deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into deploy-rings

Browse Source
This commit is contained in:
Joey Caparas
2020-10-23 11:58:57 -07:00
parent fa2eed169a c0145fb4cf
commit 02a980a5f5
12 changed files with 184 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
education/windows/windows-editions-for-education-customers.md
View File

@ -30,10 +30,10 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o
Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana<sup>[1](#footnote1)</sup>,
For Cortana<sup>[1](#footnote1)</sup>:
- If you're using version 1607, Cortana is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
- If you're using new devices with version 1703 or later, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
@ -49,10 +49,10 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si
Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627).
For Cortana<sup>1</sup>,
For Cortana<sup>1</sup>:
- If you're using version 1607, Cortana<sup>1</sup> is removed.
- If you're using new devices with version 1703, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
- If you're using new devices with version 1703 or later, Cortana is turned on by default.
- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled.
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).

9
windows/deployment/update/safeguard-holds.md
View File

@ -12,19 +12,20 @@ ms.topic: article
# Safeguard holds
Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services (WSUS)) to remain aware of known issues that might also be present in their environments.
Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
## Am I affected by a safeguard hold?
IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard, where you can easily find information related to publicly available safeguards.
Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard, where you can easily find information related to publicly available safeguards.
On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
@ -40,4 +41,4 @@ We recommend that you do not attempt to manually update until issues have been r
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows Release Health](https://docs.microsoft.com/windows/release-information/status-windows-10-1903) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, protection of safeguard holds is reinstated automatically.
With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.

47
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -21,8 +21,7 @@ ms.custom:
# Manage Windows Defender Credential Guard
**Applies to**
- Windows 10 <=1903 Enterprise and Education SKUs
- Windows 10 >=1909
- Windows 10 Enterprise or Education SKUs
- Windows Server 2016
- Windows Server 2019
@ -119,12 +118,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic
2. Enable virtualization-based security:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
@ -145,6 +147,7 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
### Review Windows Defender Credential Guard performance
@ -171,6 +174,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
> [!NOTE]
@ -179,15 +183,25 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
- The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
- The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0**
- The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run.
- The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**.
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**.
- You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
```powershell
@ -195,10 +209,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
```
This command generates the following output:
- **0**: Windows Defender Credential Guard is disabled (not running)
- **1**: Windows Defender Credential Guard is enabled (running)
> [!NOTE]
> Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
> [!NOTE]
> Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running.
## Disable Windows Defender Credential Guard
@ -207,12 +224,15 @@ To disable Windows Defender Credential Guard, you can use the following set of p
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
3. If you also wish to disable virtualization-based security delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
@ -261,6 +281,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
> [!IMPORTANT]
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
>
> This is a known issue.
#### Disable Windows Defender Credential Guard for a virtual machine

6
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -58,11 +58,11 @@ For information about Windows Defender Remote Credential Guard hardware and soft
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
>[!WARNING]
> [!WARNING]
> Enabling Windows Defender Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
>[!NOTE]
> [!NOTE]
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Applications will break if they require:
@ -140,7 +140,7 @@ The following table lists qualifications for Windows 10, version 1703, which are
> [!IMPORTANT]
>
>Regarding **VBS enablement of NX protection for UEFI runtime services**:
> Regarding **VBS enablement of NX protection for UEFI runtime services**:
>
> - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
>

