diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 31a3184bdb..cfc3df66f0 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -500,8 +500,8 @@ No. Only one MDM is allowed. Entry | Description --------------- | -------------------- What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | -What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. | -How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. | +What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. This service does not send telemetry.| +How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. Disabling this will cause your management to fail.| ## Change history for MDM documentation diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 27c1aceaf0..0ed48a5776 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 06/03/2020 +ms.date: 10/28/2020 --- # Policy DDF file @@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can view various Policy DDF files by clicking the following links: +- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) - [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) - [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) - [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) @@ -32,7 +33,7 @@ You can view various Policy DDF files by clicking the following links: You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, version 2004. +The XML below is the DDF for Windows 10, version 20H2. ```xml @@ -8713,6 +8714,52 @@ Related policy: + + Multitasking + + + + + + + + + + + + + + + + + + + + + BrowserAltTabBlowout + + + + + + + + Configures the inclusion of Edge tabs into Alt-Tab. + + + + + + + + + + + text/plain + + + + Notifications @@ -18919,6 +18966,55 @@ Related policy: + + Multitasking + + + + + + + + + + + + + + + + + + + BrowserAltTabBlowout + + + + + 1 + Configures the inclusion of Edge tabs into Alt-Tab. + + + + + + + + + + + text/plain + + + phone + multitasking.admx + AltTabFilterDropdown + multitasking~AT~WindowsComponents~MULTITASKING + MultiTaskingAltTabFilter + LastWrite + + + Notifications @@ -29757,6 +29853,30 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor + + DisableCloudOptimizedContent + + + + + + + + This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. + + + + + + + + + + + text/plain + + + DoNotShowFeedbackNotifications @@ -38353,6 +38473,60 @@ The options are: + + LocalUsersAndGroups + + + + + + + + + + + + + + + + + + + + + Configure + + + + + + + + This Setting allows an administrator to manage local groups on a Device. + Possible settings: + 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. + When using Update, existing group members that are not specified in the policy remain untouched. + 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. + When using Replace, existing group membership is replaced by the list of members specified in + the add member section. This option works in the same way as a Restricted Group and any group + members that are not specified in the policy are removed. + Caution: If the same group is configured with both Replace and Update, then Replace will win. + + + + + + + + + + + text/plain + + + + LockDown @@ -38563,6 +38737,148 @@ The options are: + + MixedReality + + + + + + + + + + + + + + + + + + + + + AADGroupMembershipCacheValidityInDays + + + + + + + + + + + + + + + + + + + text/plain + + + + + BrightnessButtonDisabled + + + + + + + + + + + + + + + + + + + text/plain + + + + + FallbackDiagnostics + + + + + + + + + + + + + + + + + + + text/plain + + + + + MicrophoneDisabled + + + + + + + + + + + + + + + + + + + text/plain + + + + + VolumeButtonDisabled + + + + + + + + + + + + + + + + + + + text/plain + + + + MSSecurityGuide @@ -47384,6 +47700,30 @@ If you disable or do not configure this policy setting, the wake setting as spec + + DisableWUfBSafeguards + + + + + + + + + + + + + + + + + + + text/plain + + + EngagedRestartDeadline @@ -48152,6 +48492,30 @@ If you disable or do not configure this policy setting, the wake setting as spec + + SetProxyBehaviorForUpdateDetection + + + + + + + + + + + + + + + + + + + text/plain + + + TargetReleaseVersion @@ -61298,6 +61662,33 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor LowestValueMostSecure + + DisableCloudOptimizedContent + + + + + 0 + This policy controls Windows experiences that use the cloud optimized content client component. If you enable this policy, they will present only default content. If you disable or do not configure this policy, they will be able to use cloud provided content. + + + + + + + + + + + text/plain + + + CloudContent.admx + CloudContent~AT~WindowsComponents~CloudContent + DisableCloudOptimizedContent + HighestValueMostSecure + + DoNotShowFeedbackNotifications @@ -70811,6 +71202,116 @@ The options are: + + LocalUsersAndGroups + + + + + + + + + + + + + + + + + + + Configure + + + + + + This Setting allows an administrator to manage local groups on a Device. + Possible settings: + 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. + When using Update, existing group members that are not specified in the policy remain untouched. + 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. + When using Replace, existing group membership is replaced by the list of members specified in + the add member section. This option works in the same way as a Restricted Group and any group + members that are not specified in the policy are removed. + Caution: If the same group is configured with both Replace and Update, then Replace will win. + + + + + + + + + + + text/plain + + phone + LastWrite + + + + + + + + + + + + Group Configuration Action + + + + + + + + Group Member to Add + + + + + + + + Group Member to Remove + + + + + + + + Group property to configure + + + + + + + + + + + + + + + + Local Group Configuration + + + + + + + + + LockDown @@ -71027,6 +71528,146 @@ The options are: + + MixedReality + + + + + + + + + + + + + + + + + + + AADGroupMembershipCacheValidityInDays + + + + + 0 + + + + + + + + + + + + text/plain + + + LastWrite + + + + BrightnessButtonDisabled + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + FallbackDiagnostics + + + + + 2 + + + + + + + + + + + + text/plain + + + LastWrite + + + + MicrophoneDisabled + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + + VolumeButtonDisabled + + + + + 0 + + + + + + + + + + + + text/plain + + + HighestValueMostSecure + + + MSSecurityGuide @@ -80733,6 +81374,30 @@ If you disable or do not configure this policy setting, the wake setting as spec LastWrite + + DisableWUfBSafeguards + + + + + 0 + + + + + + + + + + + + text/plain + + + LastWrite + + EngagedRestartDeadline @@ -81607,6 +82272,34 @@ If you disable or do not configure this policy setting, the wake setting as spec LastWrite + + SetProxyBehaviorForUpdateDetection + + + + + 0 + + + + + + + + + + + + text/plain + + + WindowsUpdate.admx + SetProxyBehaviorForUpdateDetection + WindowsUpdate~AT~WindowsComponents~WindowsUpdateCat + CorpWuURL + LastWrite + + TargetReleaseVersion diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 1bc4e0ffb8..d65d59a04d 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -247,9 +247,9 @@ This policy allows you to specify how your client(s) can discover Delivery Optim - 1 = DHCP Option 235. - 2 = DHCP Option 235 Force. -with either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. +With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. -Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. You can add one or more value either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas. +Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. > [!NOTE] > If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set. diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index 4bf706bbbc..824c20a5f1 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach - [Certutil](#certutil) -- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp) +- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp) -- [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing) +- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing) - [Smart Card service](#smart-card-service) @@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i ### List certificates available on the smart card -To list certificates that are available on the smart card, type certutil -scinfo. +To list certificates that are available on the smart card, type `certutil -scinfo`. > [!NOTE] > Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN. ### Delete certificates on the smart card -Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate. +Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate. -To find the