diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index e8dc4d3729..c23aac08e5 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 09/29/2021
+ms.date: 12/16/2021
ms.reviewer:
manager: dansimp
---
@@ -23,6 +23,9 @@ manager: dansimp
LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
+
+ LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
+
LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
@@ -222,6 +225,54 @@ The following list shows the supported values:
+
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This setting allows the administrator to enable the local Administrator account.
+
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+
+
+
+GP Info:
+- GP Friendly name: *Accounts: Enable Administrator Account Status*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+The following list shows the supported values:
+
+- 0 - disabled (local Administrator account is disabled).
+- 1 - enabled (local Administrator account is enabled).
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
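Review bot: the description line `This setting allows the administrator to enable the local Administrator account.` covers only value 1, while the supported-values list also documents 0 (disable); say the policy sets the account status either way and add the default value, which the section does not state, because readers using this page as a hardening reference need to know which value restores the baseline before they enable the built-in account. Also, the hunk carries runs of five to six consecutive blank `+` lines (after the edition table, around the Scope checklist and at the end of the section); trim each to a single blank line so the rendered entry matches the neighbouring policies.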
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index ced9fe042a..22a950170a 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -1,13 +1,13 @@
---
title: Policy CSP - NetworkListManager
-description: The Policy CSP - NetworkListManager setting creates a new MDM policy that allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
+description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
-ms.date: 7/10/2021
+ms.date: 12/16/2021
ms.reviewer:
manager: dansimp
---
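Review bot: the new `description:` line is ungrammatical ("is a setting creates a new MDM policy"); suggest `description: Policy CSP - NetworkListManager is a setting that creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.` The removed single-sentence wording was already correct, so if the split is only for description length, keep the relative clause.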
@@ -18,7 +18,7 @@ manager: dansimp
-## NetworkListManager policies
+## NetworkListManager policies
-
@@ -58,9 +58,19 @@ manager: dansimp
-This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
+This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
-
+When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
+
+``
+
+- The HTTPS endpoint must not have any more authentication checks, such as login or multi-factor authentication.
+
+- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
+
+- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
+
+- A certificate should not be a public certificate.
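Review bot: the format promised by `When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:` is missing; the line that follows is an empty inline code span (` `` `), so readers get no example of how to separate the URLs that the paragraph above says are separated by Unicode character 0xF000. Fill the span with the actual format or drop the sentence. In the bullets, `must not have any more authentication checks` reads better as `must not require additional authentication, such as a login or multi-factor authentication`, and `A certificate should not be a public certificate` is ambiguous: name which certificate (the HTTPS server certificate) and what is meant (issued by an internal CA rather than a public CA), which also ties it to the preceding bullet that requires the issuing CA to be in the client's root store.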
@@ -91,7 +101,7 @@ This policy setting provides the list of URLs (separated by Unicode character 0x
-This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy.
+This policy setting provides the string that is to be used to name a network. That network is authenticated against one of the endpoints that are listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an _Always On_ VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute.
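Review bot: `the string that is to be used to name a network` is wordier than the removed `the string to be used to name the network`; keep the shorter form and attach the new sentence to it. The added Always On VPN sentence is the substantive part of this change and should stay: it tells admins that the value must equal the DNS suffix configured in the TrustedNetworkDetection attribute, which is the detail that keeps the two settings consistent.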
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index d27fd0af96..9789b8c171 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -26,26 +26,26 @@ ms.custom: seo-marvel-apr2020
In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md).
-Update Compliance:
+Update Compliance:
- Provides detailed deployment monitoring for Windows client feature and quality updates.
- Reports when devices need attention due to issues related to update deployment.
- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md).
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile
-After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
+After Update Compliance is successfully [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, select your Update Compliance deployment in the **Solutions** section, and then select **Summary** to see this tile:
-
+:::image type="content" alt-text="Update Compliance tile no data." source="images/UC_tile_assessing.png":::
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
-
+:::image type="content" alt-text="Update Compliance tile with data." source="images/UC_tile_filled.png":::
The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
## The Update Compliance workspace
-
+:::image type="content" alt-text="Update Compliance workspace view." source="images/UC_workspace_needs_attention.png" lightbox="images/UC_workspace_needs_attention.png":::
When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data.
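Review bot: `log analytics workspace` on the changed line should be `Log Analytics workspace`, matching the product name used in the `Provides all of the above data in [Log Analytics]` bullet in the same hunk. The new alt texts `Update Compliance tile no data.` and `Update Compliance tile with data.` would serve screen readers better as full phrases, for example `Update Compliance tile before data is available` and `Update Compliance tile showing device summary`.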
@@ -93,4 +93,4 @@ See below for a few topics related to Log Analytics:
## Related topics
-[Get started with Update Compliance](update-compliance-get-started.md)
\ No newline at end of file
+[Get started with Update Compliance](update-compliance-get-started.md)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 095e9ddef9..59826162ce 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -14,17 +14,17 @@ ms.collection:
- M365-identity-device-management
- highpri
ms.topic: article
-ms.date: 09/30/2020
+ms.date: 12/16/2021
---
# Windows Defender Credential Guard: Requirements
## Applies to
-- Windows 10
-- Windows 11
-- Windows Server 2016
+- Windows 11 Professional and Enterprise
+- Windows 10 Professional and Enterprise
- Windows Server 2019
+- Windows Server 2016
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
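Review bot: the new Applies to entries use `Professional`, while the other pages in this patch list editions without qualifiers (`Windows 10`, `Windows 11`) and the edition itself is branded `Pro`; align the wording (`Windows 11 Pro and Enterprise`, `Windows 10 Pro and Enterprise`) or note why an edition qualifier is needed on this page only. The newest-first reorder is applied consistently to the client and server lines.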
@@ -155,4 +155,4 @@ The following table lists qualifications for Windows 10, version 1703, which are
>
> - Do not attempt to directly modify executable system memory
>
-> - Do not use dynamic code
\ No newline at end of file
+> - Do not use dynamic code
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 6ab435279c..306872fcbc 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 09/06/2021
+ms.date: 12/16/2021
ms.technology: windows-sec
---
@@ -46,6 +46,8 @@ If success auditing is enabled, an audit entry is generated each time any accoun
- [4670](event-4670.md)(S): Permissions on an object were changed.
-> [!NOTE]
-> On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys you will see an additional 4663 event because you perform NtEnumerateKeys on the newly created subkey. You might additionally see a 4663 event on the newly created key if you try to rename the subkey. While using reg.exe for creating subkeys you'll see an additional 4663 event because you perform NtSetValueKey on the newly created subkey. We recommend not relying on 4663 events for subkey creation as they are dependent on the type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe.
+> [!NOTE]
+> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
+
+Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.
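Review bot: the last added line (`creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would`) contradicts the removed text, which stated that regedit.exe does generate an additional 4663 because it performs NtEnumerateKeys on the new subkey, and the removed recommendation not to rely on 4663 for subkey creation (behaviour differs between regedit.exe and reg.exe, and depends on the parent's permissions) has been dropped without replacement. Detection content keyed on 4663 for key creation depends on this guidance, so either confirm the new behaviour was re-tested and reinstate the recommendation, or keep the original wording. Two smaller points: the new paragraph sits outside the `> [!NOTE]` blockquote (no `>` prefix), which changes how it renders; and the Local Security Policy node is `Advanced Audit Policy Configuration` (singular).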
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 2ba6bae7e6..4d66697518 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,7 +10,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 11/29/2021
+ms.date: 12/16/2021
ms.reviewer:
ms.technology: windows-sec
---
@@ -19,8 +19,9 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
+- Windows 11
-This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
+This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11.
Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
@@ -34,9 +35,9 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
-## How to turn on HVCI in Windows 10
+## How to turn on HVCI in Windows 10 and Windows 11
-To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
+To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware throughout an enterprise, use any of these options:
- [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy)
@@ -80,7 +81,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
-#### For Windows 10 version 1607 and later
+#### For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
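Review bot: the heading `For Windows 10 version 1607 and later and for Windows 11 version 21H2` reads awkwardly with the doubled `and`; suggest `For Windows 10 version 1607 and later, and Windows 11`. Pinning Windows 11 to 21H2 also implies that later Windows 11 versions are excluded; if that is not intended, drop the version number.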
@@ -194,17 +195,17 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
### Validate enabled Windows Defender Device Guard hardware-based security features
-Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
+Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell
Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
```
> [!NOTE]
-> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
+> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
> [!NOTE]
-> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.
+> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.
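Review bot: `starting with Windows 10 version 1803 and Windows 11 version 21H2` on the changed NOTE line is redundant, since 21H2 is the first Windows 11 release; `and Windows 11` suffices. While this block is being touched, the command in the unchanged context line `Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` uses en dashes before the parameter names; PowerShell tolerates them, but they break when the line is pasted into other tools or scripts, so normalize to `-ClassName` and `-Namespace`.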
diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
index 6760680ea6..e2a05656b9 100644
--- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
+++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 12/16/2021
ms.technology: windows-sec
---
@@ -22,6 +22,7 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
+- Windows 11
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.