windows) description: Learn how to add devices to the group for a zone to test whether your Windows Defender Firewall with Advanced Security implementation works as expected. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device. diff --git a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md index 0345da06fe..7a8c114351 100644 --- a/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md @@ -1,5 +1,5 @@ --- -title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10) +title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows) description: Use sample template files import an XML file containing customized registry preferences into a Group Policy Object (GPO). ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md index 08a9798526..2fe271c315 100644 --- a/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md @@ -1,5 +1,5 @@ --- -title: Assign Security Group Filters to the GPO (Windows 10) +title: Assign Security Group Filters to the GPO (Windows) description: Learn how to use Group Policy Management MMC to assign security group filters to a GPO to make sure that the GPO is applied to the correct computers. ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2019 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 76378c3a0f..0eda99ff36 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design (Windows 10) +title: Basic Firewall Policy Design (Windows) description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: @@ -20,8 +20,9 @@ ms.technology: mde # Basic Firewall Policy Design **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization. @@ -37,7 +38,7 @@ Many network administrators do not want to tackle the difficult task of determin For example, when you install a server role, the appropriate firewall rules are created and enabled automatically. -- For other standard network behavior, the predefined rules that are built into Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. +- For other standard network behavior, the predefined rules that are built into Windows 11, Windows 10, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7 can easily be configured in a GPO and deployed to the devices in your organization. For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols. diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 5819f886fd..fde3e3850b 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -20,9 +20,10 @@ ms.technology: mde **Applies to** -- Windows operating systems including Windows 10 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above -- Windows Server Operating Systems Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md index 50e2f66e16..d17a0d6cac 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md @@ -1,5 +1,5 @@ --- -title: Boundary Zone GPOs (Windows 10) +title: Boundary Zone GPOs (Windows) description: Learn about GPOs to create that must align with the group you create for the boundary zone in Windows Defender Firewall with Advanced Security. ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 37d7edb647..95c9a26f95 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -1,5 +1,5 @@ --- -title: Boundary Zone (Windows 10) +title: Boundary Zone (Windows) description: Learn how a boundary zone supports devices that must receive traffic from beyond an isolated domain in Windows Defender Firewall with Advanced Security. ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md index 1b369d6c5e..be336a726b 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Certificate-based Isolation Policy Design Example (Windows 10) +title: Certificate-based Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate certificate-based isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 7c427d50e7..a59ba99025 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Certificate-based Isolation Policy Design (Windows 10) +title: Certificate-based Isolation Policy Design (Windows) description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic. diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index cbea6cabc0..eb09b78b9f 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -1,5 +1,5 @@ --- -title: Change Rules from Request to Require Mode (Windows 10) +title: Change Rules from Request to Require Mode (Windows) description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index a3164b6f45..ec2429b56d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Basic Firewall Settings (Windows 10) +title: Checklist Configuring Basic Firewall Settings (Windows) description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md index 2ecb358ade..5e8cd7d149 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10) +title: Checklist Configuring Rules for an Isolated Server Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in GPOs for servers in an isolated server zone that are part of an isolated domain. ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index c07a12c977..c464183424 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10) +title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows) description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index e10ef7fc18..2a908f4267 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Boundary Zone (Windows 10) +title: Checklist Configuring Rules for the Boundary Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index 180c4f2168..fc6329d478 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Encryption Zone (Windows 10) +title: Checklist Configuring Rules for the Encryption Zone (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index 2bccefd09c..2a0fe73601 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Checklist Configuring Rules for the Isolated Domain (Windows 10) +title: Checklist Configuring Rules for the Isolated Domain (Windows) description: Use these tasks to configure connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index d2ba4b5a27..b5113224e7 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Group Policy Objects (Windows 10) +title: Checklist Creating Group Policy Objects (Windows) description: Learn to deploy firewall settings, IPsec settings, firewall rules, or connection security rules, by using Group Policy in AD DS. ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. @@ -30,7 +31,7 @@ The checklists for firewall, domain isolation, and server isolation include a li ## About membership groups -For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. +For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied. ## About exclusion groups diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md index 834016bd7b..53822035a9 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Inbound Firewall Rules (Windows 10) +title: Checklist Creating Inbound Firewall Rules (Windows) description: Use these tasks for creating inbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for creating firewall rules in your GPOs. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md index b20cb735f9..445f1e1eda 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md @@ -1,5 +1,5 @@ --- -title: Checklist Creating Outbound Firewall Rules (Windows 10) +title: Checklist Creating Outbound Firewall Rules (Windows) description: Use these tasks for creating outbound firewall rules in your GPOs for Windows Defender Firewall with Advanced Security. ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for creating outbound firewall rules in your GPOs. From e083dd5e3b756f7fa23d0577927ccbd64b12348f Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 16:13:18 +0530 Subject: [PATCH 02/32] Updated boundary-zone.md --- .../windows-firewall/boundary-zone.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index 95c9a26f95..a78415035a 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -25,13 +25,13 @@ ms.technology: mde - Windows 11 - Windows Server 2016 and above -In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. +In most organizations, some devices can receive network traffic from devices that aren't part of the isolated domain, and therefore can't authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain. Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device. -The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it. +The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. -Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision. +These boundary zone devices receive unsolicited inbound communications from untrusted devices that use plaintext. Therefore, they must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. ![design flowchart.](images/wfas-designflowchart1.gif) @@ -39,7 +39,7 @@ The goal of this process is to determine whether the risk of adding a device to You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain. -Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. + [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section discusses creation of the group and how to link it to the GPOs that apply the rules to members of the group. ## GPO settings for boundary zone servers running at least Windows Server 2008 @@ -50,13 +50,13 @@ The boundary zone GPO for devices running at least Windows Server 2008 should i 1. Exempt all ICMP traffic from IPsec. - 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. + 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES, and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.. + 3. Data protection (quick mode) algorithm combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5, you must include certificate-based authentication as an optional authentication method. - The following connection security rules: From ff1c9264915abab0b1cdca2d80b3d41693813d15 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 7 Sep 2021 17:56:45 +0530 Subject: [PATCH 03/32] Updated 21to40 files --- ...s-for-clients-of-a-standalone-isolated-server-zone.md | 7 ++++--- ...cklist-implementing-a-basic-firewall-policy-design.md | 9 +++++---- ...enting-a-certificate-based-isolation-policy-design.md | 7 ++++--- ...list-implementing-a-domain-isolation-policy-design.md | 7 ++++--- ...enting-a-standalone-server-isolation-policy-design.md | 7 ++++--- .../windows-firewall/configure-authentication-methods.md | 7 ++++--- .../configure-data-protection-quick-mode-settings.md | 7 ++++--- ...group-policy-to-autoenroll-and-deploy-certificates.md | 7 ++++--- .../configure-key-exchange-main-mode-settings.md | 7 ++++--- .../configure-the-rules-to-require-encryption.md | 4 ++-- .../configure-the-windows-firewall-log.md | 7 ++++--- ...he-workstation-authentication-certificate-template.md | 7 ++++--- ...o-suppress-notifications-when-a-program-is-blocked.md | 7 ++++--- .../confirm-that-certificates-are-deployed-correctly.md | 7 ++++--- .../windows-firewall/copy-a-gpo-to-create-a-new-gpo.md | 9 +++++---- .../create-a-group-account-in-active-directory.md | 7 ++++--- .../windows-firewall/create-a-group-policy-object.md | 7 ++++--- .../create-an-authentication-exemption-list-rule.md | 7 ++++--- .../create-an-authentication-request-rule.md | 7 ++++--- .../windows-firewall/create-an-inbound-icmp-rule.md | 7 ++++--- 20 files changed, 80 insertions(+), 61 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 4a4c525867..d57f7d5a5d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -1,5 +1,5 @@ --- -title: Create Rules for Standalone Isolated Server Zone Clients (Windows 10) +title: Create Rules for Standalone Isolated Server Zone Clients (Windows) description: Checklist for when creating rules for clients of a Standalone Isolated Server Zone ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 1aa6060a8c..1d50c40f3d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) +title: Checklist Implementing a Basic Firewall Policy Design (Windows) description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. @@ -35,7 +36,7 @@ The procedures in this section use the Group Policy MMC snap-in interfaces to co | Task | Reference | | - | - | | Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Basic Firewall Policy Design](basic-firewall-policy-design.md)
[Firewall Policy Design Example](firewall-policy-design-example.md)
[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| -| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 11, Windows 10, and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10 or Windows 11, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| | Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| | Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 52c11e99ed..1166334bca 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10) +title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows) description: Use these references to learn about using certificates as an authentication option and configure a certificate-based isolation policy design. ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 1261adcbb9..cf988d2a7d 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Domain Isolation Policy Design (Windows 10) +title: Checklist Implementing a Domain Isolation Policy Design (Windows) description: Use these references to learn about the domain isolation policy design and links to other checklists to complete tasks require to implement this design. ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 1d53748cc1..b571f7dce4 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10) +title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index e6fd6b4090..1841e7d9f5 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -1,5 +1,5 @@ --- -title: Configure Authentication Methods (Windows 10) +title: Configure Authentication Methods (Windows) description: Learn how to configure authentication methods for devices in an isolated domain or standalone server zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md index 41b2b78f6c..2ef49bcb9e 100644 --- a/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Data Protection (Quick Mode) Settings (Windows 10) +title: Configure Data Protection (Quick Mode) Settings (Windows) description: Learn how to configure the data protection settings for connection security rules in an isolated domain or a standalone isolated server zone. ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone. diff --git a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md index cfc3364fe7..064de062cf 100644 --- a/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md +++ b/windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md @@ -1,5 +1,5 @@ --- -title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10) +title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows) description: Learn how to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate. diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index f1b75a3291..3164f07dea 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -1,5 +1,5 @@ --- -title: Configure Key Exchange (Main Mode) Settings (Windows 10) +title: Configure Key Exchange (Main Mode) Settings (Windows) description: Learn how to configure the main mode key exchange settings used to secure the IPsec authentication traffic in Windows Defender Firewall with Advanced Security. ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index 561ea0f380..e3d4f8f8b6 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -1,5 +1,5 @@ --- -title: Configure the Rules to Require Encryption (Windows 10) +title: Configure the Rules to Require Encryption (Windows) description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption. ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index 4c82249ccd..a4a7b01573 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -1,5 +1,5 @@ --- -title: Configure the Windows Defender Firewall Log (Windows 10) +title: Configure the Windows Defender Firewall Log (Windows) description: Learn how to configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections by using Group Policy Management MMC. ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 7ff2117797..58fdd2dd8a 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -1,5 +1,5 @@ --- -title: Configure the Workstation Authentication Template (Windows 10) +title: Configure the Workstation Authentication Template (Windows) description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations. ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6 ms.reviewer: @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 07/30/2018 +ms.date: 09/07/2021 ms.technology: mde --- @@ -19,7 +19,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements. diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 200675b11a..ee29ef81e8 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10) +title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows) description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md index 8af8ad2d89..6e1c2f5c0b 100644 --- a/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md +++ b/windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md @@ -1,5 +1,5 @@ --- -title: Confirm That Certificates Are Deployed Correctly (Windows 10) +title: Confirm That Certificates Are Deployed Correctly (Windows) description: Learn how to confirm that a Group Policy is being applied as expected and that the certificates are being properly installed on the workstations. ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 4020fab006..ac157cc912 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -1,5 +1,5 @@ --- -title: Copy a GPO to Create a New GPO (Windows 10) +title: Copy a GPO to Create a New GPO (Windows) description: Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices. ms.assetid: 7f6a23e5-4b3f-40d6-bf6d-7895558b1406 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To create the GPO for the boundary zone devices, make a copy of the main domain isolation GPO, and then change the settings to request, instead of require, authentication. To make a copy of a GPO, use the Active Directory Users and devices MMC snap-in. @@ -56,4 +57,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md index 3511ad7f7f..844bf1db69 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md @@ -1,5 +1,5 @@ --- -title: Create a Group Account in Active Directory (Windows 10) +title: Create a Group Account in Active Directory (Windows) description: Learn how to create a security group for the computers that are to receive Group Policy settings by using the Active Directory Users and Computers console. ms.assetid: c3700413-e02d-4d56-96b8-7991f97ae432 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To create a security group to contain the computer accounts for the computers that are to receive a set of Group Policy settings, use the Active Directory Users and Computers console. diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index e6e1e18867..b7b3944df5 100644 --- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -1,5 +1,5 @@ --- -title: Create a Group Policy Object (Windows 10) +title: Create a Group Policy Object (Windows) description: Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group. ms.assetid: 72a50dd7-5033-4d97-a5eb-0aff8a35cced ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To create a new GPO, use the Active Directory Users and Computers MMC snap-in. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md index 35cb8d066a..c28612d61c 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Authentication Exemption List Rule (Windows 10) +title: Create an Authentication Exemption List Rule (Windows) description: Learn how to create rules that exempt devices that cannot communicate by using IPSec from the authentication requirements of your isolation policies. ms.assetid: 8f6493f3-8527-462a-82c0-fd91a6cb5dd8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 43156e1bc5..b3a12b2ba9 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Authentication Request Rule (Windows 10) +title: Create an Authentication Request Rule (Windows) description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured IPsec algorithms and authentication methods, you can create the rule that requires the devices on the network to use those protocols and methods before they can communicate. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md index c56953f28c..53f49581bd 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound ICMP Rule (Windows 10) +title: Create an Inbound ICMP Rule (Windows) description: Learn how to allow inbound ICMP traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 267b940a-79d9-4322-b53b-81901e357344 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network. From 10c89c2930e50cd9cf288ace3d2d038392a35cc5 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 11:38:28 +0530 Subject: [PATCH 04/32] Updated 41 to 60 --- .../windows-firewall/create-an-inbound-port-rule.md | 7 ++++--- .../create-an-inbound-program-or-service-rule.md | 7 ++++--- .../create-an-outbound-port-rule.md | 7 ++++--- .../create-an-outbound-program-or-service-rule.md | 7 ++++--- .../create-inbound-rules-to-support-rpc.md | 7 ++++--- .../create-windows-firewall-rules-in-intune.md | 8 +++++--- .../create-wmi-filters-for-the-gpo.md | 13 +++++++------ ...dows-firewall-with-advanced-security-strategy.md | 7 ++++--- ...determining-the-trusted-state-of-your-devices.md | 7 ++++--- .../windows-firewall/documenting-the-zones.md | 7 ++++--- .../domain-isolation-policy-design-example.md | 7 ++++--- .../domain-isolation-policy-design.md | 7 ++++--- .../enable-predefined-inbound-rules.md | 7 ++++--- .../enable-predefined-outbound-rules.md | 7 ++++--- .../windows-firewall/encryption-zone-gpos.md | 7 ++++--- .../windows-firewall/encryption-zone.md | 7 ++++--- ...rewall-with-advanced-security-design-examples.md | 7 ++++--- .../exempt-icmp-from-authentication.md | 7 ++++--- .../windows-firewall/exemption-list.md | 7 ++++--- .../windows-firewall/firewall-gpos.md | 7 ++++--- 20 files changed, 84 insertions(+), 63 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md index 05df6a67cc..452b942ae5 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound Port Rule (Windows 10) +title: Create an Inbound Port Rule (Windows) description: Learn to allow traffic on specific ports by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: a7b6c6ca-32fa-46a9-a5df-a4e43147da9f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md index bd01350eee..c3db4fccfa 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Inbound Program or Service Rule (Windows 10) +title: Create an Inbound Program or Service Rule (Windows) description: Learn how to allow inbound traffic to a program or service by using the Group Policy Management MMC snap-in to create firewall rules. ms.assetid: 00b7fa60-7c64-4ba5-ba95-c542052834cf ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index a463162a4d..ebce547b94 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Outbound Port Rule (Windows 10) +title: Create an Outbound Port Rule (Windows) description: Learn to block outbound traffic on a port by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 59062b91-756b-42ea-8f2a-832f05d77ddf ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index fe0b68eb1d..d3c40f879a 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,5 +1,5 @@ --- -title: Create an Outbound Program or Service Rule (Windows 10) +title: Create an Outbound Program or Service Rule (Windows) description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port. diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 59cb4d71cb..07e8a14728 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -1,5 +1,5 @@ --- -title: Create Inbound Rules to Support RPC (Windows 10) +title: Create Inbound Rules to Support RPC (Windows) description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 479b2e67af..587339f4f2 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -1,5 +1,5 @@ --- -title: Create Windows Firewall rules in Intune (Windows 10) +title: Create Windows Firewall rules in Intune (Windows) description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: @@ -21,12 +21,14 @@ ms.technology: mde **Applies to** - Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!IMPORTANT] >This information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. To get started, open Device Configuration in Intune, then create a new profile. -Choose Windows 10 as the platform, and Endpoint Protection as the profile type. +Choose Windows 10 or Windows 11 as the platform, and Endpoint Protection as the profile type. Select Windows Defender Firewall. ![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png) @@ -35,7 +37,7 @@ Select Windows Defender Firewall. ## Firewall rule components -The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). +The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp). ## Application Control connections for an app or program. diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 78d50e3732..725f75af51 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md +++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -1,5 +1,5 @@ --- -title: Create WMI Filters for the GPO (Windows 10) +title: Create WMI Filters for the GPO (Windows) description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/16/2021 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each device. @@ -58,13 +59,13 @@ First, create the WMI filter and configure it to look for a specified version (o select * from Win32_OperatingSystem where Version like "6.%" ``` - This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 10 and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: + This query will return **true** for devices running at least Windows Vista and Windows Server 2008. To set a filter for just Windows 8 and Windows Server 2012, use "6.2%". For Windows 11, Windows 10, and Windows Server 2016, use "10.%". To specify multiple versions, combine them with or, as shown in the following: ``` syntax ... where Version like "6.1%" or Version like "6.2%" ``` - To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. + To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 and Windows 11 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network. The following clause returns **true** for all devices that are not domain controllers: @@ -72,7 +73,7 @@ First, create the WMI filter and configure it to look for a specified version (o ... where ProductType="1" or ProductType="3" ``` - The following complete query returns **true** for all devices running Windows 10, and returns **false** for any server operating system or any other client operating system. + The following complete query returns **true** for all devices running Windows 10 and Windows 11, and returns **false** for any server operating system or any other client operating system. ``` syntax select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1" diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 68a9281a43..52f4ad1566 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,5 +1,5 @@ --- -title: Designing a Windows Defender Firewall Strategy (Windows 10) +title: Designing a Windows Defender Firewall Strategy (Windows) description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices. diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index 89fca32581..fe567b13bf 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -1,5 +1,5 @@ --- -title: Determining the Trusted State of Your Devices (Windows 10) +title: Determining the Trusted State of Your Devices (Windows) description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index e8f37ee452..990d2c4fec 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -1,5 +1,5 @@ --- -title: Documenting the Zones (Windows 10) +title: Documenting the Zones (Windows) description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index 8f27c49ab5..dffc684c37 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design Example (Windows 10) +title: Domain Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, and builds on the example described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section. See that example for an explanation of the basic corporate network infrastructure at Woodgrove Bank with diagrams. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 659827d1c6..6d6e93c035 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Domain Isolation Policy Design (Windows 10) +title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index 0a1b0212b6..e8cd903c18 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Inbound Rules (Windows 10) +title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 28e4f8649e..8a3aa2796f 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -1,5 +1,5 @@ --- -title: Enable Predefined Outbound Rules (Windows 10) +title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/07/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 9dc32a7f67..c57c92edcd 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone GPOs (Windows 10) +title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 3fba99acba..31176e0204 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,5 +1,5 @@ --- -title: Encryption Zone (Windows 10) +title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 2f7a20377f..4aea9e2010 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,5 +1,5 @@ --- -title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10) +title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization. diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 38c6fd67c7..2dfe9fd103 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md +++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,5 +1,5 @@ --- -title: Exempt ICMP from Authentication (Windows 10) +title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to add exemptions for any network traffic that uses the ICMP protocol. diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index b923df309c..e4569e0cf8 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,5 +1,5 @@ --- -title: Exemption List (Windows 10) +title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index faa8a0d788..8482ee05ce 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,5 +1,5 @@ --- -title: Firewall GPOs (Windows 10) +title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. From 871eacc1653bd07c6c8e10cfaeaa99e0ec828a9b Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 14:43:44 +0530 Subject: [PATCH 05/32] Updating 61 to 80 --- .../windows-firewall/firewall-policy-design-example.md | 9 +++++---- ...formation-about-your-active-directory-deployment.md | 7 ++++--- ...mation-about-your-current-network-infrastructure.md | 7 ++++--- .../gathering-information-about-your-devices.md | 7 ++++--- .../gathering-other-relevant-information.md | 7 ++++--- .../gathering-the-information-you-need.md | 7 ++++--- .../windows-firewall/gpo-domiso-boundary.md | 7 ++++--- .../windows-firewall/gpo-domiso-encryption.md | 4 ++-- .../windows-firewall/gpo-domiso-firewall.md | 7 ++++--- .../gpo-domiso-isolateddomain-clients.md | 7 ++++--- .../gpo-domiso-isolateddomain-servers.md | 7 ++++--- ...firewall-with-advanced-security-deployment-goals.md | 9 +++++---- ...dows-firewall-with-advanced-security-design-plan.md | 7 ++++--- .../windows-firewall/isolated-domain-gpos.md | 7 ++++--- .../windows-firewall/isolated-domain.md | 10 +++++----- .../windows-firewall/isolating-apps-on-your-network.md | 9 +++++---- .../windows-firewall/link-the-gpo-to-the-domain.md | 7 ++++--- ...a-windows-firewall-with-advanced-security-design.md | 7 ++++--- ...