container value, type certutil -scinfo. +To find the container value, type `certutil -scinfo`. To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>". ## Debugging and tracing using WPP -Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx). +WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx). ### Enable the trace @@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing: - **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1** -- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000* +- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000** You can use the parameters in the following table. | Friendly name | GUID | Flags | |-------------------|--------------------------------------|-----------| -| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff | -| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff | -| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | -| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | -| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 | -| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff | -| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff | -| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff | -| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff | +| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff | +| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff | +| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | +| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 | +| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 | +| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff | +| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff | +| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff | +| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff | Examples @@ -109,7 +109,7 @@ To stop a trace: - **logman -stop scardsvr -ets** -## Kerberos protocol, KDC and NTLM debugging and tracing +## Kerberos protocol, KDC, and NTLM debugging and tracing @@ -119,11 +119,11 @@ You can use these resources to troubleshoot these protocols and the KDC: - [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit).  You can use the trace log tool in this SDK to debug Kerberos authentication failures. -To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx). +To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx). ### NTLM -To enable tracing for NTLM authentication, run the following at the command line: +To enable tracing for NTLM authentication, run the following command on the command line: - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1** @@ -143,11 +143,11 @@ To stop tracing for Kerberos authentication, run this command: ### KDC -To enable tracing for the Key Distribution Center (KDC), run the following at the command line: +To enable tracing for the KDC, run the following command on the command line: - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1** -To stop tracing for the KDC, run the following at the command line: +To stop tracing for the KDC, run the following command on the command line: - **tracelog.exe -stop kdc** @@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in | Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001

HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043

HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 | | KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 | -If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl. +If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl. If you used the registry key settings shown in the previous table, look for the trace log files in the following locations: @@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the - KDC: %systemroot%\\tracing\\kdcsvc  -To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx). +To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx). ## Smart Card service @@ -184,11 +184,11 @@ The smart card resource manager service runs in the context of a local service. **To check if Smart Card service is running** -1. Press CTRL+ALT+DEL, and then click **Start Task Manager**. +1. Press CTRL+ALT+DEL, and then select **Start Task Manager**. -2. In the **Windows Task Manager** dialog box, click the **Services** tab. +2. In the **Windows Task Manager** dialog box, select the **Services** tab. -3. Click the **Name** column to sort the list alphabetically, and then type **s**. +3. Select the **Name** column to sort the list alphabetically, and then type **s**. 4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped. @@ -196,15 +196,15 @@ The smart card resource manager service runs in the context of a local service. 1. Run as administrator at the command prompt. -2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. +2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. -3. At the command prompt, type **net stop SCardSvr**. +3. At the command prompt, type `net stop SCardSvr`. -4. At the command prompt, type **net start SCardSvr**. +4. At the command prompt, type `net start SCardSvr`. -You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**. +You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`. -This is an example output from this command: +The following code sample is an example output from this command: ```console SERVICE_NAME: scardsvr @@ -228,14 +228,14 @@ As with any device connected to a computer, Device Manager can be used to view p 1. Navigate to **Computer**. -2. Right-click **Computer**, and then click **Properties**. +2. Right-click **Computer**, and then select **Properties**. -3. Under **Tasks**, click **Device Manager**. +3. Under **Tasks**, select **Device Manager**. -4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**. +4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**. > [!NOTE] -> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**. +> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**. ## CryptoAPI 2.0 Diagnostics diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md index d6bad09f03..c248a61b46 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md @@ -29,16 +29,16 @@ ms.custom: bitlocker Stored information | Description -------------------|------------ Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in. -BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). -BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde. +BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md). +BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`. ## What if BitLocker is enabled on a computer before the computer has joined the domain? -If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. +If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt: +The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt: ```PowerShell $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive @@ -61,13 +61,13 @@ Ultimately, determining whether a legitimate backup exists in AD DS requires qu No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object. -## What happens if the backup initially fails? Will BitLocker retry the backup? +## What happens if the backup initially fails? Will BitLocker retry it? If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS. -When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. +When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md). -When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored. +When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index dc0d879c78..8ad995065c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -1,6 +1,6 @@ --- title: BitLocker basic deployment (Windows 10) -description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. +description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4 ms.reviewer: ms.prod: w10 @@ -24,7 +24,7 @@ ms.custom: bitlocker - Windows 10 -This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. +This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. ## Using BitLocker to encrypt volumes @@ -39,12 +39,12 @@ BitLocker encryption can be done using the following methods: - BitLocker control panel - Windows Explorer -- manage-bde command line interface +- manage-bde command-line interface - BitLocker Windows PowerShell cmdlets ### Encrypting volumes using the BitLocker control panel -Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. +Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume @@ -54,7 +54,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t |Requirement|Description| |--- |--- | |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.| -|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.| +|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.| |Hardware TPM|TPM version 1.2 or 2.0.

