From 3b16e01e520aabec17ad05ef3aebce755dc90e2d Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Fri, 5 Mar 2021 12:04:09 -0800 Subject: [PATCH 01/19] pencil edit --- .../threat-protection/microsoft-defender-atp/machine-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 1370c628f9..1826c31d95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -1,6 +1,6 @@ --- title: Create and manage device groups in Microsoft Defender ATP -description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group +description: Create device groups and set automated remediation levels on them by confirming the rules that apply on the group keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 From 9fd633ba5a9bf87b9868997929b69b44db80a164 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 12:38:29 +0500 Subject: [PATCH 02/19] update basic-audit-account-management.md --- .../basic-audit-account-management.md | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index 10a7cb1c8c..dd21f98e57 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md 
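Review bot: the replacement word in the description line looks like a mis-correction: "set automated remediation levels on them by confirming the rules that apply on the group" does not describe what the page does, and the original typo "confiring" almost certainly stood for "configuring". Suggest "by configuring the rules that apply to the group".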
@@ -46,48 +46,48 @@ You can configure this security setting by opening the appropriate policy under | Account management events | Description | |---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 624 | A user account was created. | -| 627 | A user password was changed. | -| 628 | A user password was set. | -| 630 | A user account was deleted. | -| 631 | A global group was created. | -| 632 | A member was added to a global group. | -| 633 | A member was removed from a global group. | -| 634 | A global group was deleted. | -| 635 | A new local group was created. | -| 636 | A member was added to a local group. | -| 637 | A member was removed from a local group. | -| 638 | A local group was deleted. | -| 639 | A local group account was changed. | -| 641 | A global group account was changed. | -| 642 | A user account was changed. | -| 643 | A domain policy was modified. | -| 644 | A user account was auto locked. | -| 645 | A computer account was created. | -| 646 | A computer account was changed. | -| 647 | A computer account was deleted. | -| 648 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 649 | A local security group with security disabled was changed. | -| 650 | A member was added to a security-disabled local security group. | -| 651 | A member was removed from a security-disabled local security group. | -| 652 | A security-disabled local group was deleted. | -| 653 | A security-disabled global group was created. | -| 645 | A security-disabled global group was changed. | -| 655 | A member was added to a security-disabled global group. | -| 656 | A member was removed from a security-disabled global group. | -| 657 | A security-disabled global group was deleted. | -| 658 | A security-enabled universal group was created. | -| 659 | A security-enabled universal group was changed. | -| 660 | A member was added to a security-enabled universal group. | -| 661 | A member was removed from a security-enabled universal group. | -| 662 | A security-enabled universal group was deleted. | -| 663 | A security-disabled universal group was created. | -| 664 | A security-disabled universal group was changed. | -| 665 | A member was added to a security-disabled universal group. | -| 666 | A member was removed from a security-disabled universal group. | -| 667 | A security-disabled universal group was deleted. | -| 668 | A group type was changed. | -| 684 | Set the security descriptor of members of administrative groups. | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. 
| +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | | 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics From ab320a70eac965e084f5e73670f000c27b9d559a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 2 Jun 2021 14:24:45 +0500 Subject: [PATCH 03/19] Update Proxy servers and Internal proxy servers Made changes in Proxy servers and Internal proxy servers. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9499 --- .../create-wip-policy-using-intune-azure.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index c10b2990b3..69a4976fae 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -486,7 +486,7 @@ Specify the proxy servers your devices will go through to reach your cloud resou Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in your Internal proxy servers list. -Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console 
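Review bot: the final row of the renumbered table is still the legacy ID 685 while every other row moved into the 47xx range (684 became 4780), and apart from its note it duplicates the 4780 description, so the table now mixes two numbering schemes; either renumber that row or fold the 60-minute note into the 4780 row. Good catch on the duplicated 645 in the old table (computer account created and security-disabled global group changed), which now correctly maps to 4750.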
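Review bot: the new line in the Proxy servers section, "Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.", conflicts with the unchanged context two lines above, "Using this server type indicates that the cloud resources you're connecting to are enterprise resources." Check whether that context sentence belongs in this section or was carried over from Internal proxy servers, and adjust it in the same change so the section is internally consistent.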
@@ -497,8 +497,7 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. -Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console From 1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 13:57:37 -0700 Subject: [PATCH 04/19] Added a note to page The note about separating allow and deny rules is at the end of the "More information about file path rules" section. --- .../select-types-of-rules-to-create.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index add268e0ee..d6e4970eb9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -126,6 +126,9 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. +>[!NOTE] +>We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy. + ## More information about hashes ### Why does scan create four hash rules per XML file? 
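Review bot: the replacement collapses two sentences onto one line ("This list shouldn't include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.") while the rest of the section keeps one sentence per line; keep the line break so the diff stays minimal and each statement remains independently editable.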
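Review bot: the wording of the new note is too informal for a docs page ("if for no other reason than it makes it a bit easier for an average person to reason over the policy"), and "version 1903 and higher" should name the product, for example "Windows 10, version 1903 and later". The alert marker also needs a space after ">" (">[!NOTE]" to "> [!NOTE]") to match the alert syntax used elsewhere, and a short pointer to what changed in that version would tell the reader why 1903 is the threshold.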
From a7aad9ca114beee8c588581bdbb7fa0f0a35863a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 16:47:01 -0700 Subject: [PATCH 05/19] Restored event ID 3086 and added event ID 8036 Event ID updates are for event-id-explanation. Also, I reworked the language in the new note added in the More information about firewall rules section. --- .../event-id-explanations.md | 3 ++- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 849d3ce821..b1da16e27a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -41,6 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | +| 8036| COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events 
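Review bot: the new 8036 row cites "Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs" as bare text; it should be a link to that topic. Also "| 8036|" is missing the space before the cell separator that the 8028, 8029 and 8038 rows use.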
@@ -108,7 +109,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs| +| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index d6e4970eb9..f110ba66c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
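Review bot: in the new 3086 description, put the expansion first and the abbreviation in parentheses, "isolated user mode (IUM) process", to match the style of the other rows in this table (for example "Windows LockDown Policy (WLDP)" in the 8028 row).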
@@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. >[!NOTE] ->We recommend maintaining separate ALLOW and DENY policies on version 1903 and higher, if for no other reason than it makes it a bit easier for an average person to reason over the policy. +>For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. ## More information about hashes From 3a01b40ec9a985a2e41a98b930123d584a8ad0bd Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Wed, 2 Jun 2021 17:13:12 -0700 Subject: [PATCH 06/19] Added link to event ID 8036 in the event id explanation doc Also, I added a space to the new note in select type of rules doc. --- .../event-id-explanations.md | 2 +- .../select-types-of-rules-to-create.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index b1da16e27a..fb6a29d22d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
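Review bot: subject-verb agreement in the rewritten note: "the WDAC policies that has been deployed" should read "that have been deployed". The ">[!NOTE]" marker also still lacks the space after ">".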
@@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs | +| 8036| COM object was blocked. Learn more about COM object authorization: [Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs](allow-com-object-registration-in-windows-defender-application-control-policy). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f110ba66c4..91b1a1725e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
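Review bot: the relative link target `allow-com-object-registration-in-windows-defender-application-control-policy` has no `.md` extension, unlike other relative links in this repository (for example `./servicing-stack-updates.md` in media-dynamic-update.md); confirm the docs build resolves it, otherwise add the extension. The "| 8036|" cell spacing is still inconsistent with the neighbouring rows.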
@@ -126,8 +126,8 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. ->[!NOTE] ->For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. +> [!NOTE] +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. ## More information about hashes From d705d4a1efeb44f92bca614d21753f9f60af0ba9 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:09:37 +0500 Subject: [PATCH 07/19] Update windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../create-wip-policy-using-intune-azure.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 69a4976fae..2cd10013da 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -497,7 +497,8 @@ proxy.contoso.com:80;proxy2.contoso.com:443 Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. +This list shouldn’t include any servers listed in your Proxy servers list. +Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. ```console From a840a33060203945db8dd81f3d570b142edf261a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 3 Jun 2021 12:20:45 +0500 Subject: [PATCH 08/19] Removal of spaces Removed spaces from the page. --- .../basic-audit-account-management.md | 90 +++++++++---------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index dd21f98e57..5541fc0f63 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md 
@@ -44,51 +44,51 @@ set this value to **No auditing**, in the **Properties** dialog box for this pol You can configure this security setting by opening the appropriate policy under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy. -| Account management events | Description | -|---------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 4720 | A user account was created. | -| 4723 | A user password was changed. | -| 4724 | A user password was set. | -| 4726 | A user account was deleted. | -| 4727 | A global group was created. | -| 4728 | A member was added to a global group. | -| 4729 | A member was removed from a global group. | -| 4730 | A global group was deleted. | -| 4731 | A new local group was created. | -| 4732 | A member was added to a local group. | -| 4733 | A member was removed from a local group. | -| 4734 | A local group was deleted. | -| 4735 | A local group account was changed. | -| 4737 | A global group account was changed. | -| 4738 | A user account was changed. | -| 4739 | A domain policy was modified. | -| 4740 | A user account was auto locked. | -| 4741 | A computer account was created. | -| 4742 | A computer account was changed. | -| 4743 | A computer account was deleted. | -| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. | -| 4745 | A local security group with security disabled was changed. | -| 4746 | A member was added to a security-disabled local security group. | -| 4747 | A member was removed from a security-disabled local security group. | -| 4748 | A security-disabled local group was deleted. | -| 4749 | A security-disabled global group was created. | -| 4750 | A security-disabled global group was changed. | -| 4751 | A member was added to a security-disabled global group. | -| 4752 | A member was removed from a security-disabled global group. | -| 4753 | A security-disabled global group was deleted. | -| 4754 | A security-enabled universal group was created. | -| 4755 | A security-enabled universal group was changed. | -| 4756 | A member was added to a security-enabled universal group. | -| 4757 | A member was removed from a security-enabled universal group. | -| 4758 | A security-enabled universal group was deleted. | -| 4759 | A security-disabled universal group was created. | -| 4760 | A security-disabled universal group was changed. | -| 4761 | A member was added to a security-disabled universal group. | -| 4762 | A member was removed from a security-disabled universal group. | -| 4763 | A security-disabled universal group was deleted. | -| 4764 | A group type was changed. | -| 4780 | Set the security descriptor of members of administrative groups. | -| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | +| Account management events | Description | +| :-----------------------: | :---------- | +| 4720 | A user account was created. | +| 4723 | A user password was changed. | +| 4724 | A user password was set. | +| 4726 | A user account was deleted. | +| 4727 | A global group was created. | +| 4728 | A member was added to a global group. | +| 4729 | A member was removed from a global group. | +| 4730 | A global group was deleted. | +| 4731 | A new local group was created. | +| 4732 | A member was added to a local group. | +| 4733 | A member was removed from a local group. | +| 4734 | A local group was deleted. | +| 4735 | A local group account was changed. | +| 4737 | A global group account was changed. | +| 4738 | A user account was changed. | +| 4739 | A domain policy was modified. | +| 4740 | A user account was auto locked. | +| 4741 | A computer account was created. | +| 4742 | A computer account was changed. | +| 4743 | A computer account was deleted. | +| 4744 | A local security group with security disabled was created.
**Note:** SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks | +| 4745 | A local security group with security disabled was changed. | +| 4746 | A member was added to a security-disabled local security group. | +| 4747 | A member was removed from a security-disabled local security group. | +| 4748 | A security-disabled local group was deleted. | +| 4749 | A security-disabled global group was created. | +| 4750 | A security-disabled global group was changed. | +| 4751 | A member was added to a security-disabled global group. | +| 4752 | A member was removed from a security-disabled global group. | +| 4753 | A security-disabled global group was deleted. | +| 4754 | A security-enabled universal group was created. | +| 4755 | A security-enabled universal group was changed. | +| 4756 | A member was added to a security-enabled universal group. | +| 4757 | A member was removed from a security-enabled universal group. | +| 4758 | A security-enabled universal group was deleted. | +| 4759 | A security-disabled universal group was created. | +| 4760 | A security-disabled universal group was changed. | +| 4761 | A member was added to a security-disabled universal group. | +| 4762 | A member was removed from a security-disabled universal group. | +| 4763 | A security-disabled universal group was deleted. | +| 4764 | A group type was changed. | +| 4780 | Set the security descriptor of members of administrative groups. | +| 685 | Set the security descriptor of members of administrative groups.
**Note:** Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. | ## Related topics From 840a38048575d1bbb83ef14c9877ab793d1ba891 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Fri, 4 Jun 2021 13:54:49 -0700 Subject: [PATCH 09/19] Added suggested feedback to event-id-explanation and select-types-of-rules documents. --- .../event-id-explanations.md | 2 +- .../select-types-of-rules-to-create.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index fb6a29d22d..f6ca319d9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -109,7 +109,7 @@ A list of other relevant event IDs and their corresponding description. | 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. | | 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. | -| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | +| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | | 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | | 3097 | The Code Integrity policy cannot be refreshed. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | 
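Review bot: the 4744 row drops the trailing period from its note ("...in access checks. |" becomes "...in access checks |") while the other note-bearing row, 685, keeps it; restore it. The 685 row is also still the only legacy ID left in the table after the 47xx renumbering, so this reformatting pass would have been the place to resolve it.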
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 91b1a1725e..fa5065912e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -127,7 +127,7 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. > [!NOTE] -> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on version 1903 and higher. +> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. ## More information about hashes From 57309f51e80c02e22b105c93f9198f14c9811faf Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 7 Jun 2021 09:38:34 -0700 Subject: [PATCH 10/19] Implemented 1 last suggestion to event ID 8036 --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index f6ca319d9d..e09ff64630 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
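Review bot: the agreement error "the WDAC policies that has been deployed" survives this revision; change it to "that have been deployed" alongside the "Windows 10, version 1903 and later" wording so the line does not need another pass.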
@@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. Learn more about COM object authorization: [Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From a7248e6d9cafecdc29fe8b25fbbf47ed878bfa63 Mon Sep 17 00:00:00 2001 From: Steve DiAcetis Date: Fri, 11 Jun 2021 14:09:12 -0700 Subject: [PATCH 11/19] Update media-dynamic-update.md Additional information on Flash removal --- windows/deployment/update/media-dynamic-update.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 34ef7cc00f..5b33d7c287 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
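Review bot: the link text and sentence now read well, but "| 8036|" still lacks the space before the cell separator that every other row uses, and the link target still has no `.md` extension; fix both here rather than in yet another pass over this row.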
@@ -84,6 +84,9 @@ This table shows the correct sequence for applying the various tasks to the file > [!NOTE] > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). +> [!NOTE] +> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). + ### Multiple Windows editions The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. From fe45e657bf13c815e40ef7c1e7893f7e8aa37281 Mon Sep 17 00:00:00 2001 
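Review bot: The added NOTE in media-dynamic-update.md reads "Windows 10, versions 1607 and Windows 10, version 1507", which is garbled; "Windows 10, versions 1607 and 1507" says the same thing. In the same block, "available on the Catalog" should be spelled out as "the Microsoft Update Catalog" to match the NOTE immediately above it.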
From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com> Date: Fri, 11 Jun 2021 14:13:45 -0700 Subject: [PATCH 12/19] FAQ Addition This additional question and answer was requested to be added to this FAQ document by Radia Soulmani . --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 0e4406aaa5..abb97cebcc 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -51,6 +51,10 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. +### I’m trying to watch playback video with HDR, why is the HDR option missing? + +In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. + ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. From 611dc0328fe7cdf684864aec19db3d13b099758f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 11 Jun 2021 14:34:51 -0700 Subject: [PATCH 13/19] Update faq-md-app-guard.md --- .../faq-md-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
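Review bot: The new heading "I’m trying to watch playback video with HDR, why is the HDR option missing?" is a comma splice; split it into two sentences ("...with HDR. Why is the HDR option missing?"). The answer says vGPU Hardware Acceleration must be enabled but not where; this FAQ already has a question about "the hardware acceleration policy", so name that policy or link to the configuration page so a reader can act on the answer.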
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index abb97cebcc..c37d466af5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 05/12/2021 +ms.date: 06/11/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -23,9 +23,9 @@ This article lists frequently asked questions with answers for Microsoft Defende ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4-GB RAM? +### Can I enable Application Guard on machines equipped with 4 GB RAM? -We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) @@ -51,7 +51,7 @@ Depending on your organization’s settings, it might be that Favorites Sync is Make sure to enable the extensions policy on your Application Guard configuration. -### I’m trying to watch playback video with HDR, why is the HDR option missing? +### I’m trying to watch playback video with HDR. Why is the HDR option missing? In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. 
@@ -102,7 +102,7 @@ Yes, both the Enterprise Resource domains that are hosted in the cloud and the d ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why do the Network Isolation policies in Group Policy and CSP look different? @@ -114,7 +114,7 @@ There is not a one-to-one mapping among all the Network Isolation policies betwe - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). +Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? From 1464230d8a9f035ff6dc317c890fb15955901cc1 Mon Sep 17 00:00:00 2001 
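Review bot: In the @@ -114,7 +114,7 hunk, the paragraph being reformatted ("Application Guard accesses files from a VHD mounted on the host...") is a verbatim duplicate of the one under "Why does my encryption driver break Microsoft Defender Application Guard?" in the hunk just above, and it sits under an unrelated question about Network Isolation policies. Rather than updating both copies, delete the stray one. Switching the error code to code formatting (`0x80070013 ERROR_WRITE_PROTECT`) is fine.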
From: Jaime Ondrusek Date: Fri, 11 Jun 2021 15:03:48 -0700 Subject: [PATCH 14/19] Update media-dynamic-update.md A few small changes for style. --- windows/deployment/update/media-dynamic-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 5b33d7c287..81b0cd7857 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
@@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through the KB4577586 “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying KB4577586, which is available on the Catalog, between steps 20 and 21. As of July 2021, the KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, versions 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. 
For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). ### Multiple Windows editions @@ -459,4 +459,4 @@ Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null Write-Output "$(Get-TS): Media refresh completed!" -``` \ No newline at end of file +``` From c79468fa89db03a73db421805d3b77f58597e752 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 11 Jun 2021 15:29:44 -0700 Subject: [PATCH 15/19] Update to deal with production outage issue If a customer running a failover cluster removes Authenticated Users group from this policy setting, the cluster goes down. --- .../access-this-computer-from-the-network.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index d20934b1f3..55c80b17f7 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md 
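Review bot: The rewritten NOTE places the comma inside the closing quotation mark ("Update for Removal of Adobe Flash Player,” will be included") while the first mention in the same block places punctuation outside ("Flash Player”. You can also"). Pick one placement; whichever it is, the appositive "KB4577586, “...”" needs a comma on both sides. The "\ No newline at end of file" fix on the closing PowerShell fence is fine.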
@@ -14,17 +14,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/11/2021 ms.technology: mde --- # Access this computer from the network - security policy setting **Applies to** -- Windows 10 +- Windows 10, Azure Stack HCI, Windows Server 2022, Windows Server 2019, Windows Server 2016 Describes the best practices, location, values, policy management, and security considerations for the **Access this computer from the network** security policy setting. +> [!WARNING] +> If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the **Access this computer from the network** policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. + ## Reference The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). 
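Review bot: The new WARNING duplicates, nearly word for word, the paragraph this same patch adds under the security-considerations section (hunk @@ -104,6 +108,8). Keep the full explanation in one place and make the other a one-line pointer; the two copies already differ ("don't" here, "do not" below; bold policy name here, plain text below) and will keep drifting. On content: the text says CLIUSR is not in local Administrators and that the cluster service fails once Authenticated Users is removed; saying outright that CLIUSR holds this right only through its Authenticated Users membership would make the cause explicit for anyone auditing this setting.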
@@ -43,6 +46,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. +- On failover clusters, make sure this right is granted to authenticated users. - This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -104,6 +108,8 @@ from servers in the domain if members of the **Domain Users** group are included If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. + ## Related topics [User Rights Assignment](user-rights-assignment.md) From 57e1b9eaaedab70491466dd1199d20c5058d880c Mon Sep 17 00:00:00 2001 
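Review bot: In the @@ -104,6 +108,8 hunk, the policy name "Access this computer from the network" is plain text, while the surrounding paragraph context uses **Access this computer from the network** in bold; match the existing formatting. The new best-practice bullet in the @@ -43,6 +46,7 hunk ("On failover clusters, make sure this right is granted to authenticated users") gives no reason on its own; a short cross-reference to the CLIUSR explanation would tell the reader why this bullet exists.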
From: Gary Moore Date: Sun, 13 Jun 2021 19:07:04 -0700 Subject: [PATCH 16/19] Correct bad link added in the public repo This commit corrects the bad link added in commit https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646/commits/1ca6bc2544d22c9a01b92fe2e8fa7f7f3df44c44 in PR https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9646. --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index c3f6909aaa..9c79336c9d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -41,7 +41,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind |--------|-----------| | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. | | 8029 | Block script/MSI file | -| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy). | +| 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | | ## Optional Intelligent Security Graph (ISG) or Managed Installer (MI) diagnostic events From 83d688e3f2ea31d4c1b4dc8965dc2c6c82b264df Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Sun, 13 Jun 2021 22:08:07 -0700 Subject: [PATCH 17/19] Remove the Markdown version of this file, which has been replaced by a YAML file in the private branch. --- .../faq-md-app-guard.md | 214 ------------------ 1 file changed, 214 deletions(-) delete mode 100644 windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md deleted file mode 100644 index c37d466af5..0000000000 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ /dev/null 
@@ -1,214 +0,0 @@ ---- -title: FAQ - Microsoft Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.date: 06/11/2021 -ms.reviewer: -manager: dansimp -ms.custom: asr -ms.technology: mde ---- - -# Frequently asked questions - Microsoft Defender Application Guard - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. - -## Frequently Asked Questions - -### Can I enable Application Guard on machines equipped with 4 GB RAM? - -We recommend 8 GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. - -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) - -### Can employees download documents from the Application Guard Edge session onto host devices? - -In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. - -In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. 
However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. - -### Can employees copy and paste between the host device and the Application Guard Edge session? - -Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. - -### Why don't employees see their favorites in the Application Guard Edge session? - -Depending on your organization’s settings, it might be that Favorites Sync is turned off. To manage the policy, see: [Microsoft Edge and Microsoft Defender Application Guard | Microsoft Docs](/deployedge/microsoft-edge-security-windows-defender-application-guard) - -### Why aren’t employees able to see their extensions in the Application Guard Edge session? - -Make sure to enable the extensions policy on your Application Guard configuration. - -### I’m trying to watch playback video with HDR. Why is the HDR option missing? - -In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard. - -### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? - -Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - -### Which Input Method Editors (IME) in 19H1 are not supported? 
- -The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: - -- Vietnam Telex keyboard -- Vietnam number key-based keyboard -- Hindi phonetic keyboard -- Bangla phonetic keyboard -- Marathi phonetic keyboard -- Telugu phonetic keyboard -- Tamil phonetic keyboard -- Kannada phonetic keyboard -- Malayalam phonetic keyboard -- Gujarati phonetic keyboard -- Odia phonetic keyboard -- Punjabi phonetic keyboard - -### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? - -This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - -### What is the WDAGUtilityAccount local account? - -WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: - -**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - -We recommend that you do not modify this account. - -### How do I trust a subdomain in my site list? - -To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). 
This prevents sites such as `fakesitecontoso.com` from being trusted. - -### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? - -When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - -### Is there a size limit to the domain lists that I need to configure? - -Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. - -### Why does my encryption driver break Microsoft Defender Application Guard? - -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why do the Network Isolation policies in Group Policy and CSP look different? - -There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - -- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - -- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - -- For EnterpriseNetworkDomainNames, there is no mapped CSP policy. - -Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. 
If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). - -### Why did Application Guard stop working after I turned off hyperthreading? - -If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. - -### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? - -Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. - -### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? - -This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - -- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) -- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) - -#### First rule (DHCP Server) -1. Program path: `%SystemRoot%\System32\svchost.exe` - -2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` - -3. Protocol UDP - -4. Port 67 - -#### Second rule (DHCP Client) -This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: - -1. Right-click on inbound rules, and then create a new rule. - -2. Choose **custom rule**. - -3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`. - -4. Specify the following settings: - - Protocol Type: UDP - - Specific ports: 67 - - Remote port: any - -5. Specify any IP addresses. - -6. Allow the connection. 
- -7. Specify to use all profiles. - -8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. - -9. In the **Programs and services** tab, under the **Services** section, select **settings**. - -10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. - -### Why can I not launch Application Guard when Exploit Guard is enabled? - -There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. - -### How can I disable portions of ICS without breaking Application Guard? - -ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. - -1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. - -2. Disable IpNat.sys from ICS load as follows:
-`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - -3. Configure ICS (SharedAccess) to enabled as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - -4. (This is optional) Disable IPNAT as follows:
-`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` - -5. Reboot the device. - -### Why doesn't the container fully load when device control policies are enabled? - -Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly. - -Policy: Allow installation of devices that match any of the following device IDs: - -- `SCSI\DiskMsft____Virtual_Disk____` -- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` -- `VMS_VSF` -- `root\Vpcivsp` -- `root\VMBus` -- `vms_mp` -- `VMS_VSP` -- `ROOT\VKRNLINTVSP` -- `ROOT\VID` -- `root\storvsp` -- `vms_vsmp` -- `VMS_PP` - -Policy: Allow installation of devices using drivers that match these device setup classes -- `{71a27cdd-812a-11d0-bec7-08002be2092f}` - -## See also - -[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md) From f07b4f01f30e6e85aa162856ae32936b6ad82f10 Mon Sep 17 00:00:00 2001 From: "Steve DiAcetis (MSFT)" <52939067+SteveDiAcetis@users.noreply.github.com> Date: Mon, 14 Jun 2021 08:39:15 -0700 Subject: [PATCH 18/19] Update windows/deployment/update/media-dynamic-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 81b0cd7857..85d236c15d 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
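Review bot: This deletes faq-md-app-guard.md outright, but the diff carries no redirect for the old page, and the commit message says the replacement YAML lives in a private branch, so every inbound link to this FAQ will break until that replacement lands. Add a redirect entry in the same change, or land the YAML version first. Note also that patches 12 and 13 in this series edit this very file only for it to be deleted here; folding those edits into the YAML replacement would avoid the churn.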
@@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player,” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). 
### Multiple Windows editions From 17db40a3eb6f99a7ad7d4f06edc1e1fea0e58274 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Mon, 14 Jun 2021 09:08:56 -0700 Subject: [PATCH 19/19] Update media-dynamic-update.md Corrected comma. --- windows/deployment/update/media-dynamic-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 85d236c15d..2664d3f9d8 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md 
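Review bot: the commit message ("Update windows/deployment/update/media-dynamic-update.md") gives no reason for the change; the hunk moves the comma outside the closing quote (`“Update for Removal of Adobe Flash Player”,`), which matches the `”.` used in the first sentence of the same note, so a message such as "Move comma outside closing quote for consistency with the earlier sentence" would make the intent reviewable. Keep the comma itself: in `As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included`, the quoted title is an appositive and needs the closing comma before `will be included`.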
@@ -85,7 +85,7 @@ This table shows the correct sequence for applying the various tasks to the file > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](./servicing-stack-updates.md). > [!NOTE] -> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player”, will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). +> Microsoft will remove the Flash component from Windows through KB4577586, “Update for Removal of Adobe Flash Player”. You can also remove Flash anytime by deploying the update in KB4577586 (available on the Catalog) between steps 20 and 21. As of July 2021, KB4577586, “Update for Removal of Adobe Flash Player” will be included in the latest cumulative update for Windows 10, versions 1607 and 1507. The update will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard. For more information, see [Update on Adobe Flash Player End of Support](https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/). 
### Multiple Windows editions
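Review bot: dropping the comma after `“Update for Removal of Adobe Flash Player”` leaves the appositive half-delimited: `KB4577586, “Update for Removal of Adobe Flash Player” will be included` opens with a comma after `KB4577586` but never closes it. Either keep both commas (`KB4577586, “Update for Removal of Adobe Flash Player”, will be included`) or drop both; and since the previous commit moved this same comma, the message "Corrected comma." should state which punctuation convention the page follows so the two commits do not read as undoing each other.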