-apply-to-a-different-zone-or-version-of-windows.md | 7 ++++--- ...olicy-management-console-to-ip-security-policies.md | 7 ++++--- 20 files changed, 82 insertions(+), 64 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 5a6acfea96..85ce84a2a9 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Basic Firewall Policy Design Example (Windows 10) +title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In this example, the fictitious company Woodgrove Bank is a financial services institution. @@ -67,7 +68,7 @@ Other traffic notes: Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy the firewall settings and rules to the devices on their network. They know that they must deploy policies to the following collections of devices: -- Client devices that run Windows 10, Windows 8, or Windows 7 +- Client devices that run Windows 11, Windows 10, Windows 8, or Windows 7 - WGBank front-end servers that run Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 or Windows Server 2008 R2 (there are none in place yet, but their solution must support adding them) diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 35ed36b193..07fea715ef 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Active Directory Deployment (Windows 10) +title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 97aed509bc..08f2987678 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,5 +1,5 @@ --- -title: Gathering Info about Your Network Infrastructure (Windows 10) +title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project: diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 1e9b7fee54..c5f34e8ce7 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,5 +1,5 @@ --- -title: Gathering Information about Your Devices (Windows 10) +title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above One of the most valuable benefits of conducting an asset discovery project is the large amount of data that is obtained about the client and server devices on the network. When you start designing and planning your isolation zones, you must make decisions that require accurate information about the state of all hosts to ensure that they can use IPsec as planned. diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index e75e426e2c..a34c386f5c 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,5 +1,5 @@ --- -title: Gathering Other Relevant Information (Windows 10) +title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization. diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index fbdf23f73f..aad5e33e18 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,5 +1,5 @@ --- -title: Gathering the Information You Need (Windows 10) +title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index 4ea713f793..3eb3e0fb2b 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Boundary (Windows 10) +title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index 7c81975bea..bf33747880 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Encryption\_WS2008 (Windows 10) +title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 ms.reviewer: @@ -14,7 +14,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 7799c8484f..f625255685 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_Firewall (Windows 10) +title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index c5c16902b2..ce42bb0dd3 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista. diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index a7e5651251..ca3da60412 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,5 +1,5 @@ --- -title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) +title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008. diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 738e348ccd..a3648e301a 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,5 +1,5 @@ --- -title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10) +title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: @@ -14,14 +14,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- # Identifying Windows Defender Firewall with Advanced Security implementation goals **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 265019f489..adb0db7bd9 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -1,5 +1,5 @@ --- -title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10) +title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The following are important factors in the implementation of your Windows Defender Firewall design plan: diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index 878839f37f..72632250e3 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain GPOs (Windows 10) +title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above All of the devices in the isolated domain are added to the group CG\_DOMISO\_IsolatedDomain. You must create multiple GPOs to align with this group, one for each Windows operating system that must have different rules or settings to implement the basic isolated domain functionality that you have in your isolated domain. This group is granted Read and Apply Group Policy permissions on all the GPOs described in this section. diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index b9656fd06d..037bf1f77b 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md @@ -1,5 +1,5 @@ --- -title: Isolated Domain (Windows 10) +title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e ms.reviewer: @@ -14,16 +14,16 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- # Isolated Domain **Applies to:** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above The isolated domain is the primary zone for trusted devices. The devices in this zone use connection security and firewall rules to control the communications that can be sent between devices in the zone. diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index bfd7f19f0a..6e2fcee3e3 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -1,5 +1,5 @@ --- -title: Isolating Microsoft Store Apps on Your Network (Windows 10) +title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/13/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. @@ -65,7 +66,7 @@ To isolate Microsoft Store apps on your network, you need to use Group Policy to - The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules. - >**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). + >**Note:**  You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).   ## Step 1: Define your network diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 7759669531..c50865a29b 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md @@ -1,5 +1,5 @@ --- -title: Link the GPO to the Domain (Windows 10) +title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you create the GPO and configure it with security group filters and WMI filters, you must link the GPO to the container in Active Directory that contains all of the target devices. diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index ee043c54a0..048875eafd 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10) +title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. > [!IMPORTANT] diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index 2f2ec6ad54..037b3a66d6 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,5 +1,5 @@ --- -title: Modify GPO Filters (Windows 10) +title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You must reconfigure your copied GPO so that it contains the correct security group and WMI filters for its new role. If you are creating the GPO for the isolated domain, use the [Block members of a group from applying a GPO](#to-block-members-of-a-group-from-applying-a-gpo) procedure to prevent members of the boundary and encryption zones from incorrectly applying the GPOs for the main isolated domain. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 7046b6230b..43485b62d6 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md @@ -1,5 +1,5 @@ --- -title: Open the Group Policy Management Console to IP Security Policies (Windows 10) +title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Procedures in this guide that refer to GPOs for earlier versions of the Windows operating system instruct you to work with the IP Security Policy section in the Group Policy Management Console (GPMC). From bd2d5f0f974637aa741d43df98bd5aacc2e91cd0 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 17:14:56 +0530 Subject: [PATCH 06/32] Updated 81 to 100 --- ...console-to-windows-firewall-with-advanced-security.md | 7 ++++--- ...roup-policy-management-console-to-windows-firewall.md | 7 ++++--- .../open-windows-firewall-with-advanced-security.md | 7 ++++--- .../planning-certificate-based-authentication.md | 7 ++++--- .../windows-firewall/planning-domain-isolation-zones.md | 7 ++++--- .../windows-firewall/planning-gpo-deployment.md | 7 ++++--- ...g-group-policy-deployment-for-your-isolation-zones.md | 7 ++++--- .../planning-isolation-groups-for-the-zones.md | 7 ++++--- .../windows-firewall/planning-network-access-groups.md | 7 ++++--- .../windows-firewall/planning-server-isolation-zones.md | 7 ++++--- .../planning-settings-for-a-basic-firewall-policy.md | 7 ++++--- .../windows-firewall/planning-the-gpos.md | 9 +++++---- ...-to-deploy-windows-firewall-with-advanced-security.md | 7 ++++--- ...our-windows-firewall-with-advanced-security-design.md | 7 ++++--- .../windows-firewall/procedures-used-in-this-guide.md | 7 ++++--- .../protect-devices-from-unwanted-network-traffic.md | 7 ++++--- .../threat-protection/windows-firewall/quarantine.md | 2 +- ...ryption-when-accessing-sensitive-network-resources.md | 7 ++++--- ...restrict-access-to-only-specified-users-or-devices.md | 7 ++++--- .../restrict-access-to-only-trusted-devices.md | 7 ++++--- 20 files changed, 78 insertions(+), 59 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index 5c3d340ea4..1239f18bf3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Firewall with Advanced Security (Windows 10) +title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Most of the procedures in this guide instruct you to use Group Policy settings for Windows Firewall with Advanced Security. diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 2c7d2f500b..a4cba8e7c3 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,5 +1,5 @@ --- -title: Group Policy Management of Windows Defender Firewall (Windows 10) +title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To open a GPO to Windows Defender Firewall: diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index 1b99cfae07..8dda8bcf96 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Open Windows Defender Firewall with Advanced Security (Windows 10) +title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This procedure shows you how to open the Windows Defender Firewall with Advanced Security console. diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index 0f8b7c455f..2291806174 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,5 +1,5 @@ --- -title: Planning Certificate-based Authentication (Windows 10) +title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a device cannot join an Active Directory domain, and therefore cannot use Kerberos V5 authentication with domain credentials. However, the device can still participate in the isolated domain by using certificate-based authentication. diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index af5214261c..0a5d687d62 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Domain Isolation Zones (Windows 10) +title: Planning Domain Isolation Zones (Windows) description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have the required information about your network, Active Directory, and client and server devices, you can use that information to make decisions about the isolation zones you want to use in your environment. diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 0f0993409e..fd986acbbd 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,5 +1,5 @@ --- -title: Planning GPO Deployment (Windows 10) +title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can control which GPOs are applied to devices in Active Directory in a combination of three ways: diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 7899c1c091..47d3282978 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) +title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have decided on the best logical design of your isolation environment for the network and device security requirements, you can start the implementation plan. diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index c4fff5ce81..6ac5c58afd 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Isolation Groups for the Zones (Windows 10) +title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 57d452edac..d767a7db71 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,5 +1,5 @@ --- -title: Planning Network Access Groups (Windows 10) +title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above A network access group (NAG) is used to identify users and devices that have permission to access an isolated server. The server is configured with firewall rules that allow only network connections that are authenticated as originating from a device, and optionally a user, whose accounts are members of its NAG. A member of the isolated domain can belong to as many NAGs as required. diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index a89145ab4a..2a5a06d873 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,5 +1,5 @@ --- -title: Planning Server Isolation Zones (Windows 10) +title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Sometimes a server hosts data that is sensitive. If your servers host data that must not be compromised, you have several options to help protect that data. One was already addressed: adding the server to the encryption zone. Membership in that zone prevents the server from being accessed by any devices that are outside the isolated domain, and encrypts all network connections to server. diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index ce989c23c6..e843a202ac 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,5 +1,5 @@ --- -title: Planning Settings for a Basic Firewall Policy (Windows 10) +title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices. diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 8bb1208626..67f3121c36 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,5 +1,5 @@ --- -title: Planning the GPOs (Windows 10) +title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above When you plan the GPOs for your different isolation zones, you must complete the layout of the required zones and their mappings to the groups that link the devices to the zones. @@ -42,7 +43,7 @@ A few things to consider as you plan the GPOs: - Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles. -*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10. +*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10 and Windows 11. > [!NOTE] > Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network. diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index 7dabf87126..8d60afedaf 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10) +title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization. diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 437bb3fbeb..8459640ec7 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,5 +1,5 @@ --- -title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) +title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index e301390ef9..305d69aef6 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,5 +1,5 @@ --- -title: Procedures Used in This Guide (Windows 10) +title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The procedures in this section appear in the checklists found earlier in this document. They should be used only in the context of the checklists in which they appear. They are presented here in alphabetical order. diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 233776996f..f0fc035973 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,5 +1,5 @@ --- -title: Protect devices