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| |BIOS configuration|

  • A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
  • The boot order must be set to start first from the hard disk, and not the USB or CD drives.
  • The firmware must be able to read from a USB flash drive during startup.
    • | |File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
    For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
    For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| @@ -75,11 +75,11 @@ It is recommended that drives with little to no data utilize the **used disk spa > [!NOTE] > Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. -Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. +Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. -Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off. +Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker. ### Data volume @@ -97,12 +97,12 @@ Encryption status displays in the notification area or within the BitLocker cont There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain. -Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, +Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. ### Using BitLocker within Windows Explorer -Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. +Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel. ## Down-level compatibility @@ -118,13 +118,13 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window |Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A| |Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A| -## Encrypting volumes using the manage-bde command line interface +## Encrypting volumes using the manage-bde command-line interface Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). -Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. +Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. -Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. +Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes. ### Operating system volume @@ -136,7 +136,7 @@ A good practice when using manage-bde is to determine the volume status on the t `manage-bde -status` -This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. +This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment. **Enabling BitLocker without a TPM** @@ -149,29 +149,29 @@ manage-bde -on C: **Enabling BitLocker with a TPM only** -It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: +It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command: `manage-bde -on C:` -This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command: +This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command: `manage-bde -protectors -get ` **Provisioning BitLocker with two protectors** -Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: +Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command: `manage-bde -protectors -add C: -pw -sid ` -This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on. +This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker. ### Data volume -Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume. +Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume. **Enabling BitLocker with a password** -A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. +A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. ```powershell manage-bde -protectors -add -pw C: @@ -322,7 +322,7 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** Get-BitLockerVolume C: | fl ``` -If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. +If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: ```powershell @@ -330,7 +330,7 @@ $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` -Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. +Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: ```powershell @@ -343,7 +343,8 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ### Operating system volume Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. -To enable BitLocker with just the TPM protector. This can be done using the command: + +To enable BitLocker with just the TPM protector, use this command: ```powershell Enable-BitLocker C: @@ -357,7 +358,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes ### Data volume -Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. +Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins. ```powershell $pw = Read-Host -AsSecureString @@ -365,14 +366,14 @@ $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` -### Using a SID based protector in Windows PowerShell +### Using a SID-based protector in Windows PowerShell -The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster. +The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster. > [!WARNING] > The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes. -To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. +To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator @@ -389,7 +390,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"} > > **Tip:**  In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features. -In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: +In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: ```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" @@ -400,7 +401,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup " ## Checking BitLocker status -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. ### Checking BitLocker status with the control panel @@ -421,7 +422,7 @@ Once BitLocker protector activation is completed, the completion notice is displ ### Checking BitLocker status with manage-bde -Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. +Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume. To check the status of a volume using manage-bde, use the following command: @@ -446,7 +447,7 @@ This command will display information about the encryption method, volume type, ### Provisioning BitLocker during operating system deployment -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. ### Decrypting BitLocker volumes @@ -461,9 +462,9 @@ The control panel does not report decryption progress but displays it in the not Once decryption is complete, the drive will update its status in the control panel and is available for encryption. -### Decrypting volumes using the manage-bde command line interface +### Decrypting volumes using the manage-bde command-line interface -Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: +Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: ```powershell manage-bde -off C: diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md index ea8ab3bf7a..064a82cf8e 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md @@ -37,7 +37,7 @@ Generally it imposes a single-digit percentage performance overhead. ## How long will initial encryption take when BitLocker is turned on? -Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. +Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive. You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted. @@ -82,11 +82,11 @@ The TPM is not involved in any recovery scenarios, so recovery is still possible ## What can prevent BitLocker from binding to PCR 7? -This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. +BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it. ## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive? -Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. +Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts. ## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer? diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index f31dcd8374..4f3681db63 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -1,6 +1,6 @@ --- title: BitLocker recovery guide (Windows 10) -description: This topic for IT professionals describes how to recover BitLocker keys from AD DS. +description: This article for IT professionals describes how to recover BitLocker keys from AD DS. ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14 ms.reviewer: ms.prod: w10 @@ -24,7 +24,7 @@ ms.custom: bitlocker - Windows 10 -This topic for IT professionals describes how to recover BitLocker keys from AD DS. +This article for IT professionals describes how to recover BitLocker keys from AD DS. Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. @@ -46,11 +46,11 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. -- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. +- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked. - Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition. - Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed. - Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM. @@ -64,7 +64,7 @@ The following list provides examples of specific events that will cause BitLocke - Changes to the master boot record on the disk. - Changes to the boot manager on the disk. - Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software. -- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs. +- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs. - Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change. > [!NOTE] @@ -93,25 +93,25 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av > [!NOTE] > If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool. -If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. +If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method. Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user. ## Testing recovery -Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. +Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation. **To force a recovery for the local computer:** -1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**. -2. At the command prompt, type the following command and then press ENTER: +1. Select the **Start** button, type *cmd* in the **Start Search** box, right-click **cmd.exe**, and then select **Run as administrator**. +2. At the command prompt, type the following command and then press **Enter**: `manage-bde -forcerecovery ` **To force recovery for a remote computer:** -1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**. +1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**. 2. At the command prompt, type the following command and then press ENTER: `manage-bde -ComputerName -forcerecovery ` @@ -125,7 +125,7 @@ When planning the BitLocker recovery process, first consult your organization's Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/). -After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization. +After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization. When you determine your recovery process, you should: @@ -141,12 +141,12 @@ When you determine your recovery process, you should: ### Self-recovery -In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. +In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag, then it's easy for an unauthorized user to access the PC. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified. ### Recovery password retrieval -If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. +If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default. You must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used. - **Choose how BitLocker-protected operating system drives can be recovered** - **Choose how BitLocker-protected fixed drives can be recovered** @@ -176,7 +176,7 @@ You can use the name of the user's computer to locate the recovery password in A ### Verify the user's identity -You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user. +Verify that the person that is asking for the recovery password is truly the authorized user of that computer. You might also want to verify that the computer with the name the user provided belongs to the user. ### Locate the recovery password in AD DS @@ -200,7 +200,7 @@ Before you give the user the recovery password, you should gather any informatio ### Give the user the recovery password -Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. +Because the recovery password is 48 digits long, the user might need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password. > [!NOTE] > Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors. @@ -228,11 +228,11 @@ Review and answer the following questions for your organization: 1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC? 2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be? 3. If TPM mode was in effect, was recovery caused by a boot file change? -4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software? +4. If recovery was caused by a boot file change, was the change an intended user action (for example, BIOS upgrade), or was it caused by malicious software? 5. When was the user last able to start the computer successfully, and what might have happened to the computer since then? 6. Might the user have encountered malicious software or left the computer unattended since the last successful startup? -To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely. +To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if the boot file changed). Both of these capabilities can be performed remotely. ### Resolve the root cause @@ -257,9 +257,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on 1. Unlock the computer using the recovery password. 2. Reset the PIN: - 1. Right-click the drive and then click **Change PIN**. - 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time. - 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**. + 1. Right-click the drive and then select **Change PIN**. + 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, provide administrative credentials at this time. + 3. In the PIN reset dialog, provide and confirm the new PIN to use and then select **Finish**. 3. You will use the new PIN the next time you unlock the drive. @@ -271,17 +271,17 @@ If you have lost the USB flash drive that contains the startup key, then you mus 1. Log on as an administrator to the computer that has the lost startup key. 2. Open Manage BitLocker. -3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**. +3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then select **Save**. ### Changes to boot files -This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time. +This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time. ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. ## BitLocker recovery screen @@ -307,7 +307,7 @@ Example of customized recovery screen: ### BitLocker recovery key hints -BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. +BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen. ![Customized BitLocker recovery screen](./images/bl-password-hint2.png) @@ -337,7 +337,7 @@ There are rules governing which hint is shown during the recovery (in order of p | Printed | No | | Saved to file | No | -**Result:** The hint for the Microsoft Account and custom URL are displayed. +**Result:** The hint for the Microsoft Account and the custom URL are displayed. ![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.PNG) @@ -378,7 +378,7 @@ There are rules governing which hint is shown during the recovery (in order of p |----------------------|-----------------| | Saved to Microsoft Account | No | | Saved to Azure AD | No | -| Saved to Acive Directory | No | +| Saved to Active Directory | No | | Printed | No | | Saved to file | Yes | | Creation time | **1PM** | @@ -444,17 +444,17 @@ If the recovery methods discussed earlier in this document do not unlock the vol > [!NOTE] > You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package. -The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). +The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details about how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc). ## Resetting recovery passwords -You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. +Invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason. You can reset the recovery password in two ways: -- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. -- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. +- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method. +- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords. **To reset a recovery password using manage-bde:** @@ -470,13 +470,13 @@ You can reset the recovery password in two ways: Manage-bde –protectors –add C: -RecoveryPassword ``` -3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. +3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password. ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword ``` -4. Backup the new recovery password to AD DS +4. Back up the new recovery password to AD DS. ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} @@ -488,7 +488,7 @@ You can reset the recovery password in two ways: **To run the sample recovery password script:** 1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs. -2. At the command prompt, type a command similar to the following: +2. At the command prompt, type a command similar to the following sample script: **cscript ResetPassword.vbs** @@ -576,15 +576,15 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery): -- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. +- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS. - **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred. -The following sample script exports all previously-saved key packages from AD DS. +The following sample script exports all previously saved key packages from AD DS. **To run the sample key package retrieval script:** 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs. -2. At the command prompt, type a command similar to the following: +2. At the command prompt, type a command similar to the following sample script: **cscript GetBitLockerKeyPackageADDS.vbs -?** @@ -733,7 +733,7 @@ The following sample script exports a new key package from an unlocked, encrypte **To run the sample key package retrieval script:** 1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs -2. Open an administrator command prompt, type a command similar to the following: +2. Open an administrator command prompt, and then type a command similar to the following sample script: **cscript GetBitLockerKeyPackage.vbs -?** diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md index c34ddf46f1..871f49b5a8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -1,6 +1,6 @@ --- title: BitLocker To Go FAQ (Windows 10) -description: Learn more about BitLocker To Go — BitLocker drive encryption for removable drives. +description: "Learn more about BitLocker To Go: BitLocker drive encryption for removable drives." ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee ms.reviewer: ms.author: dansimp @@ -25,7 +25,14 @@ ms.custom: bitlocker ## What is BitLocker To Go? -BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). +BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of: -As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel. +- USB flash drives +- SD cards +- External hard disk drives +- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. + +Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). + +As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index bf20c5efdd..793722ef06 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -1,6 +1,6 @@ --- title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10) -description: This topic for the IT professional describes how to use tools to manage BitLocker. +description: This article for the IT professional describes how to use tools to manage BitLocker. ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6 ms.reviewer: ms.prod: w10 @@ -23,9 +23,9 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for the IT professional describes how to use tools to manage BitLocker. +This article for the IT professional describes how to use tools to manage BitLocker. -BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. +BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios. @@ -39,11 +39,11 @@ Repair-bde is a special circumstance tool that is provided for disaster recovery Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference. -Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. +Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde. ### Using manage-bde with operating system volumes -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume. +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume. A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: @@ -54,7 +54,7 @@ This command returns the volumes on the target, current encryption status, encry ![Using manage-bde to check encryption status](images/manage-bde-status.png) -The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. +The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. ```powershell manage-bde –protectors -add C: -startupkey E: @@ -63,30 +63,30 @@ manage-bde -on C: >**Note:**  After the encryption is completed, the USB startup key must be inserted before the operating system can be started. -An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: +An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command: ```powershell manage-bde -protectors -add C: -pw -sid ``` -This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on. +This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker. -On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: +On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command: ```powershell manage-bde -on C: ``` -This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: +This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: ```powershell manage-bde -protectors -get ``` ### Using manage-bde with data volumes -Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume. +Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume. -A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. +A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker. ```powershell manage-bde -protectors -add -pw C: @@ -101,11 +101,11 @@ The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a >**Tip:**  If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume. -The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true: +The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true: -1. You have encrypted the drive by using BitLocker Drive Encryption. -2. Windows does not start, or you cannot start the BitLocker recovery console. -3. You do not have a copy of the data that is contained on the encrypted drive. +- You have encrypted the drive by using BitLocker Drive Encryption. +- Windows does not start, or you cannot start the BitLocker recovery console. +- You do not have a copy of the data that is contained on the encrypted drive. >**Note:**  Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers. @@ -249,7 +249,7 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet. -The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details. +The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details. >**Tip:**  Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors. `Get-BitLockerVolume C: | fl` @@ -263,9 +263,9 @@ $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` -Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector. +By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector. -Using this information, you can then remove the key protector for a specific volume using the command: +By using this information, you can then remove the key protector for a specific volume using the command: ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" @@ -291,8 +291,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes ### Using the BitLocker Windows PowerShell cmdlets with data volumes -Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a -SecureString value to store the user defined password. +Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a +SecureString value to store the user-defined password. ```powershell $pw = Read-Host -AsSecureString @@ -301,11 +301,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw ``` ### Using an AD Account or Group protector in Windows PowerShell -The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster. +The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster. >**Warning:**  The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes -To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. +To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. ```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md index ac4286c885..e71fba3cbd 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md @@ -37,7 +37,7 @@ BitLocker has a storage driver stack that ensures memory dumps are encrypted whe ## Can BitLocker support smart cards for pre-boot authentication? -BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult. +BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult. ## Can I use a non-Microsoft TPM driver? @@ -69,7 +69,7 @@ The **Save to USB** option is not shown by default for removable drives. If the ## Why am I unable to automatically unlock my drive? -Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. +Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers. ## Can I use BitLocker in Safe Mode? @@ -95,8 +95,8 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical ## Does BitLocker support virtual hard disks (VHDs)? BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run. -- With TPM - Yes it is supported -- Without TPM - Yes it is supported (with password protector) +- With TPM: Yes, it is supported. +- Without TPM: Yes, it is supported (with password protector). BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012. diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index ac7c00f8b6..01a07590a5 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -1,6 +1,6 @@ --- title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10) -description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker. +description: This article for IT pros describes how to protect CSVs and SANs with BitLocker. ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092 ms.reviewer: ms.prod: w10 @@ -23,7 +23,7 @@ ms.custom: bitlocker **Applies to** - Windows Server 2016 -This topic for IT pros describes how to protect CSVs and SANs with BitLocker. +This article for IT pros describes how to protect CSVs and SANs with BitLocker. BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume. @@ -38,15 +38,15 @@ BitLocker on volumes within a cluster are managed based on how the cluster servi Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete. -Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. +Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item. >**Note:**  Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption. -For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. +For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This action is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space. ### Active Directory-based protector -You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: +You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order: 1. Clear key 2. Driver-based auto-unlock key @@ -61,7 +61,7 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote ### Turning on BitLocker before adding disks to a cluster using Windows PowerShell -BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following: +BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. @@ -84,7 +84,7 @@ BitLocker encryption is available for disks before or after addition to a cluste ### Turning on BitLocker for a clustered disk using Windows PowerShell -When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk: +When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning on BitLocker for a clustered disk: 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. @@ -122,11 +122,11 @@ When the cluster service owns a disk resource already, it needs to be set into m ### Adding BitLocker encrypted volumes to a cluster using manage-bde -You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following: +You can also use manage-bde to enable BitLocker on clustered volumes. Follow these steps to add a physical disk resource or CSV2.0 volume to an existing cluster: 1. Verify the BitLocker Drive Encryption feature is installed on the computer. 2. Ensure new storage is formatted as NTFS. -3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example): +3. Encrypt the volume, add a recovery key, and add the cluster administrator as a protector key by using the manage-bde command-line interface (see example): - `Manage-bde -on -used -RP -sid domain\CNO$ -sync` @@ -135,16 +135,17 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps 4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered - - Once the disk is clustered it can also be enabled for CSV. + - Once the disk is clustered, it can also be enabled for CSV. 5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted. 1. If the volume is not BitLocker enabled, traditional cluster online operations occur. 