21
windows/security/identity-protection/remote-credential-guard.md
View File

@ -53,7 +53,7 @@ Use the following table to compare different Remote Desktop connection security
<br />
| **Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** |
| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**. <br /><br />For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
@ -67,7 +67,7 @@ Use the following table to compare different Remote Desktop connection security
<br />
For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx)
and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot))
and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)).
<br />
@ -93,8 +93,11 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
@ -108,9 +111,13 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
>
> GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
## Enable Windows Defender Remote Credential Guard
@ -118,15 +125,20 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
1. Open Registry Editor on the remote host.
2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Add a new DWORD value named **DisableRestrictedAdmin**.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
3. Close Registry Editor.
You can add this by running the following command from an elevated command prompt:
```
```console
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
@ -143,6 +155,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> [!NOTE]
@ -163,7 +176,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
```
```console
mstsc.exe /remoteGuard
```

29
windows/security/identity-protection/user-account-control/how-user-account-control-works.md
View File

@ -109,9 +109,7 @@ To better understand each component, review the table below:
<th>Description</th>
</tr>
<tr>
<td>
<p><b>User</b></p>
</td>
<th colspan="2">User</th>
</tr>
<tr>
<td>
@ -138,9 +136,7 @@ To better understand each component, review the table below:
</td>
</tr>
<tr>
<td>
<p><b>System</b></p>
</td>
<th colspan="2">System</th>
</tr>
<tr>
<td>
@ -248,8 +244,7 @@ To better understand each component, review the table below:
</td>
</tr>
<tr>
<td>
<p><b>Kernel</b></p>
<th colspan="2">Kernel</th>
</td>
</tr>
<tr>
@ -276,9 +271,11 @@ The slider will never turn UAC completely off. If you set it to <b>Never notify<
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
- Automatically deny all elevation requests for standard users.
> **Important:** In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
>
> **Warning:** Universal Windows apps will not work when UAC is disabled.
> [!IMPORTANT]
> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
> [!WARNING]
> Some Universal Windows Platform apps may not work when UAC is disabled.
### Virtualization
@ -291,7 +288,9 @@ Most app tasks operate properly by using virtualization features. Although virtu
Virtualization is not an option in the following scenarios:
- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
### Request execution levels
@ -319,6 +318,8 @@ Before a 32-bit process is created, the following attributes are checked to dete
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
> **Note:** The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
>
> **Note:** The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
> [!NOTE]
> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
> [!NOTE]
> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).

10
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
View File

@ -82,20 +82,24 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
### Using System information
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows 10.
>[!NOTE]
> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES.
>[!NOTE]
> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES and the **Hyper-V** Windows feature is enabled. Enabling both is needed to enable **Kernel DMA Protection** even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection).
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
## Frequently asked questions

33
windows/security/threat-protection/auditing/basic-audit-logon-events.md
View File

@ -38,33 +38,12 @@ You can configure this security setting by opening the appropriate policy under
| Logon events | Description |
| - | - |
| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. |
| 531 | Logon failure. A logon attempt was made using a disabled account. |
| 532 | Logon failure. A logon attempt was made using an expired account. |
| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
| 534 | Logon failure. The user attempted to log on with a type that is not allowed. |
| 535 | Logon failure. The password for the specified account has expired. |
| 536 | Logon failure. The Net Logon service is not active. |
| 537 | Logon failure. The logon attempt failed for other reasons. |
| 538 | The logoff process was completed for a user. |
| 539 | Logon failure. The account was locked out at the time the logon attempt was made. |
| 540 | A user successfully logged on to a network. |
| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
| 542 | A data channel was terminated. |
| 543 | Main mode was terminated. |
| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
| 547 | A failure occurred during an IKE handshake. |
| 548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. |
| 549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. |
| 550 | Notification message that could indicate a possible denial-of-service attack. |
| 551 | A user initiated the logoff process. |
| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 682 | A user has reconnected to a disconnected terminal server session. |
| 683 | A user disconnected a terminal server session without logging off. |
| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
| 4634 | The logoff process was completed for a user. |
| 4647 | A user initiated the logoff process. |
| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
| 4779 | A user disconnected a terminal server session without logging off. |
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.

151
windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Enable Block at First Sight to detect malware in seconds
description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
title: Enable block at first sight to detect malware in seconds
description: Turn on the block at first sight feature to detect and block malware within seconds.
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -12,7 +12,7 @@ ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.custom: nextgen
ms.date: 08/26/2020
ms.date: 10/22/2020
---
# Turn on block at first sight
@ -24,9 +24,9 @@ ms.date: 08/26/2020
- Microsoft Defender Antivirus
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
>[!TIP]
>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
@ -40,109 +40,75 @@ Microsoft Defender Antivirus uses multiple detection and prevention technologies
In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
## Confirm and validate that block at first sight is turned on
## Turn on block at first sight with Microsoft Intune
Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
> [!TIP]
> Microsoft Intune is now part of Microsoft Endpoint Manager.
### Confirm block at first sight is turned on with Intune
1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
2. Select or create a profile using the **Device restrictions** profile type.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
2. Verify these settings are configured as follows:
- **Cloud-delivered protection**: **Enable**
- **File Blocking Level**: **High**
- **Time extension for file scanning by the cloud**: **50**
- **Prompt users before sample submission**: **Send all data without prompting**
- **Cloud-delivered protection**: Enabled
- **File Blocking Level**: High
- **Time extension for file scanning by the cloud**: 50
- **Prompt users before sample submission**: Send all data without prompting
![Intune config](images/defender/intune-block-at-first-sight.png)
> [!WARNING]
> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
4. Save your settings.
For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
> [!TIP]
> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
## Turn on block at first sight with Microsoft Endpoint Manager
### Turn on block at first sight with Microsoft Endpoint Configuration Manager
> [!TIP]
> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
2. Click **Home** > **Create Antimalware Policy**.
2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
3. Enter a name and a description, and add these settings:
- **Real time protection**
- **Advanced**
- **Cloud Protection Service**
3. Set or confirm the following configuration settings:
4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
![Enable real-time protection](images/defender/sccm-real-time-protection.png)
- **Turn on cloud-delivered protection**: Yes
- **Cloud-delivered protection level**: High
- **Defender Cloud Extended Timeout in Seconds**: 50
5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
:::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png)
4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
7. Click **OK** to create the policy.
## Turn on block at first sight with Group Policy
### Confirm block at first sight is turned on with Group Policy
> [!NOTE]
> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
> [!WARNING]
> [!IMPORTANT]
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**:
4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**:
1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**.
2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**.
If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
### Confirm block at first sight is turned on with Registry editor
1. Start Registry Editor.
2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that
1. **SpynetReporting** key is set to **1**
2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that
1. **DisableIOAVProtection** key is set to **0**
2. **DisableRealtimeMonitoring** key is set to **0**
4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2**
### Confirm Block at First Sight is enabled on individual clients
## Confirm block at first sight is enabled on individual clients
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
@ -157,24 +123,43 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
> [!NOTE]
> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
### Validate block at first sight is working
## Validate block at first sight is working
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Turn off block at first sight
> [!WARNING]
> Turning off block at first sight will lower the protection state of the endpoint and your network.
> [!CAUTION]
> Turning off block at first sight will lower the protection state of your device(s) and your network.
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
### Turn off block at first sight with Microsoft Endpoint Manager
1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
3. Under **Manage**, choose **Properties**.
4. Next to **Configuration settings**, choose **Edit**.
5. Change one or more of the following settings:
- Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
- Set **Cloud-delivered protection level** to **Not configured**.
- Clear the **Defender Cloud Extended Timeout In Seconds** box.
6. Review and save your settings.
### Turn off block at first sight with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

16
windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
View File

@ -338,6 +338,18 @@ Specify whether to show or hide the status menu icon in the top-right corner of
| **Data type** | Boolean |
| **Possible values** | false (default) <br/> true |
#### Show / hide option to send feedback
Specify whether users can submit feedback to Microsoft by going to `Help` > `Send Feedback`.
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
| **Key** | userInitiatedFeedback |
| **Data type** | String |
| **Possible values** | enabled (default) <br/> disabled |
| **Comments** | Available in Microsoft Defender ATP version 101.19.61 or higher. |
### Endpoint detection and response preferences
Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender ATP for Mac.
@ -626,6 +638,8 @@ The following templates contain entries for all settings described in this docum
<dict>
<key>hideStatusMenuIcon</key>
<false/>
<key>userInitiatedFeedback</key>
<string>enabled</string>
</dict>
</dict>
</plist>
@ -766,6 +780,8 @@ The following templates contain entries for all settings described in this docum
<dict>
<key>hideStatusMenuIcon</key>
<false/>
<key>userInitiatedFeedback</key>
<string>enabled</string>
</dict>
</dict>
</array>

6
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -43,6 +43,12 @@ ms.topic: conceptual
> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
## 101.09.61
- Added a new managed preference for [disabling the option to send feedback](mac-preferences.md#show--hide-option-to-send-feedback)
- Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator
- Performance improvements & bug fixes
## 101.09.50
- This product version has been validated on macOS Big Sur 11 beta 9