from unwanted network traffic (Windows 10) +title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats. diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index bd087a2124..17ab51f503 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -14,7 +14,7 @@ ms.localizationpriority: normal audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/17/2020 +ms.date: 09/08/2021 ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 8fbeb35412..a3963db1f2 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md @@ -1,5 +1,5 @@ --- -title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) +title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 1a7c288575..e546bbf39d 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,5 +1,5 @@ --- -title: Restrict Access to Only Specified Users or Devices (Windows 10) +title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data. diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 5285e56ad9..d3d0f94001 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,5 +1,5 @@ --- -title: Restrict access to only trusted devices (Windows 10) +title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required. From 961fa414d108e1e43a906ad646ec82a7c5038e91 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Wed, 8 Sep 2021 17:40:48 +0530 Subject: [PATCH 07/32] Updated as per 5358843-files276to300 --- windows/security/threat-protection/auditing/event-5148.md | 6 +----- windows/security/threat-protection/auditing/event-5149.md | 6 +----- windows/security/threat-protection/auditing/event-5150.md | 6 +----- windows/security/threat-protection/auditing/event-5151.md | 6 +----- windows/security/threat-protection/auditing/event-5152.md | 6 +----- windows/security/threat-protection/auditing/event-5153.md | 6 +----- windows/security/threat-protection/auditing/event-5154.md | 6 +----- windows/security/threat-protection/auditing/event-5155.md | 6 +----- windows/security/threat-protection/auditing/event-5156.md | 6 +----- windows/security/threat-protection/auditing/event-5157.md | 6 +----- windows/security/threat-protection/auditing/event-5158.md | 6 +----- windows/security/threat-protection/auditing/event-5159.md | 6 +----- windows/security/threat-protection/auditing/event-5168.md | 6 +----- windows/security/threat-protection/auditing/event-5376.md | 6 +----- windows/security/threat-protection/auditing/event-5377.md | 6 +----- windows/security/threat-protection/auditing/event-5378.md | 6 +----- windows/security/threat-protection/auditing/event-5447.md | 6 +----- windows/security/threat-protection/auditing/event-5632.md | 6 +----- windows/security/threat-protection/auditing/event-5633.md | 6 +----- windows/security/threat-protection/auditing/event-5712.md | 6 +----- windows/security/threat-protection/auditing/event-5888.md | 6 +----- windows/security/threat-protection/auditing/event-5889.md | 6 +----- windows/security/threat-protection/auditing/event-5890.md | 6 +----- windows/security/threat-protection/auditing/event-6144.md | 6 +----- windows/security/threat-protection/auditing/event-6145.md | 6 +----- 25 files changed, 25 insertions(+), 125 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 23a31eb1a6..1946129b9b 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. -**Applies to** -- Windows 10 -- Windows Server 2016 - In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected. diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 04f6c8747a..467c7145cc 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 05/29/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5149(F): The DoS attack has subsided and normal processing is being resumed. -**Applies to** -- Windows 10 -- Windows Server 2016 - In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended. diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 7e8b6a5cc1..9d9c830f21 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5150(-): The Windows Filtering Platform blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 611541553e..6601b86883 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index cb8da40be3..d4bcbf8042 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5152(F): The Windows Filtering Platform blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5152 illustration diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index ce3f53f60d..eee4621b4d 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index ea9c8ea638..6d0b939b64 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5154 illustration diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index d00134db41..166520ef13 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. -**Applies to** -- Windows 10 -- Windows Server 2016 - By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index b7aa9709b2..d0af703c34 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5156(S): The Windows Filtering Platform has permitted a connection. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5156 illustration diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 73d84e9d53..c20c64f670 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5157(F): The Windows Filtering Platform has blocked a connection. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5157 illustration diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index d863b08c36..f35938a490 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5158(S): The Windows Filtering Platform has permitted a bind to a local port. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5158 illustration diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index fb896131ac..95ac21b41a 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5159(F): The Windows Filtering Platform has blocked a bind to a local port. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5159 illustration diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index bb9371baff..5d1e8bf0d8 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5168(F): SPN check for SMB/SMB2 failed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5168 illustration diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index 3cbb58cf29..1b77d59d7e 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5376(S): Credential Manager credentials were backed up. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5376 illustration diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index 3be670da7b..82af29b1d7 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5377(S): Credential Manager credentials were restored from a backup. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5377 illustration diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index 0025f40837..7880067fb3 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5378(F): The requested credentials delegation was disallowed by policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5378 illustration diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 2b5c265e83..c7e89a3513 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5447(S): A Windows Filtering Platform filter has been changed. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5447 illustration diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index ad0e108238..fd3345a565 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5632(S, F): A request was made to authenticate to a wireless network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5632 illustration diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index ba78854b75..d72afb75da 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5633(S, F): A request was made to authenticate to a wired network. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5633 illustration diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 5bb81e6f09..48363c3beb 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5712(S): A Remote Procedure Call (RPC) was attempted. -**Applies to** -- Windows 10 -- Windows Server 2016 - It appears that this event never occurs. diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 8d2ea38fcb..4a22ab0013 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5888(S): An object in the COM+ Catalog was modified. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5888 illustration diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index e3d65ee453..d0d9842512 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5889(S): An object was deleted from the COM+ Catalog. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5889 illustration diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index 9b7a9f515c..f7bf90b524 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 5890(S): An object was added to the COM+ Catalog. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 5890 illustration diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 7565e8f794..0ed126dc60 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6144(S): Security policy in the group policy objects has been applied successfully. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6144 illustration diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index b70a0844a2..ff67ad627d 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6145(F): One or more errors occurred while processing security policy in the group policy objects. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6145 illustration From 445cb5de6f4e9afa8cfaaa539c56f6a4b2cb7bb1 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Wed, 8 Sep 2021 18:02:50 +0530 Subject: [PATCH 08/32] Updated 101 to 112 --- ...estrict-server-access-to-members-of-a-group-only.md | 7 ++++--- ...ring-end-to-end-ipsec-connections-by-using-ikev2.md | 7 ++++--- .../windows-firewall/server-isolation-gpos.md | 7 ++++--- .../server-isolation-policy-design-example.md | 7 ++++--- .../windows-firewall/server-isolation-policy-design.md | 7 ++++--- ...-windows-firewall-and-configure-default-behavior.md | 7 ++++--- ...s-firewall-with-advanced-security-design-process.md | 4 ++-- .../verify-that-network-traffic-is-authenticated.md | 7 ++++--- ...-security-administration-with-windows-powershell.md | 7 ++++--- ...firewall-with-advanced-security-deployment-guide.md | 7 ++++--- ...ows-firewall-with-advanced-security-design-guide.md | 9 +++++---- .../windows-firewall-with-advanced-security.md | 10 +++++----- 12 files changed, 48 insertions(+), 38 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index a9a24aa516..c0d7282746 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,5 +1,5 @@ --- -title: Restrict Server Access to Members of a Group Only (Windows 10) +title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured the IPsec connection security rules that force client devices to authenticate their connections to the isolated server, you must configure the rules that restrict access to only those devices or users who have been identified through the authentication process as members of the isolated server’s access group. diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 8cb2a35d50..aa6d7c5117 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -1,5 +1,5 @@ --- -title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10) +title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above IKEv2 offers the following: diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index bb23429112..74da744d30 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,5 +1,5 @@ --- -title: Server Isolation GPOs (Windows 10) +title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Each set of devices that have different users or devices accessing them require a separate server isolation zone. Each zone requires one GPO for each version of Windows running on devices in the zone. The Woodgrove Bank example has an isolation zone for their devices that run SQL Server. The server isolation zone is logically considered part of the encryption zone. Therefore, server isolation zone GPOs must also include rules for encrypting all isolated server traffic. Woodgrove Bank copied the encryption zone GPOs to serve as a starting point, and renamed them to reflect their new purpose. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index a0070cf114..fd8fad7308 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design Example (Windows 10) +title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above This design example continues to use the fictitious company Woodgrove Bank, as described in the [Firewall Policy Design Example](firewall-policy-design-example.md) section and the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) section. diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 7d44e7c17c..3d5d5e9694 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,5 +1,5 @@ --- -title: Server Isolation Policy Design (Windows 10) +title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above In the server isolation policy design, you assign servers to a zone that allows access only to users and devices that authenticate as members of an approved network access group (NAG). diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index b6a468447e..8f2dd62bfc 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,5 +1,5 @@ --- -title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10) +title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 6a77eda3f7..6f83b6d42d 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -1,5 +1,5 @@ --- -title: Understand WFAS Deployment (Windows 10) +title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 113c3c0cc2..633bcb4aed 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,5 +1,5 @@ --- -title: Verify That Network Traffic Is Authenticated (Windows 10) +title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above After you have configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index bf70a3a3b7..c4e919e41a 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10) +title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.reviewer: ms.author: dansimp ms.technology: mde @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index 9a3954cc03..8e4af001ae 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10) +title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/17/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network. diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index e1a438412f..702acc0dcf 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security design guide (Windows 10) +title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/05/2017 +ms.date: 09/08/2021 ms.technology: mde --- @@ -22,7 +22,8 @@ ms.technology: mde **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and above Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices. @@ -87,7 +88,7 @@ The following table identifies and defines terms used throughout this guide. | Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).| | Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.| | Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.| -| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | +| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. | | Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).| | IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.| | Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.| diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index e3becc881c..7a9d7305a5 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Firewall with Advanced Security (Windows 10) +title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: m365-security ms.mktglfcycl: deploy @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/21/2020 +ms.date: 09/08/2021 ms.reviewer: ms.custom: asr ms.technology: mde @@ -21,9 +21,9 @@ ms.technology: mde # Windows Defender Firewall with Advanced Security **Applies to** -- Windows 10 -- Windows Server 2016 -- Windows Server 2019 +- Windows 10 +- Windows 11 +- Windows Server 2016 and above This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. From aba3cec174bc60c9da8efef4e5242479b755878c Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Thu, 9 Sep 2021 11:40:01 +0530 Subject: [PATCH 09/32] Updated as per 5358843-files301to325 --- windows/security/threat-protection/auditing/event-6281.md | 6 +----- windows/security/threat-protection/auditing/event-6400.md | 6 +----- windows/security/threat-protection/auditing/event-6401.md | 6 +----- windows/security/threat-protection/auditing/event-6402.md | 6 +----- windows/security/threat-protection/auditing/event-6403.md | 6 +----- windows/security/threat-protection/auditing/event-6404.md | 6 +----- windows/security/threat-protection/auditing/event-6405.md | 6 +----- windows/security/threat-protection/auditing/event-6406.md | 6 +----- windows/security/threat-protection/auditing/event-6407.md | 6 +----- windows/security/threat-protection/auditing/event-6408.md | 6 +----- windows/security/threat-protection/auditing/event-6409.md | 6 +----- windows/security/threat-protection/auditing/event-6410.md | 6 +----- windows/security/threat-protection/auditing/event-6416.md | 6 +----- windows/security/threat-protection/auditing/event-6419.md | 6 +----- windows/security/threat-protection/auditing/event-6420.md | 6 +----- windows/security/threat-protection/auditing/event-6421.md | 6 +----- windows/security/threat-protection/auditing/event-6422.md | 6 +----- windows/security/threat-protection/auditing/event-6423.md | 6 +----- windows/security/threat-protection/auditing/event-6424.md | 6 +----- .../auditing/file-system-global-object-access-auditing.md | 4 +--- .../auditing/how-to-list-xml-elements-in-eventdata.md | 4 +--- .../monitor-central-access-policy-and-rule-definitions.md | 4 +--- .../threat-protection/auditing/monitor-claim-types.md | 4 +--- .../auditing/monitor-resource-attribute-definitions.md | 4 +--- ...ral-access-policies-associated-with-files-and-folders.md | 4 +--- 25 files changed, 25 insertions(+), 113 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index e6ec5bea59..28b9c2e509 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. -**Applies to** -- Windows 10 -- Windows Server 2016 - The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 511aeb3ae9..214d0c5b93 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 829c3215c9..7ae7c5a3ab 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6401(-): BranchCache: Received invalid data from a peer. Data discarded. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 2aee0f9232..ca0ea21dbe 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index ec9028c852..dfa11c62ac 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index eaa912b6e3..fb4bccd26f 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index fc188cce3b..557c8ebabe 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 689085b2fd..dbaeb0e873 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index 3273efaba1..28612dacba 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6407(-): 1%. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 7b29a0468c..c36f520a60 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 6855ea810d..1ac08c75f1 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6409(-): BranchCache: A service connection point object could not be parsed. -**Applies to** -- Windows 10 -- Windows Server 2016 - [BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index a306a98882..a9f5e5111f 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. -**Applies to** -- Windows 10 -- Windows Server 2016 - [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 4b85673aa7..337a5395be 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6416(S): A new external device was recognized by the System. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6416 illustration diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index 90c145ff77..69a6f30def 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6419(S): A request was made to disable a device. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6419 illustration diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 51570d3ab3..3a2dc5c9d9 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6420(S): A device was disabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6420 illustration diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index ef4e0b856f..8ac5372312 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6421(S): A request was made to enable a device. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6421 illustration diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 2b2f45d1b8..7e577f25c3 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6422(S): A device was enabled. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6422 illustration diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 3332a01011..5f8278b20e 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6423(S): The installation of this device is forbidden by system policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - Event 6423 illustration diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 8ca1ce36d6..ba3fcbffe7 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. -**Applies to** -- Windows 10 -- Windows Server 2016 - This event occurs rarely, and in some situations may be difficult to reproduce. diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index 1093140e38..9c7941df2b 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # File System (Global Object Access Auditing) -**Applies to** -- Windows 10 This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer. diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 1efc819647..cc3bf79488 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 10/22/2018 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,8 +16,6 @@ ms.technology: mde # How to get a list of XML data name elements in EventData -**Applies to** -- Windows 10 The Security log uses a manifest where you can get all of the event schema. diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md index 3c07a1dae0..c446bdec67 100644 --- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor central access policy and rule definitions -**Applies to** -- Windows 10 This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md index baf7d9e8a7..b9e1ea714f 100644 --- a/windows/security/threat-protection/auditing/monitor-claim-types.md +++ b/windows/security/threat-protection/auditing/monitor-claim-types.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor claim types -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options. diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md index ed4d03037f..791549bb4f 100644 --- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md +++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor resource attribute definitions -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects. Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object. diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md index f034f7c0fc..ece759aeb6 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the central access policies associated with files and folders -**Applies to** -- Windows 10 This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects. From 64a004b6725c82409b78a0e0d29a13143e745550 Mon Sep 17 00:00:00 2001 From: Ashok Lobo Date: Thu, 9 Sep 2021 12:12:20 +0530 Subject: [PATCH 10/32] Updated as per 5358843-files326to336 --- ...e-central-access-policies-that-apply-on-a-file-server.md | 4 +--- .../monitor-the-resource-attributes-on-files-and-folders.md | 4 +--- .../monitor-the-use-of-removable-storage-devices.md | 4 +--- .../monitor-user-and-device-claims-during-sign-in.md | 4 +--- windows/security/threat-protection/auditing/other-events.md | 6 +----- ...anning-and-deploying-advanced-security-audit-policies.md | 4 +--- .../auditing/registry-global-object-access-auditing.md | 4 +--- .../auditing/security-auditing-overview.md | 4 +--- ...ing-options-to-monitor-dynamic-access-control-objects.md | 4 +--- .../auditing/view-the-security-event-log.md | 4 +--- ...f-windows-support-advanced-audit-policy-configuration.md | 4 +--- 11 files changed, 11 insertions(+), 35 deletions(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index 12dedf0d60..2d50a5c7db 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the central access policies that apply on a file server -**Applies to** -- Windows 10 This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management. diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index f1676a1640..f223b3433d 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the resource attributes on files and folders -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index 04ac1c7929..af897bbd62 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: +ms.date: 09/09/2021 ms.technology: mde --- # Monitor the use of removable storage devices -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index edaf8e590f..7f950dd7b1 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Monitor user and device claims during sign-in -**Applies to** -- Windows 10 This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md index e74cf80553..a54f6a6f1c 100644 --- a/windows/security/threat-protection/auditing/other-events.md +++ b/windows/security/threat-protection/auditing/other-events.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium author: dansimp -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -16,10 +16,6 @@ ms.technology: mde # Other Events -**Applies to** -- Windows 10 -- Windows Server 2016 - Events in this section generate automatically and are enabled by default. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 068c8792d4..d47efbedbf 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Plan and deploy advanced security audit policies -**Applies to** -- Windows 10 This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index 3c5c1ece1e..a01a3a3514 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Registry (Global Object Access Auditing) -**Applies to** -- Windows 10 This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer. diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index ec89d5ef53..fb1184eed7 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Security auditing -**Applies to** -- Windows 10 Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network. diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md index 6e90c989e0..dd8bb6516d 100644 --- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md +++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Using advanced security auditing options to monitor dynamic access control objects -**Applies to** -- Windows 10 This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012. diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md index 84a296e182..5b89a3802e 100644 --- a/windows/security/threat-protection/auditing/view-the-security-event-log.md +++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # View the security event log -**Applies to** -- Windows 10 The security log records each event as defined by the audit policies you set on each object. diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md index 4b20841dd8..8e1db3e1b0 100644 --- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md +++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md @@ -14,14 +14,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 09/09/2021 ms.technology: mde --- # Which editions of Windows support advanced audit policy configuration -**Applies to** -- Windows 10 Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. There is no difference in security auditing support between 32-bit and 64-bit versions. From 6a4dabdafe3f88d9fb3b108aca7c08ecc57debd6 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 15 Sep 2021 11:54:17 +0530 Subject: [PATCH 11/32] Updated Policy-CSP-Experience with Feeds Policy Updated policy settings in Experience with Feeds --- .../mdm/policy-csp-experience.md | 550 +++++++++++------- 1 file changed, 341 insertions(+), 209 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ff50ae9cb0..697cc4af50 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -37,9 +37,6 @@ manager: dansimp
Experience/AllowManualMDMUnenrollment
-
- Experience/AllowNewsAndInterestsOnTheTaskbar -
Experience/AllowSaveAsOfOfficeFiles
@@ -88,6 +85,9 @@ manager: dansimp
Experience/DoNotSyncBrowserSettings
+
+ Experience/Feeds +
Experience/PreventUsersFromTurningOnBrowserSyncing
@@ -105,28 +105,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark5YesYes
Businesscheck mark5YesYes
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -184,28 +190,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -252,28 +264,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -314,28 +332,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -384,28 +408,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -442,65 +472,6 @@ The following list shows the supported values:
- - -**Experience/AllowNewsAndInterestsOnTheTaskbar** - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Machine - -
- - - -Specifies whether to allow "News and interests" on the Taskbar. - - - -The values for this policy are 1 and 0. This policy defaults to 1. - -- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - -
Experience/AllowSaveAsOfOfficeFiles @@ -531,28 +502,34 @@ This policy is deprecated. - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -589,28 +566,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -665,28 +648,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -735,28 +724,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -808,28 +803,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -880,28 +881,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -951,28 +958,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1021,28 +1034,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
@@ -1093,28 +1112,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1159,28 +1184,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1217,28 +1248,34 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -1286,28 +1323,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecheck mark9YesYes
Procheck mark9YesYes
Businesscheck mark9YesYes
Enterprisecheck mark9YesYes
Educationcheck mark9YesYes
@@ -1356,28 +1399,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1YesYes
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1YesYes
@@ -1426,28 +1475,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -1514,34 +1569,105 @@ _**Turn syncing off by default but don’t disable**_
+ +**Experience/Feeds** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies whether "Feeds" is enabled on the taskbar. + + + +The values for this policy are 1 and 0. This policy defaults to 1. + +- 1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +- 0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + + + +
+ **Experience/PreventUsersFromTurningOnBrowserSyncing** - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark5YesYes
Educationcheck mark5YesYes
@@ -1615,28 +1741,34 @@ Validation procedure: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscheck mark6YesYes
Enterprisecheck mark6YesYes
Educationcheck mark6YesYes
From f58bdbb941fec3bd6d7cd9afc278f9d2d54246a6 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 15:15:39 +0530 Subject: [PATCH 12/32] Up --- ...in-policy-csp-supported-by-group-policy.md | 1 + .../policy-configuration-service-provider.md | 8 ++ .../mdm/policy-csp-experience.md | 70 -------------- .../client-management/mdm/policy-csp-feeds.md | 94 +++++++++++++++++++ 4 files changed, 103 insertions(+), 70 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-feeds.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index d7d340e2b5..eee115e673 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -262,6 +262,7 @@ ms.date: 07/18/2019 - [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) +- [Feeds/FeedsEnabled](./policy-csp-feeds-feedsenabled.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6922bada43..d55c3144ba 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6025,6 +6025,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### Feeds policies + +