2. If the volume is BitLocker enabled, the following check occurs: - - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail. + - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails, an event will be logged that the volume could not be unlocked and the online operation will fail. + +6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing **Add to cluster shared volumes**. -6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. ```powershell @@ -153,11 +154,11 @@ manage-bde -status "C:\ClusterStorage\volume1" ### Physical Disk Resources -Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. +Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. So operations such as encrypting, decrypting, locking, or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available. ### Restrictions on BitLocker actions with cluster volumes -The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. +The following table contains information about both Physical Disk Resources (that is, traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation. @@ -268,7 +269,7 @@ In the case where a physical disk resource experiences a failover event during c ### Other considerations when using BitLocker on CSV2.0 -Some other considerations to take into account for BitLocker on clustered storage include the following: +Also take these considerations into account for BitLocker on clustered storage: - BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume. - If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete. - If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode. diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 84ea720232..e72f8d6c68 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -1,6 +1,6 @@ --- title: Information protection (Windows 10) -description: Learn more about how to protect sesnsitive data across your ogranization. +description: Learn more about how to protect sensitive data across your organization. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c2913b23a2..1d2ce21e5e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -65,6 +65,7 @@ ##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md) ##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md) ##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md) +##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md) #### [Understand vulnerabilities on your devices]() ##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) ##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 0762f04322..58bd7574f2 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -1,6 +1,6 @@ --- title: How to get a list of XML data name elements in (Windows 10) -description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . +description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -20,15 +20,15 @@ ms.author: dansimp The Security log uses a manifest where you can get all of the event schema. -Run the following from an elevated PowerShell prompt: +Run the following command from an elevated PowerShell prompt: ```powershell $secEvents = get-winevent -listprovider "microsoft-windows-security-auditing" ``` -The .events property is a collection of all of the events listed in the manifest on the local machine. +The `.events` property is a collection of all of the events listed in the manifest on the local machine. -For each event, there is a .Template property for the XML template used for the event properties (if there are any). +For each event, there is a `.Template` property for the XML template used for the event properties (if there are any). For example: @@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description. -The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>. +The <Description> is just the format string (if you’re used to `Console.Writeline` or `sprintf` statements), and the <Template> is the source of the input parameters for the <Description>. Using Security event 4734 as an example: @@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted. ``` -For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**. +For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**. -For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**. +For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**. -A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. +A caveat to this principle is an often overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index df44f6142a..bd1b4f57e7 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -17,22 +17,22 @@ search.appverid: met150 --- # Troubleshooting malware submission errors caused by administrator block -In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this. +In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem. ## Review your settings Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected. -- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information. +- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information. -- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it. +- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.   ## Implement Required Enterprise Application permissions This process requires a global or application admin in the tenant. 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). - 2. Click **Grant admin consent for organization**. - 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant. + 2. Select **Grant admin consent for organization**. + 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image](images/msi-grant-admin-consent.jpg) + ![grant consent image](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   @@ -59,15 +59,15 @@ This process requires that global admins go through the Enterprise customer sign ![Consent sign in flow](images/msi-microsoft-permission-required.jpg) -Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**. +Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. All users in the tenant will now be able to use this application. -## Option 3: Delete and re-add app permissions +## Option 3: Delete and readd app permissions If neither of these options resolve the issue, try the following steps (as an admin): 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) -and click **delete**. +and select **delete**. ![Delete app permissions](images/msi-properties.png) @@ -78,7 +78,7 @@ and click **delete**. ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) -4. Review the permissions required by the application, and then click **Accept**. +4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index a89853180f..8facb0d850 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -50,7 +50,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh (1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. -If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: +If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode - Type: REG_DWORD @@ -78,7 +78,7 @@ The following table summarizes the functionality and features that are available - In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). - In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. - In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. ## Keep the following points in mind diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index 0d6e8dcd1c..03ef3030af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md @@ -52,7 +52,7 @@ DO NOT USE THE APPLICATION.** 1. **INSTALLATION AND USE RIGHTS.** 1. **Installation and Use.** You may install and use any number of copies - of this application on Android enabled device or devices which you own + of this application on Android enabled device or devices that you own or control. You may use this application with your company's valid subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or an online service that includes MDATP functionalities. @@ -60,13 +60,13 @@ DO NOT USE THE APPLICATION.** 2. **Updates.** Updates or upgrades to MDATP may be required for full functionality. Some functionality may not be available in all countries. - 3. **Third Party Programs.** The application may include third party + 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only. 2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to - Internet access, data transfer and other services per the terms of the data + Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges. @@ -92,21 +92,21 @@ DO NOT USE THE APPLICATION.** improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of - certain features of the application. For additional information on - Microsoft's data collection and use, see the [Online Services + certain features of the application. For more information about + Microsoft data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777). 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain - unauthorized access to any service, data, account or network by any + unauthorized access to any service, data, account, or network by any means. 4. **FEEDBACK.** If you give feedback about the application to Microsoft, you - give to Microsoft, without charge, the right to use, share and commercialize + give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, - technologies and services to use or interface with any specific parts of a + technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback @@ -130,35 +130,34 @@ DO NOT USE THE APPLICATION.** - publish the application for others to copy; - - rent, lease or lend the application; or + - rent, lease, or lend the application; or - transfer the application or this agreement to any third party. 6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws - include restrictions on destinations, end users and end use. For additional + include restrictions on destinations, end users, and end use. For more information, - see[www.microsoft.com/exporting](https://www.microsoft.com/exporting). + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). 7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about your use of this application, including questions about your company's - privacy policy, please contact your company's admin. Do not contact the + privacy policy, contact your company's admin. Do not contact the application store, your network operator, device manufacturer, or Microsoft. The application store provider has no obligation to furnish support or maintenance with respect to the application. 8. **APPLICATION STORE.** - 1. If you obtain the application through an application store (e.g., Google - Play), please review the applicable application store terms to ensure + 1. If you obtain the application through an application store (for example, Google + Play), review the applicable application store terms to ensure your download and use of the application complies with such terms. - Please note that these Terms are between you and Microsoft and not with + Note that these Terms are between you and Microsoft and not with the application store. - 2. The respective application store provider and its subsidiaries are third - party beneficiaries of these Terms, and upon your acceptance of these + 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights. @@ -213,20 +212,20 @@ DO NOT USE THE APPLICATION.** This limitation applies to: - anything related to the application, services, content (including code) on - third party Internet sites, or third party programs; and + third-party internet sites, or third-party programs; and -- claims for breach of contract, warranty, guarantee or condition; consumer +- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, - misrepresentation, omission, trespass or other tort; violation of statute or + misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law. It also applies even if: -a. Repair, replacement or refund for the application does not fully compensate +a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or b. Covered Parties knew or should have known about the possibility of the damages. -The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 7687279880..a6b6b5a359 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 08/25/2020 +ms.date: 11/05/2020 ms.reviewer: v-maave manager: dansimp ms.custom: asr @@ -42,7 +42,7 @@ Apps can also be manually added to the trusted list via Configuration Manager an Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 36216eb833..109f729fae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -84,7 +84,7 @@ The following is a sample for reference, using [GUID values for ASR rules](attac `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` -`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1` +`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1` The values to enable, disable, or enable in audit mode are: diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 5e45dab3cc..22c665b822 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -49,7 +49,7 @@ To get preview features for Mac, you must set up your device to be an "Insider" 1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. -1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier. +1. Create an entry with com.microsoft.wdav as the preference domain and upload the `.plist` created earlier. > [!WARNING] > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product @@ -117,7 +117,7 @@ To get preview features for Mac, you must set up your device to be an "Insider" 1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. -1. Save the .plist created earlier as com.microsoft.wdav.xml. +1. Save the `.plist` created earlier as com.microsoft.wdav.xml. 1. Enter com.microsoft.wdav as the custom configuration profile name. @@ -150,17 +150,17 @@ For versions earlier than 100.78.0, run: To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). -To verify you are running the correct version, run ‘mdatp --health’ on the device. +To verify you are running the correct version, run `mdatp --health` on the device. * The required version is 100.72.15 or later. -* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal. -* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). +* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal. +* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). * If you are not using Office for Mac, download and run the AutoUpdate tool. ### A device still does not appear on Microsoft Defender Security Center -After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’. +After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`. -* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. +* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg new file mode 100644 index 0000000000..e0fa906808 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png new file mode 100644 index 0000000000..a1f9e7d70a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png new file mode 100644 index 0000000000..04b9835601 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png new file mode 100644 index 0000000000..941dd99ba8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png new file mode 100644 index 0000000000..b4b4696b61 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png new file mode 100644 index 0000000000..b3fd3b18a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png new file mode 100644 index 0000000000..1957e7f571 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png new file mode 100644 index 0000000000..094e2a7992 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png new file mode 100644 index 0000000000..ac2610fdaa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md new file mode 100644 index 0000000000..e0d5af00f8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md @@ -0,0 +1,103 @@ +--- +title: Mitigate zero-day vulnerabilities - threat and vulnerability management +description: Learn how to find and mitigate zero-day vulnerabilities in your environment. +keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: article +--- + +# Mitigate zero-day vulnerabilities - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited. + +Threat and vulnerability management will only display zero-day vulnerabilities it has information about. + +## Find information about zero-day vulnerabilities + +Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center. + +### Threat and vulnerability management dashboard + +Look for recommendations with a zero-day tag in the “Top security recommendations” card. + +![Top recommendations with a zero-day tag.](images/tvm-zero-day-top-security-recommendations.png) + +Find top software with the zero-day tag in the "Top vulnerable software" card. + +![Top vulnerable software with a zero-day tag.](images/tvm-zero-day-top-software.png) + +### Weaknesses page + +Look for the named zero-day vulnerability along with a description and details. + +- If this vulnerability has a CVE-ID assigned, you’ll see the zero-day label next to the CVE name. + +- If this vulnerability has no CVE-ID assigned, you will find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel. + +![Zero day example for CVE-2020-17087 in weaknesses page.](images/tvm-zero-day-weakness-name.png) + +### Software inventory page + +Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities. + +![Zero day example of Windows Server 2016 in the software inventory page.](images/tvm-zero-day-software-inventory.png) + +### Software page + +Look for a zero-day tag for each software that has been affected by the zero–day vulnerability. + +![Zero day example for Windows Server 2016 software page.](images/tvm-zero-day-software-page.png) + +### Security recommendations page + +View clear suggestions regarding remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities. + +If there is software with a zero-day vulnerability and additional vulnerabilities to address, you will get one recommendation regarding all vulnerabilities. + +![Zero day example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-security-recommendation.png) + +## Addressing zero-day vulnerabilities + +Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software. + +There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed. + +Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” + +![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png) + +## Patching zero-day vulnerabilities + +When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages. + +![Recommendation for "Update Microsoft Windows 10" with new patch label.](images/tvm-zero-day-patch.jpg) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Dashboard](tvm-dashboard-insights.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Software inventory](tvm-software-inventory.md) +- [Vulnerabilities in my organization](tvm-weaknesses.md) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 263e076dda..9b9d8baad8 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -42,7 +42,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor - + @@ -160,7 +160,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser]
    Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control    		 Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control    		 Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

    Important: Using a trustworthy browser helps ensure that these protections work as expected.

    		This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.

    Important: Using a trustworthy browser helps ensure that these protections work as expected.
    Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

    ## Recommended Group Policy and MDM settings for your organization -By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. +By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 60fe8eaa5f..073cfbd4cb 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -1,6 +1,6 @@ --- title: Access Credential Manager as a trusted caller (Windows 10) -description: Describes best practices, security considerations and more for the security policy setting, Access Credential Manager as a trusted caller. +description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 ms.reviewer: ms.author: dansimp @@ -22,11 +22,11 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. ## Reference -The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it is assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities. +The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it's assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities. Constant: SeTrustedCredManAccessPrivilege @@ -37,7 +37,7 @@ Constant: SeTrustedCredManAccessPrivilege ### Best practices -- Do not modify this policy setting from the default. +- Don't modify this policy setting from the default. ### Location @@ -45,6 +45,8 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values +The following table shows the default value for the server type or Group Policy Object (GPO). + | Server type or GPO | Default value | | - | - | | Default domain policy | Not defined | @@ -58,7 +60,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -82,7 +84,7 @@ If an account is given this user right, the user of the account may create an ap ### Countermeasure -Do not define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager. +Don't define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index ab09ef2ca5..d9c2770ad4 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -39,7 +39,7 @@ It is possible to configure the following values for the **Account lockout thres - A user-defined number from 0 through 999 - Not defined -Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic. +Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article. ### Best practices @@ -47,7 +47,7 @@ The threshold that you select is a balance between operational efficiency and se As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). -Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic. +Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article. ### Location @@ -76,13 +76,13 @@ None. Changes to this policy setting become effective without a computer restart ### Implementation considerations -Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example: +Implementation of this policy setting depends on your operational environment. Consider threat vectors, deployed operating systems, and deployed apps. For example: -- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats. +- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats. - When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. -- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. +- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). @@ -108,8 +108,8 @@ Because vulnerabilities can exist when this value is configured and when it is n - Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: - - The password policy setting requires all users to have complex passwords of 8 or more characters. - - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment. + - The password policy setting requires all users to have complex passwords of eight or more characters. + - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment. - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. @@ -121,9 +121,9 @@ Because vulnerabilities can exist when this value is configured and when it is n If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls. -If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that an malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. +If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. -If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. +If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. ## Related topics [Account Lockout Policy](account-lockout-policy.md) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 9a078921e7..4c8003e0f3 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -1,6 +1,6 @@ --- -title: Audit Audit the use of Backup and Restore privilege (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. +title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)" +description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting." ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 ms.reviewer: ms.author: dansimp @@ -65,9 +65,9 @@ None. Changes to this policy become effective without a computer restart when th ### Auditing -Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited. +Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events will not be audited. -Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. +Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This setup can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](../auditing/audit-sensitive-privilege-use.md), which can help you manage the number of events generated. diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index 550e21d847..a431f30baf 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -1,6 +1,6 @@ --- title: Back up files and directories - security policy setting (Windows 10) -description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. +description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.reviewer: ms.author: dansimp @@ -22,13 +22,13 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. ## Reference -This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. +This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. -This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system: +This user right is similar to granting the following permissions to the user or group you selected on all files and folders on the system: - Traverse Folder/Execute File - List Folder/Read Data @@ -56,8 +56,8 @@ Constant: SeBackupPrivilege ### Best practices -1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. -2. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. +1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there's no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. +2. If your backup software runs under specific service accounts, only these accounts (and not the IT staff) should have the user right to back up files and directories. ### Location @@ -67,7 +67,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right. -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values for the server type or Group Policy Object (GPO). Default values are also listed on the policy’s property page. | Server type or GPO | Default value | | - | - | @@ -80,13 +80,13 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ### Group Policy -Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: +Settings are applied in the following order through a GPO, which will overwrite settings on the local computer at the next Group Policy update: 1. Local policy settings 2. Site policy settings @@ -101,15 +101,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. +Users who can back up data from a device to separate media could take the media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the data set. ### Countermeasure -Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. +Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you use software that backs up data under specific service accounts, only these accounts (and not the IT staff) should have the right to back up files and directories. ### Potential impact -Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations. +Changes in the membership of the groups that have the user right to back up files and directories could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that authorized administrators can still back up files and directories. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 869edc69a5..55281194fb 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for programs and data that are used frequently. Although the file is hidden from browsing, you can manage it using the system settings. +Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings. This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index c07cb74837..696c309ef6 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security This user right determines if users can create a symbolic link from the device they are logged on to. -A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. +A symbolic link is a file-system object that points to another file-system object. The object that's pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. >**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege @@ -40,7 +40,7 @@ Constant: SeCreateSymbolicLinkPrivilege ### Best practices -- This user right should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. +- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. ### Location @@ -73,16 +73,16 @@ Any change to the user rights assignment for an account becomes effective the ne Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: -1. Local policy settings -2. Site policy settings -3. Domain policy settings -4. OU policy settings +- Local policy settings +- Site policy settings +- Domain policy settings +- OU policy settings When a local setting is greyed out, it indicates that a GPO currently controls that setting. ### Command-line tools -This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevaluation /?** at the command prompt. +This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type `fsutil behavior set symlinkevaluation /?` at the command prompt. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index cb03383fb3..8e9e1de135 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. +This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. Constant: SeDebugPrivilege diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 5e75ce5325..3705d5c84b 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. ## Reference @@ -40,7 +40,7 @@ Constant: SeDenyBatchLogonRight 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). -3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. +3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks. This restriction helps with business continuity when that person transitions to other positions or responsibilities. ### Location @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the This section describes features and tools available to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job** On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. -For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** +For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting. User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. @@ -100,7 +100,7 @@ Assign the **Deny log on as a batch job** user right to the local Guest account. ### Potential impact -If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. +If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. Confirm that delegated tasks aren't affected adversely. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 2da4ae7aa5..ae1ff7ad09 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. ## Reference @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the This section describes features and tools available to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -89,11 +89,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure -services, and an attacker who has already attained that level of access could configure the service to run by using the System account. +services, and an attacker who already has that level of access could configure the service to run by using the System account. ### Countermeasure -We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. +We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to log on to a service application. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 473772b9bc..933e46f0a1 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -22,13 +22,13 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. +This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. ## Reference This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. -Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). @@ -44,7 +44,7 @@ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP ### Best practices -- It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. +- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. ### Location @@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. ### Countermeasure @@ -85,7 +85,7 @@ Configure the **Domain controller: LDAP server signing requirements** setting to ### Potential impact -Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. +Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index d21bf2cf15..fb56241385 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This security setting determines which users are allowed to shut down a device from a remote location on the network. This allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. +This security setting determines which users are allowed to shut down a device from a remote location on the network. This setting allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. Constant: SeRemoteShutdownPrivilege @@ -37,7 +37,7 @@ Constant: SeRemoteShutdownPrivilege ### Best practices -- Explicitly restrict this user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. +- Explicitly restrict this user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff. ### Location @@ -91,11 +91,11 @@ Any user who can shut down a device could cause a denial-of-service condition to ### Countermeasure -Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. +Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff. ### Potential impact -On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. +On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that delegated activities are not adversely affected. ## Related topics