+
+ Feeds/FeedsEnabled +
+
+ ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 697cc4af50..27eaa323af 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -85,9 +85,6 @@ manager: dansimp
Experience/DoNotSyncBrowserSettings
-
- Experience/Feeds -
Experience/PreventUsersFromTurningOnBrowserSyncing
@@ -1567,73 +1564,6 @@ _**Turn syncing off by default but don’t disable**_ -
- - -**Experience/Feeds** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -Specifies whether "Feeds" is enabled on the taskbar. - - - -The values for this policy are 1 and 0. This policy defaults to 1. - -- 1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -- 0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - -
- **Experience/PreventUsersFromTurningOnBrowserSyncing** diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md new file mode 100644 index 0000000000..e0fca8ab18 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -0,0 +1,94 @@ +--- +title: Policy CSP - Feeds +description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - Feeds + + +
+ + +## Feeds policies + +
+
+ Feeds/FeedsEnabled +
+
+ + +
+ + +**Feeds/FeedsEnabled** + +< + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +Specifies whether "Feeds" is enabled on the taskbar. + +The values for this policy are 1 and 0. This policy defaults to 1. + +1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + + + + From a34f21eac242530f27f1b80afc05b3f33409c00a Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 15:23:03 +0530 Subject: [PATCH 13/32] Update toc.yml --- windows/client-management/mdm/toc.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 04c1850c2f..354021ef05 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -705,6 +705,8 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From 18f536a2b00f8110d147ca856089731b0adaabf5 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:19:56 +0530 Subject: [PATCH 14/32] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + ...in-policy-csp-supported-by-group-policy.md | 1 - .../policy-configuration-service-provider.md | 15 ++- .../mdm/policy-csp-admx-feeds.md | 111 ++++++++++++++++++ .../client-management/mdm/policy-csp-feeds.md | 94 --------------- 5 files changed, 119 insertions(+), 103 deletions(-) create mode 100644 windows/client-management/mdm/policy-csp-admx-feeds.md delete mode 100644 windows/client-management/mdm/policy-csp-feeds.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 586e5edcc6..282b9ad9c4 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -280,6 +280,7 @@ ms.date: 10/08/2020 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate) - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep) - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher) +- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsEnabled) - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index eee115e673..d7d340e2b5 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -262,7 +262,6 @@ ms.date: 07/18/2019 - [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) - [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) -- [Feeds/FeedsEnabled](./policy-csp-feeds-feedsenabled.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index d55c3144ba..fa753bd3f4 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1144,6 +1144,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_Feeds policies +
+
+ ADMX_Feeds/FeedsEnabled +
+
+ ### ADMX_FileRecovery policies
@@ -6025,14 +6032,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-### Feeds policies - -
-
- Feeds/FeedsEnabled -
-
- ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-admx-feeds.md b/windows/client-management/mdm/policy-csp-admx-feeds.md new file mode 100644 index 0000000000..b96c8f3500 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-feeds.md @@ -0,0 +1,111 @@ +--- +title: Policy CSP - ADMX_Feeds +description: Policy CSP - ADMX_Feeds +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/16/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_Feeds +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +
+
+ ADMX_Feeds/FeedsEnabled +
+
+ + +
+ + +**ADMX_Feeds/FeedsEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + + + + +This policy setting specifies whether news and interests is allowed on the device. + +The values for this policy are 1 and 0. This policy defaults to 1. + +- 1 - Default - News and interests feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. + +- 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Enable news and interests on the taskbar.* +- GP name: *FeedsEnabled* +- GP path: *Windows Components\News and interests* +- GP ADMX file name: *Feeds.admx* + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md deleted file mode 100644 index e0fca8ab18..0000000000 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Policy CSP - Feeds -description: Define the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.localizationpriority: medium -ms.date: 09/27/2019 -ms.reviewer: -manager: dansimp ---- - -# Policy CSP - Feeds - - -
- - -## Feeds policies - -
-
- Feeds/FeedsEnabled -
-
- - -
- - -**Feeds/FeedsEnabled** - -< - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -Specifies whether "Feeds" is enabled on the taskbar. - -The values for this policy are 1 and 0. This policy defaults to 1. - -1 - Default - "Feeds" feature will be allowed on the taskbar. The settings UI will be present in Taskbar context menu, and users will be able to turn off or switch mode. - -0 - "Feeds" feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. - - - - - From 3fe3d1ca56695eeb1683d1748a47d0140366939b Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:25:30 +0530 Subject: [PATCH 15/32] Update toc.yml --- windows/client-management/mdm/toc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 354021ef05..753d778986 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -480,7 +480,9 @@ items: - name: ADMX_Explorer href: policy-csp-admx-explorer.md - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md + href: policy-csp-admx-externalboot.md + - name: Feeds + href: policy-csp-admx-feeds.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md - name: ADMX_FileRevocation @@ -705,8 +707,6 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From b6c6c91d1cc874cc45abb3ebf8723cc6b29dd6fb Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 16 Sep 2021 17:30:43 +0530 Subject: [PATCH 16/32] Update policies-in-policy-csp-admx-backed.md --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 282b9ad9c4..e215f891b8 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -280,7 +280,7 @@ ms.date: 10/08/2020 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate) - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep) - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher) -- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsEnabled) +- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsenabled) - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) From 3db89c2afdcc8d5d10e07ad603bb85bc7adc654e Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 17 Sep 2021 15:40:54 +0530 Subject: [PATCH 17/32] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 - .../policy-configuration-service-provider.md | 7 ---- ...-csp-admx-feeds.md => policy-csp-feeds.md} | 36 ++++++++----------- 3 files changed, 15 insertions(+), 29 deletions(-) rename windows/client-management/mdm/{policy-csp-admx-feeds.md => policy-csp-feeds.md} (53%) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index e215f891b8..586e5edcc6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -280,7 +280,6 @@ ms.date: 10/08/2020 - [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate) - [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep) - [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher) -- [ADMX_Feeds/FeedsEnabled](./policy-csp-admx-feeds.md#admx-feeds-feedsenabled) - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index fa753bd3f4..6922bada43 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1144,13 +1144,6 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-### ADMX_Feeds policies -
-
- ADMX_Feeds/FeedsEnabled -
-
- ### ADMX_FileRecovery policies
diff --git a/windows/client-management/mdm/policy-csp-admx-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md similarity index 53% rename from windows/client-management/mdm/policy-csp-admx-feeds.md rename to windows/client-management/mdm/policy-csp-feeds.md index b96c8f3500..bc8b0b1996 100644 --- a/windows/client-management/mdm/policy-csp-admx-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,27 +1,30 @@ --- -title: Policy CSP - ADMX_Feeds -description: Policy CSP - ADMX_Feeds +title: Policy CSP - Feeds +description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. +. ms.author: dansimp -ms.localizationpriority: medium ms.topic: article ms.prod: w10 ms.technology: windows author: nimishasatapathy -ms.date: 09/16/2021 +ms.localizationpriority: medium +ms.date: 09/17/2021 ms.reviewer: manager: dansimp --- -# Policy CSP - ADMX_Feeds -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +# Policy CSP - Feeds + +
+## Feeds policies +
- ADMX_Feeds/FeedsEnabled + Feeds/FeedsEnabled
@@ -29,7 +32,7 @@ manager: dansimp
-**ADMX_Feeds/FeedsEnabled** +**Feeds/FeedsEnabled** @@ -74,9 +77,10 @@ manager: dansimp > [!div class = "checklist"] > * Machine +
+ - This policy setting specifies whether news and interests is allowed on the device. The values for this policy are 1 and 0. This policy defaults to 1. @@ -86,26 +90,16 @@ The values for this policy are 1 and 0. This policy defaults to 1. - 0 - News and interests feature will be turned off completely, and the settings UI in Taskbar context menu will be removed. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP Friendly name: *Enable news and interests on the taskbar.* +- GP Friendly name: *Enable news and interests on the taskbar* - GP name: *FeedsEnabled* - GP path: *Windows Components\News and interests* - GP ADMX file name: *Feeds.admx* -
- -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. From d91709bf3260bef8981cf359afafe2c6822766e7 Mon Sep 17 00:00:00 2001 From: Asha Iyengar Date: Sat, 18 Sep 2021 13:52:21 +0530 Subject: [PATCH 18/32] minor changes --- .../threat-protection/windows-firewall/boundary-zone.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md index a78415035a..9c0d1186eb 100644 --- a/windows/security/threat-protection/windows-firewall/boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md @@ -31,7 +31,7 @@ Devices in the boundary zone are trusted devices that can accept communication r The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but don't require it. -These boundary zone devices receive unsolicited inbound communications from untrusted devices that use plaintext. Therefore, they must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. +These boundary zone devices might receive unsolicited inbound communications from untrusted devices that use plaintext and must be carefully managed and secured in other ways. Mitigating this extra risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone minimizes the additional risk. The following illustration shows a sample process that can help make such a decision. ![design flowchart.](images/wfas-designflowchart1.gif) From 8448a97857577e19e94c129d751077dfd78310e3 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 20 Sep 2021 00:03:15 +0530 Subject: [PATCH 19/32] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../mdm/policy-configuration-service-provider.md | 7 +++++++ .../client-management/mdm/policy-csp-experience.md | 12 ++++++------ windows/client-management/mdm/policy-csp-feeds.md | 1 - windows/client-management/mdm/toc.yml | 2 ++ 5 files changed, 16 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 586e5edcc6..33771b68a4 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1431,6 +1431,7 @@ ms.date: 10/08/2020 - [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) - [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) - [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [Feeds/FeedsEnabled](./policy-csp-feeds.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6922bada43..f5507cb383 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -6025,6 +6025,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### Feeds policies +
+
+ Feeds/FeedsEnabled +
+
+ ### FileExplorer policies
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 27eaa323af..61abaceb22 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1192,22 +1192,22 @@ The following list shows the supported values:
- - + + - - + + - + - +
ProYesYesNoNo
BusinessYesYesNoNo
EnterpriseYesNo Yes
EducationYesNo Yes
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index bc8b0b1996..7cf158d3b9 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -16,7 +16,6 @@ manager: dansimp # Policy CSP - Feeds -
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 753d778986..0abecf442a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -707,6 +707,8 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feedsenabled.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From 221bd0216a87203ad16cad9f41d87f72de15afdc Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 20 Sep 2021 00:10:38 +0530 Subject: [PATCH 20/32] Updated --- windows/client-management/mdm/policy-csp-feeds.md | 3 +-- windows/client-management/mdm/toc.yml | 6 ++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index 7cf158d3b9..834c6f8226 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -1,8 +1,7 @@ --- title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. -. -ms.author: dansimp +ms.author: v-nsatapathy ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 0abecf442a..5c32037d42 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -480,9 +480,7 @@ items: - name: ADMX_Explorer href: policy-csp-admx-explorer.md - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: Feeds - href: policy-csp-admx-feeds.md + href: policy-csp-admx-externalboot.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md - name: ADMX_FileRevocation @@ -708,7 +706,7 @@ items: - name: ExploitGuard href: policy-csp-exploitguard.md - name: Feeds - href: policy-csp-feedsenabled.md + href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games From 83de1a36e71618e763c3964eee0bacd496e385b8 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Mon, 20 Sep 2021 11:17:13 +0530 Subject: [PATCH 21/32] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../policy-configuration-service-provider.md | 8 ++ .../policy-csp-admx-locationprovideradm.md | 112 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 4 files changed, 123 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-locationprovideradm.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 33771b68a4..2cccb73779 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -423,6 +423,7 @@ ms.date: 10/08/2020 - [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1) - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) - [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) - [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f5507cb383..b65e797058 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1636,6 +1636,14 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_LocationProviderAdm policies + +
+
+ ADMX_LocationProviderAdm/BlockUserFromShowingAccountDetailsOnSignin +
+
+ ### ADMX_Logon policies
diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md new file mode 100644 index 0000000000..c1280d5f04 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -0,0 +1,112 @@ +--- +title: Policy CSP - ADMX_LocationProviderAdm +description: Policy CSP - ADMX_LocationProviderAdm +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/20/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LocationProviderAdm +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_LocationProviderAdm policies + +
+
+ ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1 +
+
+ + +
+ + +**ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting turns off the Windows Location Provider feature for this computer. + +- If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. + +- If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off Windows Location Provider* +- GP name: *DisableWindowsLocationProvider_1* +- GP path: *Windows Components\Location and Sensors\Windows Location Provider* +- GP ADMX file name: *LocationProviderAdm.admx* + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 5c32037d42..3af12f96b7 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -511,6 +511,8 @@ items: href: policy-csp-admx-lanmanworkstation.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md - name: ADMX_Logon href: policy-csp-admx-logon.md - name: ADMX_MicrosoftDefenderAntivirus From 04b929803969b0bd2b5ed4bae640b4618cd21e61 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Mon, 20 Sep 2021 10:16:28 -0700 Subject: [PATCH 22/32] a few more updates --- .../update/deployment-service-overview.md | 25 +++++++++++-------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 4eca196e15..01812adc48 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -16,7 +16,10 @@ ms.topic: article # Windows Update for Business deployment service -> Applies to: Windows 10 +**Applies to** + +- Windows 10 +- Windows 11 The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies. @@ -56,18 +59,18 @@ The deployment service exposes these capabilities through Microsoft [Graph REST To work with the deployment service, devices must meet all these requirements: -- Be running Windows 10, version 1709 or later +- Be running Windows 10, version 1709 or later (or Windows 11) - Be joined to Azure Active Directory (AD) or Hybrid AD -- Have one of the following Windows 10 editions installed: - - Windows 10 Pro - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Pro Education - - Windows 10 Pro for Workstations +- Have one of the following Windows 10 or Windows 11 editions installed: + - Pro + - Enterprise + - Education + - Pro Education + - Pro for Workstations Additionally, your organization must have one of the following subscriptions: -- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) -- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5) +- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5) +- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5) - Windows Virtual Desktop Access E3 or E5 - Microsoft 365 Business Premium @@ -78,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell From 877ef1bebf8c99859d7aa562af7aff7739487fdb Mon Sep 17 00:00:00 2001 From: jaimeo Date: Mon, 20 Sep 2021 10:40:38 -0700 Subject: [PATCH 23/32] adding article on safeguard holds --- windows/deployment/update/safeguard-holds.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md index 735acd6e97..eb28dce097 100644 --- a/windows/deployment/update/safeguard-holds.md +++ b/windows/deployment/update/safeguard-holds.md @@ -12,9 +12,14 @@ ms.topic: article # Safeguard holds -Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. +**Applies to** -Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10. +- Windows 10 +- Windows 11 + +Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available. + +Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client. The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices. From 97b2691d63b6e1e56b69f84155dd20217ccd349d Mon Sep 17 00:00:00 2001 From: Kaushik Ainapure Date: Tue, 21 Sep 2021 00:23:48 +0530 Subject: [PATCH 24/32] Format changes and additional error codes 1. Updated article with H2 formatting for better discoverability of the error codes. 2. Updated article to include 17 additional error codes. --- .../update/windows-update-errors.md | 227 ++++++++++++++++-- 1 file changed, 205 insertions(+), 22 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index eb178f7528..0604df39cc 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -3,13 +3,14 @@ title: Windows Update common errors and mitigation description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: -audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: -manager: laurawi -ms.topic: article +ms.reviewer: kaushika +manager: dcscontentpm +audience: itpro +ms.topic: troubleshooting +ms.technology: windows-client-deployment ms.custom: seo-marvel-apr2020 --- @@ -22,22 +23,204 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. +## 0x8024402F -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | -| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | + +## 0x80242006 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | + +## 0x80070BC9 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | + +## 0x80200053 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | + +## 0x80072EFD or 0x80072EFE or 0x80D02002 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | + +## 0X8007000D + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | + +## 0x8024A10A + +| Message | Description | Mitigation | +|---------|-------------|------------| +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | + +## 0x80240020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | + +## 0x80242014 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | + +## 0x80246017 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| + +## 0x8024000B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | + +## 0x8024000E + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | + +## 0x8024D009 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | + +## 0x80244007 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + +## 0x80070422 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| + +## 0x800f0821 + + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| + +## 0x800f0825 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800F0920 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | + +## 0x800f081f + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800f0831 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80070005 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | + +## 0x80070570 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + + +## 0x80070003 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | + + +## 0x80070020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | + +## 0x80073701 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x8007371b + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80072EFE + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | + +## 0x80072F8F + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com | + +## 0x80240022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | + +## 0x8024401B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | + + +## 0x80244022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | From 8018fc90224e43e4c1c5f9c078bbad24e7c0e0e8 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 20 Sep 2021 13:44:38 -0700 Subject: [PATCH 25/32] Fixed broken note; added vertical space for nicer layout --- .../update/deployment-service-overview.md | 20 ++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 01812adc48..f78e87008d 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -136,26 +136,35 @@ To enroll devices in Windows Update for Business cloud processing, set the **All > [!NOTE] > Setting this policy by using Group Policy isn't currently supported. - -| Policy | Sets registry key under **HKLM\\Software** | -|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | +> +> | Policy | Sets registry key under **HKLM\\Software** | +> |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +> | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Devices** > **Configuration profiles** > **Create profile**. + 3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**. + 4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**. + 5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**. - Name: **AllowWUfBCloudProcessing** - Description: Enter a description. - OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing` - Data type: **Integer** - Value: **8** + 6. In **Assignments**, select the groups that will receive the profile, and then select **Next**. + 7. In **Review + create**, review your settings, and then select **Create**. -8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**. + +8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: + + **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing** ## Best practices Follow these suggestions for the best results with the service. @@ -163,6 +172,7 @@ Follow these suggestions for the best results with the service. ### Device onboarding - Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day). + - Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors. ### General From 03c5cb308d48731ed17a3a6c2597f31f78645c83 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 20 Sep 2021 13:47:16 -0700 Subject: [PATCH 26/32] Revert "Format changes and additional error codes" --- .../update/windows-update-errors.md | 227 ++---------------- 1 file changed, 22 insertions(+), 205 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 0604df39cc..eb178f7528 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -3,14 +3,13 @@ title: Windows Update common errors and mitigation description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them. ms.prod: w10 ms.mktglfcycl: +audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: kaushika -manager: dcscontentpm -audience: itpro -ms.topic: troubleshooting -ms.technology: windows-client-deployment +ms.reviewer: +manager: laurawi +ms.topic: article ms.custom: seo-marvel-apr2020 --- @@ -23,204 +22,22 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. -## 0x8024402F -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | - -## 0x80242006 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | - -## 0x80070BC9 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | - -## 0x80200053 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| - -## 0x80072EE2 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | - -## 0x80072EFD or 0x80072EFE or 0x80D02002 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | - -## 0X8007000D - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | - -## 0x8024A10A - -| Message | Description | Mitigation | -|---------|-------------|------------| -| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | - -## 0x80240020 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | - -## 0x80242014 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | - -## 0x80246017 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| - -## 0x8024000B - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | - -## 0x8024000E - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | - -## 0x8024D009 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | - -## 0x80244007 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - -## 0x80070422 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| - -## 0x800f0821 - - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| - -## 0x800f0825 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x800F0920 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | - -## 0x800f081f - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x800f0831 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x80070005 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | - -## 0x80070570 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - - -## 0x80070003 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | - - -## 0x80070020 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | - -## 0x80073701 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x8007371b - -| Message | Description | Mitigation | -|---------|-------------|------------| -| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | - -## 0x80072EFE - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | - -## 0x80072F8F - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ - -## 0x80072EE2 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/en-US/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com | - -## 0x80240022 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | - -## 0x8024401B - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | - - -## 0x80244022 - -| Message | Description | Mitigation | -|---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | +| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | +| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| From 2ad81bb7395678071dc8e7d13c3c254d1e767f21 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 20 Sep 2021 13:58:02 -0700 Subject: [PATCH 27/32] Revert joining of note with table --- windows/deployment/update/deployment-service-overview.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index f78e87008d..63c9c6aa24 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -136,10 +136,10 @@ To enroll devices in Windows Update for Business cloud processing, set the **All > [!NOTE] > Setting this policy by using Group Policy isn't currently supported. -> -> | Policy | Sets registry key under **HKLM\\Software** | -> |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -> | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | + +| Policy | Sets registry key under **HKLM\\Software** | +|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: From 6d84f71eeb16a186c780a703f7bb007653d4d5f0 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 21 Sep 2021 10:13:18 +0530 Subject: [PATCH 28/32] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 - windows/client-management/mdm/policy-csp-feeds.md | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 2cccb73779..5ceb9db7c3 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -1432,7 +1432,6 @@ ms.date: 10/08/2020 - [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) - [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) - [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) -- [Feeds/FeedsEnabled](./policy-csp-feeds.md#feeds-feedsenabled) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) - [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index 834c6f8226..0f683d9be9 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -47,22 +47,22 @@ manager: dansimp Pro Yes - Yes + No Business Yes - Yes + No Enterprise Yes - Yes + No Education Yes - Yes + No From 3778ff2e807d4b8965db0ce8d25a4c705ade4901 Mon Sep 17 00:00:00 2001 From: Kaushik Ainapure Date: Tue, 21 Sep 2021 18:56:56 +0530 Subject: [PATCH 29/32] Format changes with additional error codes 1. Updated article to include 17 additional error codes. 2. Updated article with H2 formatting for better discoverability of the error codes. ------- cc: @jaimeo --- .../update/windows-update-errors.md | 216 ++++++++++++++++-- 1 file changed, 196 insertions(+), 20 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index eb178f7528..982fac6d52 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -7,9 +7,9 @@ audience: itpro itproauthor: jaimeo ms.audience: itpro author: jaimeo -ms.reviewer: +ms.reviewer: kaushika manager: laurawi -ms.topic: article +ms.topic: troubleshooting ms.custom: seo-marvel-apr2020 --- @@ -22,22 +22,198 @@ ms.custom: seo-marvel-apr2020 The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. +## 0x8024402F -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com


You can also take a network trace to check what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update installation. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | -| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | + +## 0x80242006 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | + +## 0x80070BC9 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | + +## 0x80200053 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| + +## 0x80072EFD or 0x80072EFE or 0x80D02002 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | + +## 0X8007000D + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | + +## 0x8024A10A + +| Message | Description | Mitigation | +|---------|-------------|------------| +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | + +## 0x80240020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | + +## 0x80242014 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | + +## 0x80246017 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| + +## 0x8024000B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | + +## 0x8024000E + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | + +## 0x8024D009 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | + +## 0x80244007 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + +## 0x80070422 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| + +## 0x800f0821 + + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| + +## 0x800f0825 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800F0920 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | + +## 0x800f081f + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x800f0831 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80070005 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | + +## 0x80070570 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + + +## 0x80070003 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | + + +## 0x80070020 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | + +## 0x80073701 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x8007371b + +| Message | Description | Mitigation | +|---------|-------------|------------| +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | + +## 0x80072EFE + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | + +## 0x80072F8F + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ + +## 0x80072EE2 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | + +## 0x80240022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | + +## 0x8024401B + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | + + +## 0x80244022 + +| Message | Description | Mitigation | +|---------|-------------|------------| +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | From 8dc6c215513a38d68523028a8c101aec55d05cdd Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 21 Sep 2021 09:20:54 -0700 Subject: [PATCH 30/32] Update windows-update-errors.md Various typo, style, terminology, and capitalization fixes. --- .../update/windows-update-errors.md | 62 +++++++++---------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 982fac6d52..20dc038060 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -26,55 +26,55 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed | +| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External .cab file processing completed with some errors | This can be caused by the Lightspeed Rocket for web filtering software.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed Rocket. | ## 0x80242006 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | +| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename the software redistribution folder and try to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2

Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak | ## 0x80070BC9 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system | +| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. Restart the system to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. | ## 0x80200053 | Message | Description | Mitigation | |---------|-------------|------------| -| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| +| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.

If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).| ## 0x80072EFD or 0x80072EFE or 0x80D02002 | Message | Description | Mitigation | |---------|-------------|------------| -| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxies that block Microsoft download URLs.
Take a network monitor trace to understand better. \ | ## 0X8007000D | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred.| Attempt to re-download the update and initiate installation. | +| ERROR_INVALID_DATA | Indicates data that isn't valid was downloaded or corruption occurred.| Attempt to re-download the update and start installation. | ## 0x8024A10A | Message | Description | Mitigation | |---------|-------------|------------| -| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity, the system failing to respond leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| USO_E_SERVICE_SHUTTING_DOWN | Indicates that the Windows Update Service is shutting down. | This can occur after a very long period of time of inactivity. The system fails to respond, leading to the service being idle and causing the service to shut down. Ensure that the system remains active and the connections remain established to complete the installation. | ## 0x80240020 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Sign in to the device to start the installation and allow the device to restart. | +| WU_E_NO_INTERACTIVE_USER | Operation did not complete because no interactive user is signed in. | Sign in to the device to start the installation and allow the device to restart. | ## 0x80242014 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows Updates require the device to be restarted. Restart the device to complete update nstallation. | +| WU_E_UH_POSTREBOOTSTILLPENDING | The post-restart operation for the update is still in progress. | Some Windows updates require the device to be restarted. Restart the device to complete update installation. | ## 0x80246017 @@ -86,134 +86,134 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | ## 0x8024000E | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +| WU_E_XML_INVALID | Windows Update Agent found information in the update's XML data that isn't valid. | Certain drivers contain additional metadata information in Update.xml, which Orchestrator can interpret as data that isn't valid. Ensure that you have the latest Windows Update Agent installed on the device. | ## 0x8024D009 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.

Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | ## 0x80244007 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | +| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update.

Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | ## 0x80070422 | Message | Description | Mitigation | |---------|-------------|------------| -| NA | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
| +| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.
| ## 0x800f0821 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it.| +| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the has installed the update in KB4493473 or later.| ## 0x800f0825 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x800F0920 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_HANG_DETECTED; A hang was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has hung. Extending the timeout will mitigate the issue. Increase the machine resources. If a virtual machine, increase virtual CPU and memory to speedup the operation. Make sure the machine as at least the KB4493473, if not please download and manually install it. | +| CBS_E_HANG_DETECTED; A failure to respond was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has stopped responding. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the device has installed the update in KB4493473 or later.| ## 0x800f081f | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x800f0831 | Message | Description | Mitigation | |---------|-------------|------------| -| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x80070005 | Message | Description | Mitigation | |---------|-------------|------------| -| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an ACCESS DENIED.
Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the ACCESS DENIED, it could be acess denied to a file, registry key,etc. Determine what object needs the right permissions and change the permissions | +| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be acess denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. | ## 0x80070570 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device.| ## 0x80070003 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS and open the last CBS.log and search for “, error” and match with the timestamp. | +| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. | ## 0x80070020 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by 3rd party filter drivers like Antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool process monitor -> https://docs.microsoft.com/sysinternals/downloads/procmon
3. Run procmon.exe. It will start data capture automatically
4. Install the Update package again
5. With procmon program main window in focus, press Ctrl + E or click the magnifying glass to terminate data capture
6. Click File > Save > All Events > PML, and choose an adequate path to save the .PML file
7. Go to %windir%\logs\cbs and open the last cbs.log file and search for the error
8. After finding the error line a bit above you should have the file being accessed during the installation that is giving the sharing violation error
9. In the Procmon windows filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”)
10. After checking which process is accessing that file try to stop it or uninstall it from the machine | +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | ## 0x80073701 | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically component store corruption caused when a component is in a partially installed state. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically, a component store corruption caused when a component is in a partially installed state. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x8007371b | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair component store with Dism RestoreHealth command OR manually repair with payload from the partially installed component. Open and elevated command prompt and execute the below commands, by order:
1. DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH
2. DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT
3. DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH
4. Sfc /Scannow
5. Reboot the machine | +| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. | ## 0x80072EFE | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_CONNECTION_ABORTED; The connection with the server was terminated abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking/downloading updates.
From a cmd prompt run: **BITSADMIN /LIST /ALLUSERS /VERBOSE**
Search for the 0x80072EFE error code. You should see a reference to a HTTP code with a specific file, try to download it manually from your browser making sure you’re using your proxy organization settings. If it fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | +| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.
From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE*
Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you’re using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. | ## 0x80072F8F | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client machine. | This error generally means that the Windows Update Agent was unable to decode the received content. You need to install and configure TLS 1.2 by installing this KB: https://support.microsoft.com/help/3140245/ +| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/). ## 0x80072EE2 | Message | Description | Mitigation | |---------|-------------|------------| -| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to WU, SCCM, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc.
Check with your network team if the machine is able to get to your WSUS/SCCM/MEM/etc or the internet servers. See, https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures
In case you’re using the public MS update servers, check that your device can access the following Windows Update endpoints:
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | +| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures).
If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
`http://windowsupdate.microsoft.com`
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com | ## 0x80240022 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is where Anti-Virus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | +| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is that antivirus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. | ## 0x8024401B | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own configured WSUS/SCCM/MEM/etc due to a Proxy error.
- Verify the proxy settings on the client, and make sure that they are configured correctly. The Windows Update Agent uses WinHTTP to scan for available updates. So, when there is a proxy server between the client and the WSUS computer, the proxy settings must be configured correctly on the clients to enable them to communicate with WSUS by using the computer's FQDN.
- Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication | +| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own update source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager, due to a proxy error.
Verify the proxy settings on the client. The Windows Update Agent uses WinHTTP to scan for available updates. When there is a proxy server between the client and the update source, the proxy settings must be configured correctly on the clients to enable them to communicate by using the source's FQDN.
Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. | ## 0x80244022 | Message | Description | Mitigation | |---------|-------------|------------| -| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network team and proxy team if the machine is able to get to your WSUS/SCCM7MEM/etc or the internet servers without the proxy requiring user authentication. | +| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. | From f464d757d3934fe33f6dd79b8a7182417969ff3e Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Tue, 21 Sep 2021 09:52:50 -0700 Subject: [PATCH 31/32] Update windows-update-errors.md Fixing a link. --- windows/deployment/update/windows-update-errors.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index 20dc038060..ac67414ec6 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md @@ -167,7 +167,7 @@ The following table provides information about common errors you might run into | Message | Description | Mitigation | |---------|-------------|------------| -| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | +| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. | ## 0x80073701 From a811de340bd5ca74bf50ad4b46e5a68a292d3267 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Tue, 21 Sep 2021 14:29:35 -0700 Subject: [PATCH 32/32] Corrected the minversion's since cscript/wscript do not follow typical win10 bin versions --- .../microsoft-recommended-block-rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0365837d1b..d9e8974465 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -151,7 +151,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -181,7 +181,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - +