Guests| |Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| +|Safe to move out of default container?|Can be moved out, but we don't recommend it.| |Safe to delegate management of this group to non-Service admins?|No| ### DefaultAccount The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. The DSMA is a well-known user account type. -It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. +It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\
-- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
+- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
-- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
+- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
- **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
@@ -155,7 +155,7 @@ This event generates every time network share object was modified.
| "AU" | Authenticated users | "LG" | Local guest |
| "BA" | Built-in administrators | "LS" | Local service account |
| "BG" | Built-in guests | "SY" | Local system |
-| "BO" | Backup operators | "NU" | Network logon user |
+| "BO" | Backup operators | "NU" | Network sign-in user |
| "BU" | Built-in users | "NO" | Network configuration operators |
| "CA" | Certificate server administrators | "NS" | Network service account |
| "CG" | Creator group | "PO" | Printer operators |
@@ -167,7 +167,7 @@ This event generates every time network share object was modified.
| "DU" | Domain users | "RC" | Restricted code |
| "EA" | Enterprise administrators | "SA" | Schema administrators |
| "ED" | Enterprise domain controllers | "SO" | Server operators |
-| "WD" | Everyone | "SU" | Service logon user |
+| "WD" | Everyone | "SU" | Service sign-in user |
- *G*: = Primary Group.
- *D*: = DACL Entries.
@@ -187,7 +187,7 @@ Example: D:(A;;FA;;;WD)
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
-"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
+"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
@@ -213,7 +213,7 @@ Example: D:(A;;FA;;;WD)
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
-"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
+"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
@@ -224,7 +224,7 @@ Example: D:(A;;FA;;;WD)
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
-- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
+- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
| Value | Description | Value | Description |
|----------------------------|---------------------------------|----------------------|--------------------------|
@@ -246,7 +246,7 @@ Example: D:(A;;FA;;;WD)
- object\_guid: N/A
- inherit\_object\_guid: N/A
-- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
+- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
For more information about SDDL syntax, see these articles: %%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.
**ListDirectory -** For a directory, the right to list the contents of the directory. | | WriteData (or AddFile) | 0x2,
%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).
**AddFile -** For a directory, the right to create a file in the directory. | -| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | +| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations won't overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
**AddSubdirectory -** For a directory, the right to create a subdirectory.
**CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA | 0x8,
%%4419 | The right to read extended file attributes. | | WriteEA | 0x10,
%%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. | +| Execute/Traverse | 0x20,
%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING** [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE** [access right](/windows/win32/secauthz/access-rights-and-access-masks). For more information, see the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights). | | DeleteChild | 0x40,
%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80,
%%4423 | The right to read file attributes. | | WriteAttributes | 0x100,
%%4424 | The right to write file attributes. | @@ -155,7 +155,7 @@ This event generates every time network share object (file or folder) was access | READ\_CONTROL | 0x20000,
%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). | | WRITE\_DAC | 0x40000,
%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. | | WRITE\_OWNER | 0x80000,
%%1540 | The right to change the owner in the object's security descriptor | -| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. | +| SYNCHRONIZE | 0x100000,
%%1541 | The right to use the object for synchronization. This right enables a thread to wait until the object is in the signaled state. Some object types don't support this access right. | | ACCESS\_SYS\_SEC | 0x1000000,
%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. | > Table 13. File access codes. @@ -193,7 +193,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -205,7 +205,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. @@ -225,7 +225,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -251,7 +251,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -262,7 +262,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -284,7 +284,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles:
@@ -100,7 +100,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** The port number used by the application.
@@ -126,7 +126,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you will get a 0 value in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you'll get a 0 value in this field.
To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example:
@@ -134,7 +134,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As a result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index f19c968a01..4c668565fa 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** port number from which the connection was initiated.
@@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
@@ -167,20 +167,20 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
- Check that “**Source Address”** is one of the addresses assigned to the computer.
-- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
+- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index e860f2729c..3569920d49 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
@@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
@@ -167,20 +167,20 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
- Check that “**Source Address”** is one of the addresses assigned to the computer.
-- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
+- If the\` computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index f2a088807e..e2ecfbd040 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -90,7 +90,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
**Network Information:**
-- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port.
+- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bound the port.
- IPv4 Address
@@ -100,7 +100,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
@@ -126,7 +126,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you'll get value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
@@ -144,7 +144,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
-- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
+- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
@@ -152,6 +152,6 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
+- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 6 or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index c66d53025f..61393ef168 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -98,7 +98,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
- 0.0.0.0 - all IP addresses in IPv4 format
- - 127.0.0.1 , ::1 - localhost
+ - 127.0.0.1, ::1 - localhost
- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
@@ -124,7 +124,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you'll get value 0 in this field.
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
@@ -138,4 +138,4 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
## Security Monitoring Recommendations
-- There is no recommendation for this event in this document.
\ No newline at end of file
+- There's no recommendation for this event in this document.
\ No newline at end of file
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index 08210802e3..7b2b12b6e5 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -85,7 +85,7 @@ It typically generates when network adapter connects to new wireless network.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
@@ -125,16 +125,16 @@ You can see interface’s GUID using the following commands:
- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: Administrators may create a custom policy to set the registry value if needed.
SAM responds dynamically to changes in this registry value without a reboot.
You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.| +|Notes|This setting can't be added or removed by using predefined Group Policy settings.
Administrators may create a custom policy to set the registry value if needed.
SAM responds dynamically to changes in this registry value without a reboot.
You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.| ### Related events @@ -130,7 +130,7 @@ There are corresponding events that indicate when remote calls to the SAM are re |16966|Audit Mode is enabled-
Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. |16967|Audit Mode is disabled-
Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled. |16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n"
%1- "Client SID:"
%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.| -|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n
"%1- "Throttle window:"
%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap.
Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section. +|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1-seconds throttling window.%n
"%1- "Throttle window:"
%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap.
Note: There's no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section. Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. @@ -143,11 +143,11 @@ Setting |RestrictRemoteSamEventThrottlingWindow| Data Type |DWORD| |Value|seconds| |Reboot Required?|No| -|Notes|**Default** is 900 seconds – 15mins.
The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window.
For example, X events were suppressed in the last 15 minutes.
The counter is restarted after the event 16969 is logged. +|Notes|**Default** is 900 seconds – 15 mins.
The throttling uses a suppressed events counter that starts at 0 and gets incremented during the throttling window.
For example, X events were suppressed in the last 15 minutes.
The counter is restarted after the event 16969 is logged. ### Restart requirement -Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy. +Restarts aren't required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -158,7 +158,7 @@ The SAMRPC protocol has a default security posture that makes it possible for lo The following example illustrates how an attacker might exploit remote SAM enumeration: 1. A low-privileged attacker gains a foothold on a network. 2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. -3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials. +3. If the attacker can, then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to sign in and then steal or impersonate those credentials. ### Countermeasure You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access. diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index 0e8c62d1a3..8886a5ba0a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -36,7 +36,7 @@ This policy setting determines which shared folders can be accessed by anonymous ### Best practices -- Set this policy to a null value. There should be little impact because this is the default value. All users will have to be authenticated before they can access shared resources on the server. +- Set this policy to a null value. There should be little impact because this null value is the default one. All users will have to be authenticated before they can access shared resources on the server. ### Location @@ -61,7 +61,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -77,7 +77,7 @@ Configure the **Network access: Shares that can be accessed anonymously** settin ### Potential impact -There should be little impact because this is the default configuration. Only authenticated users have access to shared resources on the server. +There should be little impact because this state is the default configuration. Only authenticated users have access to shared resources on the server. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index f4a400c044..c13b8ecea9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -32,7 +32,7 @@ This policy setting determines how network logons that use local accounts are au >**Note:** This policy setting does not affect network logons that use domain accounts. Nor does this policy setting affect interactive logons that are performed remotely through services such as Telnet or Remote Desktop Services. When the device is not joined to a domain, this policy setting also tailors the **Sharing** and **Security** tabs in Windows Explorer to correspond to the sharing and security model that is being used. -When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This means that they will probably be unable to write to shared folders. Although this does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. +When the value of this policy setting is **Guest only - local users authenticate as Guest**, any user who can access your device over the network does so with Guest user rights. This privilege means that they'll probably be unable to write to shared folders. Although this restriction does increase security, it makes it impossible for authorized users to access shared resources on those systems. When the value is **Classic - local users authenticate as themselves**, local accounts must be password-protected; otherwise, anyone can use those user accounts to access shared system resources. ### Possible values @@ -68,11 +68,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they do not have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. +With the Guest only model, any user who can authenticate to your device over the network does so with Guest privileges, which probably means that they don't have Write access to shared resources on that device. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. ### Countermeasure @@ -88,7 +88,7 @@ For network servers, configure the **Network access: Sharing and security model ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 261dd0a213..2b7a73365a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -35,9 +35,9 @@ When a service connects with the device identity, signing and encryption are sup | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | | - | - | - | -| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | -| Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| -|Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| +| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This behavior is the default behavior. | +| Disabled| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. This behavior is the default behavior.| Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously.| +|Neither|Services running as Local System that uses Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that uses Negotiate will use the computer identity. This behavior might cause some authentication requests between Windows operating systems to fail and log an error.| ### Location @@ -61,17 +61,17 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations -The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This will increase the success of interoperability at the expense of security. +The policy [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md), if enabled, will allow NTLM or Kerberos authentication to be used when a system service attempts authentication. This privilege will increase the success of interoperability at the expense of security. The anonymous authentication behavior is different for Windows Server 2008 and Windows Vista than later versions of Windows. Configuring and applying this policy setting on those systems might not produce the same results. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -89,7 +89,7 @@ You can configure the **Network security: Allow Local System to use computer ide ### Potential impact -If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. +If you don't configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that uses the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index 401a588948..271d990f14 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for ## Reference This policy affects session security during the authentication process between devices running Windows Server 2008 R2 and Windows 7 and later and those devices running earlier versions of the Windows operating system. For computers running Windows Server 2008 R2 and Windows 7 and later, services running as Local System require a service principal name (SPN) to generate the session key. However, if [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) is set to disabled, services running as Local -System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session does not establish a unique session key for each authentication; and thus, it cannot provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. +System will fall back to using NULL session authentication when they transmit data to servers running versions of Windows earlier than Windows Vista or Windows Server 2008. NULL session doesn't establish a unique session key for each authentication; and thus, it can't provide integrity or confidentiality protection. The setting **Network security: Allow LocalSystem NULL session fallback** determines whether services that request the use of session security are allowed to perform signature or encryption functions with a well-known key for application compatibility. ### Possible values @@ -41,13 +41,13 @@ System will fall back to using NULL session authentication when they transmit da When a service running as Local System connects with a NULL session, session security will be unavailable. Calls seeking encryption or signing will fail. This setting is more secure, but at the risk of degrading application incompatibility. Calls that are using the device identity instead of a NULL session will still have full use of session security. -- Not defined. When this policy is not defined, the default takes effect. This is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it is Disabled otherwise. +- Not defined. When this policy isn't defined, the default takes effect. This policy is Enabled for versions of the Windows operating system earlier than Windows Server 2008 R2 and Windows 7, and it's Disabled otherwise. ### Best practices -When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection is not provided. However, you will need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. +When services connect with the device identity, signing and encryption are supported to provide data protection. When services connect with a NULL session, this level of data protection isn't provided. However, you'll need to evaluate your environment to determine the Windows operating system versions that you support. If this policy is enabled, some services may not be able to authenticate. -This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it is disabled in Windows 7 and Windows Server 2008 R2 and later. +This policy applies to Windows Server 2008 and Windows Vista (SP1 and later). When your environment no longer requires support for Windows NT 4, this policy should be disabled. By default, it's disabled in Windows 7 and Windows Server 2008 R2 and later. ### Location @@ -74,11 +74,11 @@ If this setting is Enabled, when a service connects with a NULL session, a syste ### Countermeasure -You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that is not possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. +You can configure the computer to use the computer identity for Local System with the policy **Network security: Allow Local System to use computer identity for NTLM**. If that isn't possible, this policy can be used to prevent data from being exposed in transit if it was protected with a well-known key. ### Potential impact -If you enable this policy, services that use NULL session with Local System could fail to authenticate because they will be prohibited from using signing and encryption. +If you enable this policy, services that use NULL session with Local System could fail to authenticate because they'll be prohibited from using signing and encryption. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 1c229713a8..093d8db29f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -27,18 +27,18 @@ This article describes the best practices, location, and values for the **Networ ## Reference -Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. +From Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, Negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U. You can also develop or add other SSPs. -When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that's used to sign in. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When it's validated on the peer computer, the certificate within the metadata is sent to the sign-in peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes. > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. +This policy isn't configured by default on domain-joined devices. This disablement would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. ### Possible values -- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +- **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship by using online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the sign-in peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes. > [!NOTE] > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. @@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD-joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. +Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then sign in to a peer device (if the peer device is likewise configured) without the use of a Windows sign-in account (domain or local). This setup isn't only beneficial, but required for Azure AD-joined devices, where they're signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it doesn't pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate. ### Countermeasure @@ -83,9 +83,9 @@ Set this policy to *Disabled* or don't configure this security policy for *on-pr ### Potential impact -If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This is a valid configuration in *on-premises only* environments. Please be aware that some roles/features (such as Failover Clustering) do not utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. +If you don't set or you disable this policy, the PKU2U protocol won't be used to authenticate between peer devices, which forces users to follow domain-defined access control policies. This disablement is a valid configuration in *on-premises only* environments. Some roles/features (such as Failover Clustering) don't utilize a domain account for its PKU2U authentication and will cease to function properly when disabling this policy. -If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work. +If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. If this policy isn't enabled, remote connections to an Azure AD joined device won't work. ### Fix/Remediation diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index bcaef6d811..afe9be35da 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -37,11 +37,11 @@ The following table lists and explains the allowed encryption types. | Encryption type | Description and version support | | - | - | | DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | -| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems do not support DES by default. | +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | | RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.| | AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | | AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | -| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.| +| Future encryption types| Reserved by Microsoft for other encryption types that might be implemented.| ### Possible values @@ -55,7 +55,7 @@ The encryption type options include: - AES256\_HMAC\_SHA1 - Future encryption types - As of the release of Windows 7 and Windows Server 2008 R2, this is reserved by Microsoft for additional encryption types that might be implemented. + As of the release of Windows 7 and Windows Server 2008 R2, these options are reserved by Microsoft for other encryption types that might be implemented. ### Best practices @@ -72,9 +72,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Default domain policy| Not defined| | Default domain controller policy| Not defined| | Stand-alone server default settings | Not defined| -| Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.| -| Member server effective default settings | The default OS setting applies, DES suites are not supported by default.| -| Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.| +| Domain controller effective default settings | The default OS setting applies, DES suites aren't supported by default.| +| Member server effective default settings | The default OS setting applies, DES suites aren't supported by default.| +| Effective GPO default settings on client computers | The default OS setting applies, DES suites aren't supported by default.| ## Security considerations @@ -87,14 +87,14 @@ Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES fo ### Countermeasure -Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7, and Windows 10 to use the AES or RC4 cryptographic suites. +Don't configure this policy. This disablement will force the computers running Windows Server 2008 R2, Windows 7, and Windows 10 to use the AES or RC4 cryptographic suites. ### Potential impact If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. -If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. +If you do select any encryption type, you'll lower the effectiveness of encryption for Kerberos authentication but you'll improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index ebf155ba56..e0ecaddc05 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting determines whether LAN Manager is prevented from storing hash values for the new password the next time the password is changed. Hash values are a representation of the password after the encryption algorithm is applied that corresponds to the format that is specified by the algorithm. To decrypt the hash value, the encryption algorithm must be determined and then reversed. The LAN Manager hash is relatively weak and prone to attack compared to the cryptographically stronger NTLM hash. Because the LM hash is stored on the local device in the security database, the passwords can be compromised if the security database, Security Accounts Manager (SAM), is attacked. -By attacking the SAM file, attackers can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting will not prevent these types of attacks, but it will make them much more difficult. +When the attackers attack the SAM file, they can potentially gain access to user names and password hashes. Attackers can use a password-cracking tool to determine what the password is. After they have access to this information, they can use it to gain access to resources on your network by impersonating users. Enabling this policy setting won't prevent these types of attacks, but it will make them much more difficult. ### Possible values @@ -40,7 +40,7 @@ By attacking the SAM file, attackers can potentially gain access to user names a ### Best practices - Set **Network security: Do not store LAN Manager hash value on next password change** to **Enabled**. - - Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. + - Require all users to set new passwords the next time they sign in to the domain so that LAN Manager hashes are removed. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -73,11 +73,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks are not prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it is much more difficult for these attacks to succeed. +The SAM file can be targeted by attackers who seek access to user names and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks aren't prevented by enabling this policy setting because LAN Manager hashes are much weaker than NTLM hashes, but it's much more difficult for these attacks to succeed. ### Countermeasure -Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they log on to the domain so that LAN Manager hashes are removed. +Enable the **Network security: Do not store LAN Manager hash value on next password change** setting. Require all users to set new passwords the next time they sign in to the domain so that LAN Manager hashes are removed. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index daab389419..3bc3ec584c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -27,25 +27,25 @@ Describes the best practices, location, values, policy management, and security ## Reference -This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. +This security setting determines whether to disconnect users who are connected to the local device outside their user account's valid sign-in hours. This setting affects the Server Message Block (SMB) component. -This policy setting does not apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there is a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings are not applied to member devices. +This policy setting doesn't apply to administrator accounts, but it behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it's enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy Object (GPO), even if there's a different account policy that is applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member devices) also receive the same account policy for their local accounts. However, local account policies for member devices can be different from the domain account policy by defining an account policy for the organizational unit that contains the member devices. Kerberos settings aren't applied to member devices. ### Possible values - Enabled - When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. + When enabled, this policy causes client sessions with the SMB server to be forcibly disconnected when the client's sign-in hours expire. - Disabled - When disabled, this policy allows for the continuation of an established client session after the client's logon hours have expired. + When disabled, this policy allows for the continuation of an established client session after the client's sign-in hours have expired. - Not defined ### Best practices -- Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's logon time expires, and the user will be unable to log on to the system until their next scheduled access time begins. +- Set **Network security: Force logoff when logon hours expire** to Enabled. SMB sessions will be terminated on member servers when a user's sign-in time expires, and the user will be unable to sign in to the system until their next scheduled access time begins. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,15 +78,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you disable this policy setting, users can remain connected to the computer outside of their allotted logon hours. +If you disable this policy setting, users can remain connected to the computer outside of their allotted sign-in hours. ### Countermeasure -Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting does not apply to administrator accounts. +Enable the **Network security: Force logoff when logon hours expire** setting. This policy setting doesn't apply to administrator accounts. ### Potential impact -When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. +When a user's sign-in time expires, SMB sessions terminate. The user can't sign in to the device until the next scheduled access time commences. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index fcd510671f..1841669403 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -27,15 +27,15 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). +This policy setting determines which challenge or response authentication protocol is used for network logons. LAN Manager (LM) includes client computer and server software from Microsoft that allows users to link personal devices together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol isn't negotiated for some reason, Active Directory uses LM, NTLM, or NTLM version 2 (NTLMv2). -LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it is the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: +LAN Manager authentication includes the LM, NTLM, and NTLMv2 variants, and it's the protocol that is used to authenticate all client devices running the Windows operating system when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to domains based on earlier versions of the Windows operating system -- Authenticate to computers that do not run Windows operating systems, beginning with Windows 2000 -- Authenticate to computers that are not in the domain +- Authenticate to computers that don't run Windows operating systems, beginning with Windows 2000 +- Authenticate to computers that aren't in the domain ### Possible values @@ -56,8 +56,8 @@ authentication level that servers accept. The following table identifies the pol | Send LM & NTLM – use NTLMv2 session security if negotiated | Client devices use LM and NTLM authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 1| | Send NTLM response only| Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 2| | Send NTLMv2 response only | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.| 3| -| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they will accept only NTLM and NTLMv2 authentication.| 4| -| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they will accept only NTLMv2 authentication.| 5| +| Send NTLMv2 response only. Refuse LM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM authentication, and they'll accept only NTLM and NTLMv2 authentication.| 4| +| Send NTLMv2 response only. Refuse LM & NTLM | Client devices use NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers refuse to accept LM and NTLM authentication, and they'll accept only NTLMv2 authentication.| 5| ### Best practices @@ -90,7 +90,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -106,11 +106,11 @@ In Windows 7 and Windows Vista, this setting is undefined. In Windows Server ### Countermeasure -Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and a number of independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. +Configure the **Network security: LAN Manager Authentication Level** setting to **Send NTLMv2 responses only**. Microsoft and many independent organizations strongly recommend this level of authentication when all client computers support NTLMv2. ### Potential impact -Client devices that do not support NTLMv2 authentication cannot authenticate in the domain and access domain resources by using LM and NTLM. +Client devices that don't support NTLMv2 authentication can't authenticate in the domain and access domain resources by using LM and NTLM. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 006e925460..1f59bd9111 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -30,8 +30,8 @@ This security policy reference topic for the IT professional describes the best This policy setting determines the level of data signing that is requested on behalf of client devices that issue LDAP BIND requests. The levels of data signing are described in the following list: - **None**. The LDAP BIND request is issued with the caller-specified options. -- **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. -- **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. +- **Negotiate signing**. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) hasn't been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options. +- **Require signing**. This level is the same as **Negotiate signing**. However, if the LDAP server's intermediate saslBindInProgress response doesn't indicate that LDAP traffic signing is required, the caller is returned a message that the LDAP BIND command request failed. Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. @@ -44,7 +44,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob ### Best practices -- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This can cause many features to fail, including user authentication, Group Policy, and logon scripts. +- Set both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings to **Require signing**. To avoid usage of unsigned traffic, set both client and server sides to require signing. Not setting one of the sides will prevent client computers from communicating with the server. This prevention can cause many features to fail, including user authentication, Group Policy, and logon scripts. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -81,7 +81,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers. +Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client computer and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks difficult if you require digital signatures on all network packets throughs IPsec authentication headers. ### Countermeasure @@ -89,7 +89,7 @@ Configure the **Network security: LDAP client signing requirements** setting to ### Potential impact -If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that do not require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**. +If you configure the client to require LDAP signatures, it may fail to communicate with the LDAP servers that don't require requests to be signed. To avoid this issue, make sure that both the **Network security: LDAP client signing requirements** and **Domain controller: LDAP server signing requirements** settings are set to **Require signing**. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index d606dc935b..026f314358 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -33,13 +33,13 @@ Setting all of these values for this policy setting will help protect network tr ### Possible values -- Require 128-bit encryption. The connection fails if strong encryption (128-bit) is not negotiated. -- Require NTLMv2 session security. The connection fails if the NTLMv2 protocol is not negotiated. +- Require 128-bit encryption. The connection fails if strong encryption (128-bit) isn't negotiated. +- Require NTLMv2 session security. The connection fails if the NTLMv2 protocol isn't negotiated. - Not Defined. ### Best practices -- Enable all values that are available for this security policy. Legacy client devices that do not support these policy settings will be unable to communicate with the server. +- Enable all values that are available for this security policy. Legacy client devices that don't support these policy settings will be unable to communicate with the server. ### Location @@ -64,7 +64,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy dependencies @@ -84,7 +84,7 @@ Enable all options that are available for the **Network security: Minimum sessio ### Potential impact -Older client devices that do not support these security settings cannot communicate with the computer on which this policy is set. +Older client devices that don't support these security settings can't communicate with the computer on which this policy is set. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index bf5804a540..828f91f36b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -31,7 +31,7 @@ The **Network security: Restrict NTLM: Add remote server exceptions for NTLM aut If you configure this policy setting, you can define a list of remote servers to which client devices are allowed to use NTLM authentication. -If you do not configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. +If you don't configure this policy setting, no exceptions will be applied, and if [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, NTLM authentication attempts from the client devices will fail. List the NetBIOS server names that are used by the applications as the naming format, one per line. To ensure exceptions, the names that are used by all applications need to be in the list. A single asterisk (\*) can be used anywhere in the string as a wildcard character. @@ -43,7 +43,7 @@ List the NetBIOS server names that are used by the applications as the naming fo - Not defined - If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + If you don't configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. ### Best practices @@ -72,7 +72,7 @@ This section describes the features and tools that are available to help you man ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -90,7 +90,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used from a client device to any remote servers because you are required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: +When it has been determined that the NTLM authentication protocol shouldn't be used from a client device to any remote servers because you're required to use a more secure protocol such as Kerberos, there might be some client applications that still use NTLM. If so, and you set [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) to any of the deny options, those applications will fail because the outbound NTLM authentication traffic from the client computer will be blocked. If you define an exception list of servers to which client devices are allowed to use NTLM authentication, then NTLM authentication traffic will continue to flow between those client applications and servers. The servers then are vulnerable to any malicious attack that takes advantage of security weaknesses in NTLM. @@ -98,13 +98,13 @@ If you define an exception list of servers to which client devices are allowed t ### Countermeasure When you use [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the remote -servers in your environment. When assessed, you will have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. +servers in your environment. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. If not, the client application has to be upgraded to use something other than NTLM authentication. ### Potential impact -Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this might result in a security vulnerability. +Defining a list of servers for this policy setting will enable NTLM authentication traffic from the client application that uses those servers, and this traffic might result in a security vulnerability. -If this list is not defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they have previously used. +If this list isn't defined and [Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md) is enabled, then client applications that use NTLM will fail to authenticate to those servers that they've previously used. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 5fb535995e..41ca2e0bee 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -27,11 +27,11 @@ Describes the best practices, location, values, management aspects, and security ## Reference -The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client device are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. +The **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting allows you to create an exception list of servers in this domain to which client devices are allowed to use NTLM pass-through authentication if any of the deny options are set in the [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) policy setting. If you configure this policy setting, you can define a list of servers in this domain to which client devices are allowed to use NTLM authentication. -If you do not configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. +If you don't configure this policy setting, no exceptions will be applied, and if **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, all NTLM authentication attempts in the domain will fail. List the NetBIOS server names as the naming format, one per line. A single asterisk (\*) can be used anywhere in the string as a wildcard character. @@ -43,7 +43,7 @@ List the NetBIOS server names as the naming format, one per line. A single aster - Not defined - If you do not configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. + If you don't configure this policy setting by defining a list of servers, the policy is undefined and no exceptions will be applied. ### Best practices @@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When it has been determined that the NTLM authentication protocol should not be used within a domain because you are required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: +When it has been determined that the NTLM authentication protocol shouldn't be used within a domain because you're required to use a more secure protocol such as Kerberos, there might be some NTLM authentication traffic that is still present in the domain. If so, and you set Network Security: [Network Security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md) to any of the deny options, any NTLM authentication request will fail because the pass-through member server will block the NTLM request. If you define an exception list of servers in this domain to which client computers are allowed to use NTLM pass-through authentication, then NTLM authentication traffic will continue to flow between those servers, which make them vulnerable to any malicious attack that takes advantage of security @@ -97,14 +97,13 @@ weaknesses in NTLM. ### Countermeasure -When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you will have to determine on a -case-by-case basis if NTLM authentication still minimally meets your security requirements. +When you use **Network Security: Restrict NTLM: NTLM authentication in this domain** in audit-only mode, you can determine by reviewing which client applications are making NTLM authentication requests to the pass-through authentication servers. When assessed, you'll have to determine on a case-by-case basis if NTLM authentication still minimally meets your security requirements. ### Potential impact Defining a list of servers for this policy setting will enable NTLM authentication traffic between those servers might result in a security vulnerability. -If this list is not defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they have previously used +If this list isn't defined and **Network Security: Restrict NTLM: NTLM authentication in this domain** is enabled, then NTLM authentication will fail on those pass-through servers in the domain that they've previously used ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 47b963ab2a..d1310a007d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -29,18 +29,18 @@ Describes the best practices, location, values, management aspects, and security The **Network Security: Restrict NTLM: Audit incoming NTLM traffic** policy setting allows you to audit incoming NTLM traffic. -When this audit policy is enabled within Group Policy, it is enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. +When this audit policy is enabled within Group Policy, it's enforced on any server where that Group Policy is distributed. The events will be recorded in the operational event log located in **Applications and Services Log\\Microsoft\\Windows\\NTLM**. Using an audit event collection system can help you collect the events for analysis more efficiently. When you enable this policy on a server, only authentication traffic to that server will be logged. -When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it does not actually block any traffic. Therefore, you can use it effectively to understand the -authentication traffic in your environment, and when you are ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. +When you enable this audit policy, it functions in the same way as the [Network Security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md) policy, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the +authentication traffic in your environment, and when you're ready to block that traffic, you can enable the Network Security: Restrict NTLM: Incoming NTLM traffic policy setting and select **Deny all accounts** or **Deny all domain accounts**. ### Possible values - Disable - The server on which this policy is set will not log events for incoming NTLM traffic. + The server on which this policy is set won't log events for incoming NTLM traffic. - Enable auditing for domain accounts @@ -52,7 +52,7 @@ authentication traffic in your environment, and when you are ready to block that - Not defined - This is the same as **Disable**, and it results in no auditing of NTLM traffic. + This state of not being defined is the same as **Disable**, and it results in no auditing of NTLM traffic. ### Best practices @@ -95,11 +95,11 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability -Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. +Enabling this policy setting will reveal through logging which servers and client computers within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting doesn't prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure @@ -107,7 +107,7 @@ Restrict access to the log files when this policy setting is enabled in your pro ### Potential impact -If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. +If you don't enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 0e0c392215..9132d60c97 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -31,21 +31,21 @@ The **Network Security: Restrict NTLM: Audit NTLM authentication in this domain* When you enable this policy setting on the domain controller, only authentication traffic to that domain controller will be logged. -When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it does not actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you are ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. +When you enable this audit policy, it functions in the same way as the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting, but it doesn't actually block any traffic. Therefore, you can use it effectively to understand the authentication traffic to your domain controllers and when you're ready to block that traffic, you can enable the **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting and select **Deny for domain accounts to domain servers**, **Deny for domain servers**, or **Deny for domain accounts**. ### Possible values - **Disable** - The domain controller on which this policy is set will not log events for incoming NTLM traffic. + The domain controller on which this policy is set won't log events for incoming NTLM traffic. - **Enable for domain accounts to domain servers** - The domain controller on which this policy is set will log events for NTLM authentication logon attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. + The domain controller on which this policy is set will log events for NTLM authentication sign-in attempts for accounts in the domain to domain servers when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts to domain servers**. - **Enable for domain accounts** - The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. + The domain controller will log events for NTLM authentication sign-in attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**. - **Enable for domain servers** @@ -96,19 +96,19 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability -Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting does not prevent or mitigate any vulnerability because it is for audit purposes only. +Enabling this policy setting will reveal through logging which devices within your network or domain handle NTLM traffic. The identity of these devices can be used in malicious ways if NTLM authentication traffic is compromised. The policy setting doesn't prevent or mitigate any vulnerability because it is for audit purposes only. ### Countermeasure Restrict access to the log files when this policy setting is enabled in your production environment. ### Potential impact -If you do not enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. +If you don't enable or configure this policy setting, no NTLM authentication traffic information will be logged. If you do enable this policy setting, only auditing functions will occur; no security enhancements will be implemented. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index cbcc2e7d66..2bb128f669 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -37,20 +37,20 @@ The **Network Security: Restrict NTLM: Incoming NTLM traffic** policy setting al - **Deny all domain accounts** - The server will deny NTLM authentication requests for domain logon, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account logon. + The server will deny NTLM authentication requests for domain sign in, return an NTLM blocked error message to the client device, and log the error, but the server will allow local account sign in. - **Deny all accounts** - The server will deny NTLM authentication requests from all incoming traffic (whether domain account logon or local account logon), return an NTLM blocked error message to the client device, and log the error. + The server will deny NTLM authentication requests from all incoming traffic (whether domain account sign in or local account sign in), return an NTLM blocked error message to the client device, and log the error. - Not defined - This is the same as **Allow all**, and the server will allow all NTLM authentication requests. + This state of not being defined is the same as **Allow all**, and the server will allow all NTLM authentication requests. ### Best practices -If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. It is better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. +If you select **Deny all domain accounts** or **Deny all accounts**, incoming NTLM traffic to the member server will be restricted. It's better to set the **Network Security: Restrict NTLM: Audit Incoming NTLM traffic** policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and then what client applications are using NTLM. ### Location @@ -89,7 +89,7 @@ There are no Security Audit Event policies that can be configured to view event This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability @@ -97,7 +97,7 @@ Malicious attacks on NTLM authentication traffic that result in a compromised se ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as Kerberos, you can select one of several options that this security policy setting offers to restrict NTLM usage. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index 0c1396e74f..2589d1f95d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, management aspects, and security ## Reference -The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller. +The **Network Security: Restrict NTLM: NTLM authentication in this domain** policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting doesn't affect interactive logon to this domain controller. ### Possible values @@ -36,17 +36,17 @@ The **Network Security: Restrict NTLM: NTLM authentication in this domain** poli - **Deny for domain accounts to domain servers** - The domain controller will deny all NTLM authentication logon attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + The domain controller will deny all NTLM authentication sign-in attempts using accounts from this domain to all servers in the domain. The NTLM authentication attempts will be blocked and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. - NTLM can be used if the users are connecting to other domains. This depends on if any Restrict NTLM policies have been set on those domains. + NTLM can be used if the users are connecting to other domains, depending on whether any Restrict NTLM policies have been set on those domains. - **Deny for domain accounts** - Only the domain controller will deny all NTLM authentication logon attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. + Only the domain controller will deny all NTLM authentication sign-in attempts from domain accounts and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. - **Deny for domain servers** - The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that are not joined to the domain will not be affected if this policy setting is configured. + The domain controller will deny NTLM authentication requests to all servers in the domain and will return an NTLM blocked error unless the server name is on the exception list in the **Network security: Restrict NTLM: Add server exceptions in this domain** policy setting. Servers that aren't joined to the domain won't be affected if this policy setting is configured. - **Deny all** @@ -97,7 +97,7 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability @@ -105,7 +105,7 @@ Malicious attacks on NTLM authentication traffic resulting in a compromised serv ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 4c05d8bea2..57d8b13de1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -43,19 +43,19 @@ The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** - **Audit all** - The device that sends the NTLM authentication request to a remote server logs an event for each request. This allows you to identify those servers that receive NTLM authentication requests from the client device + The device that sends the NTLM authentication request to a remote server logs an event for each request. This event allows you to identify those servers that receive NTLM authentication requests from the client device. - **Deny all** - The device cannot authenticate any identities to a remote server by using NTLM authentication. You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. + The device can't authenticate any identities to a remote server by using NTLM authentication. You can use the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting to define a list of remote servers to which client devices are allowed to use NTLM authentication while denying others. This setting will also log an event on the device that is making the authentication request. - Not defined - This is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. + This state of being not defined is the same as **Allow all**, and the device will allow all NTLM authentication requests when the policy is deployed. ### Best practices -If you select **Deny all**, the client device cannot authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. +If you select **Deny all**, the client device can't authenticate identities to a remote server by using NTLM authentication. First, select **Audit all** and then review the operational event log to understand which servers are involved in these authentication attempts. You can then add those server names to a server exception list by using the [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md) policy setting. ### Location @@ -94,7 +94,7 @@ There are no security audit event policies that can be configured to view event This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability @@ -102,7 +102,7 @@ Malicious attacks on NTLM authentication traffic that result in a compromised se ### Countermeasure -When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. +When it has been determined that the NTLM authentication protocol shouldn't be used within a network because you're required to use a more secure protocol such as Kerberos, then you can select from several options to restrict NTLM usage to servers. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index 74efe115ae..5bcf16ede3 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -31,7 +31,7 @@ The **Passwords must meet complexity requirements** policy setting determines wh 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks aren't case-sensitive. The samAccountName is checked in its entirety only to determine whether it's part of the password. If the samAccountName is fewer than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens aren't checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it's ignored. So, this user couldn't have a password that included either "erin" or "hagens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: @@ -45,11 +45,11 @@ The **Passwords must meet complexity requirements** policy setting determines wh Complexity requirements are enforced when passwords are changed or created. -The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. +The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they can't be directly modified. When enabled, the default Passfilt.dll may cause some more Help Desk calls for locked-out accounts, because users are used to passwords that contain only characters that are in the alphabet. But this policy setting is liberal enough that all users should get used to it. -Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). +Other settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). ### Possible values @@ -64,9 +64,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 159,238,157,238,528 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. -The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add more complexity to the password.) +The use of ALT key character combinations may greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements might result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that don't add more complexity to the password.) -Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and/or meet complexity requirements. +Short passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this vulnerability, passwords should contain other characters and/or meet complexity requirements. ### Location @@ -95,7 +95,7 @@ Passwords that contain only alphanumeric characters are easy to discover with se ### Countermeasure -Configure the **Passwords must meet complexity requirements** policy setting to _Enabled_ and advise users to use a variety of characters in their passwords. +Configure the **Passwords must meet complexity requirements** policy setting to _Enabled_ and advise users to use various characters in their passwords. When combined with a [Minimum password length](minimum-password-length.md) of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it's difficult (but possible) for a brute force attack to succeed. (If the Minimum password length policy setting is increased, the average amount of time necessary for a successful attack also increases.) diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 514e1a9ea7..fb0e337c6b 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -65,7 +65,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 599cb50810..c0fb47def4 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. +The **Profile single process** user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as anti-virus software or an intrusion-detection system. They could also identify other users who are signed in to a computer. ### Countermeasure @@ -93,7 +93,7 @@ Ensure that only the local Administrators group is assigned the **Profile single ### Potential impact -If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. +If you remove the **Profile single process** user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index 47f372d723..8eeabdcf30 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index c188b74c08..ce9ada3153 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. -The Recovery Console can be useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. +The Recovery Console can be useful when troubleshooting and repairing systems that can't be restarted. However, enabling this policy setting so a user can automatically sign in to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. ### Possible values @@ -39,15 +39,15 @@ The Recovery Console can be useful when troubleshooting and repairing systems th - Disabled - Automatic administrative logon is not allowed. + Automatic administrative logon isn't allowed. - Not defined - Automatic administrative logon is not allowed. + Automatic administrative logon isn't allowed. ### Best practices -- Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This requires a user to enter a user name and password to access the Recovery Console account. +- Set **Recovery Console: Allow automatic administrative logon** to **Disabled**. This setting requires a user to enter a user name and password to access the Recovery Console account. ### Location @@ -72,7 +72,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -88,7 +88,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The Recovery Console can be very useful when you must troubleshoot and repair device that do not start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. +The Recovery Console can be useful when you must troubleshoot and repair devices that don't start. However, allowing automatic logon to the Recovery Console can make it possible for someone to assume full control of the server. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index c06d6f180c..9c9c56c5db 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -34,7 +34,7 @@ This policy setting enables or disables the Recovery Console SET command, which - **AllowRemovableMedia**. Allows files to be copied to removable media, such as a floppy disk. - **NoCopyPrompt**. Suppresses the prompt that typically displays before an existing file is overwritten. -You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This causes the server's network services to be unavailable. +You might forget to remove removable media, such as CD or floppy disk, with sensitive data or applications that a malicious user could then steal. Or you could accidentally leave a startup disk in the computer after using the Recovery Console. If the device is restarted for any reason and the BIOS has been configured to boot from the removable media before the hard disk drive, the server will start from the removable disk. This boot causes the server's network services to be unavailable. ### Possible values @@ -44,7 +44,7 @@ You might forget to remove removable media, such as CD or floppy disk, with sens ### Best practices -- Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account will not be able to copy files and folders to a floppy disk. +- Set **Recovery Console: Allow floppy copy and access to drives and folders** to **Disabled**. Users who have started a server by using the Recovery Console and logged in with the built-in Administrator account won't be able to copy files and folders to a floppy disk. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -86,7 +86,7 @@ Enabling this security option makes the Recovery Console SET command available, - AllowWildCards: Enable wildcard support for some commands (such as the DEL command). - AllowAllPaths: Allow access to all files and folders on the device. - AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. -- NoCopyPrompt: Do not prompt when overwriting an existing file. +- NoCopyPrompt: Don't prompt when overwriting an existing file. ## Security considerations @@ -102,7 +102,7 @@ Disable the **Recovery console: Allow floppy copy and access to drives and folde ### Potential impact -Users who have started a server through the Recovery Console and logged in with the built-in Administrator account cannot copy files and folders to a floppy disk. +Users who have started a server through the Recovery Console and logged in with the built-in Administrator account can't copy files and folders to a floppy disk. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index 4508560bdc..b42bad16dd 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines whether a user can undock a portable device from its docking station without logging on. This policy setting only affects scenarios that involve a portable computer and its docking station. -If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must log on before removing the portable device from its docking station. Otherwise, as a security measure, the user will not be able to log on after the device is removed from the docking station. If this policy is not assigned, the user may remove the portable device from its docking station without logging on, and then have the ability to start and log on to the device afterwards in its undocked state. +If this user right is assigned to the user’s account (or if the user is a member of the assigned group), the user must sign in before removing the portable device from its docking station. Otherwise, as a security measure, the user won't be able to sign in after the device is removed from the docking station. If this policy isn't assigned, the user may remove the portable device from its docking station without signing in, and then have the ability to start and sign in to the device afterwards in its undocked state. Constant: SeUndockPrivilege @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -Although this portable device scenario does not normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. +Although this portable device scenario doesn't normally apply to servers, by default this setting is Administrators on domain controllers and on stand-alone servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. @@ -65,7 +65,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -86,10 +86,10 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Anyone who has the **Remove computer from docking station** user right can log on and then remove a portable device from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: +Anyone who has the **Remove computer from docking station** user right can sign in and then remove a portable device from its docking station. If this setting isn't defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors: - If attackers can restart the device, they could remove it from the docking station after the BIOS starts but before the operating system starts. -- This setting does not affect servers because they typically are not installed in docking stations. +- This setting doesn't affect servers because they typically aren't installed in docking stations. - An attacker could steal the device and the docking station together. - Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. @@ -99,7 +99,7 @@ Ensure that only the local Administrators group and the user account to which th ### Potential impact -By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users are not members of the local Administrators groups on their portable devices, they cannot remove their portable devices from their docking stations if they do not first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. +By default, only members of the local Administrators group are granted this right. Other user accounts must be explicitly granted this user right as necessary. If your organization's users aren't members of the local Administrators groups on their portable devices, they can't remove their portable devices from their docking stations if they don't first shut down the device. Therefore, you may want to assign the **Remove computer from docking station** privilege to the local Users group for portable devices. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 87951d31f4..51f96f1875 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). +The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to sign in before the failed sign-in attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). -The disadvantage of a high setting is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. +The disadvantage of a high setting is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through sign-in errors. Users may make excessive Help Desk calls. ### Possible values @@ -40,7 +40,7 @@ The disadvantage of a high setting is that users lock themselves out for an inco Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. -[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). +[Windows security baselines](../windows-security-baselines.md) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). ### Location @@ -73,7 +73,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the ### Potential impact -If you do not configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to log on to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to log on after a failed logon within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. +If you don't configure this policy setting or if the value is configured to an interval that is too long, an attacker could attempt to sign in to each user's account numerous times and lock out their accounts, a denial-of-service (DoS) attack might succeed, or administrators might have to manually unlock all locked-out accounts. If you configure this policy setting to a reasonable value, users can perform new attempts to sign in after a failed sign in within a reasonable time, without making brute force attacks feasible at high speeds. Be sure that you notify users of the values that are used for this policy setting so that they wait for the lockout timer to expire before they call the Help Desk. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index a1d965558b..012a47736e 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations. -This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you cannot configure are not described in this reference. +This reference focuses on those settings that are considered security settings. This reference examines only the settings and features in the Windows operating systems that can help organizations secure their enterprises against malicious software threats. Management features and those security features that you can't configure aren't described in this reference. Each policy setting described contains referential content such as a detailed explanation of the settings, best practices, default settings, differences between operating system versions, policy management considerations, and security considerations that include a discussion of vulnerability, countermeasures, and potential impact of those countermeasures. diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index 7cbaa1f1fc..b7c8b59b5f 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -27,7 +27,7 @@ ms.technology: windows-sec This reference topic describes the common scenarios, architecture, and processes for security settings. -Security policy settings are rules that administrators configure on a computer or multiple devices for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. +Security policy settings are rules that administrators configure on a computer or multiple devices for protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, or organizational units, and they enable you to manage security settings for multiple devices from any device joined to the domain. Security settings policies are used as part of your overall security implementation to help secure domain controllers, servers, clients, and other resources in your organization. Security settings can control: @@ -58,15 +58,15 @@ The Security Settings extension of the Local Group Policy Editor includes the fo > [!NOTE] > For devices running Windows 7 and later, we recommend to use the settings under Advanced Audit Policy Configuration rather than the Audit Policy settings under Local Policies. - - **User Rights Assignment.** Specify the users or groups that have logon rights or privileges on a device - - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; logon prompts; and so on. + - **User Rights Assignment.** Specify the users or groups that have sign-in rights or privileges on a device + - **Security Options.** Specify security settings for the computer, such as Administrator and Guest Account names; access to floppy disk drives and CD-ROM drives; installation of drivers; sign-in prompts; and so on. - **Windows Firewall with Advanced Security.** Specify settings to protect the device on your network by using a stateful firewall that allows you to determine which network traffic is permitted to pass between your device and the network. - **Network List Manager Policies.** Specify settings that you can use to configure different aspects of how networks are listed and displayed on one device or on many devices. - **Public Key Policies.** Specify settings to control Encrypting File System, Data Protection, and BitLocker Drive Encryption in addition to certain certificate paths and services settings. - **Software Restriction Policies.** Specify settings to identify software and to control its ability to run on your local device, organizational unit, domain, or site. - **Application Control Policies.** Specify settings to control which users or groups can run particular applications in your organization based on unique identities of files. -- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks through the use of cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. +- **IP Security Policies on Local Computer.** Specify settings to ensure private, secure communications over IP networks by using cryptographic security services. IPsec establishes trust and security from a source IP address to a destination IP address. - **Advanced Audit Policy Configuration.** Specify settings that control the logging of security events into the security log on the device. The settings under Advanced Audit Policy Configuration provide finer control over which activities to monitor as opposed to the Audit Policy settings under Local Policies. ## Policy-based security settings management @@ -88,7 +88,7 @@ Importing a security template to a GPO ensures that any accounts to which the GP > [!NOTE] > These refresh settings vary between versions of the operating system and can be configured. -By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update a number of servers with any additional changes required in the future. +By using Group Policy−based security configurations in conjunction with the delegation of administration, you can ensure that specific security settings, rights, and behavior are applied to all servers and computers within an OU. This approach makes it simple to update many servers with any other changes required in the future. ### Dependencies on other operating system technologies @@ -96,7 +96,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Active Directory Domain Services (AD DS)** - The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single logon. + The Windows-based directory service, AD DS, stores information about objects on a network and makes this information available to administrators and users. By using AD DS, you can view and manage network objects on the network from a single location, and users can access permitted network resources by using a single sign in. - **Group Policy** @@ -104,7 +104,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Domain Name System (DNS)** - A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. + A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and IP addresses to domain names. This service allows users, computers, and applications to query DNS to specify remote systems by fully qualified domain names rather than by IP addresses. - **Winlogon** @@ -116,11 +116,11 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Security Accounts Manager (SAM)** - A Windows service used during the logon process. SAM maintains user account information, including groups to which a user belongs. + A Windows service used during the sign-in process. SAM maintains user account information, including groups to which a user belongs. - **Local Security Authority (LSA)** - A protected subsystem that authenticates and logs on users to the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. + A protected subsystem that authenticates and signs in users to the local system. LSA also maintains information about all aspects of local security on a system, collectively known as the Local Security Policy of the system. - **Windows Management Instrumentation (WMI)** @@ -128,7 +128,7 @@ For devices that are members of a Windows Server 2008 or later domain, securit - **Resultant Set of Policy (RSoP)** - An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. This allows administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. + An enhanced Group Policy infrastructure that uses WMI in order to make it easier to plan and debug policy settings. RSoP provides public methods that expose what an extension to Group Policy would do in a what-if situation, and what the extension has done in an actual situation. These public methods allow administrators to easily determine the combination of policy settings that apply to, or will apply to, a user or device. - **Service Control Manager (SCM)** @@ -190,11 +190,11 @@ The following list describes these primary features of the security configuratio - **scesrv.dll** - This .dll is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. + This .dll file is hosted in services.exe and runs under local system context. scesrv.dll provides core Security Configuration Manager functionality, such as import, configure, analyze, and policy propagation. Scesrv.dll performs configuration and analysis of various security-related system parameters by calling corresponding system APIs, including LSA, SAM, and the registry. - Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it is not. + Scesrv.dll exposes APIs such as import, export, configure, and analyze. It checks that the request is made over LRPC (Windows XP) and fails the call if it isn't. Communication between parts of the Security Settings extension occurs by using the following methods: @@ -211,7 +211,7 @@ The following list describes these primary features of the security configuratio - **Scecli.dll** - This is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It is used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. + This Scecli.dll is the client-side interface or wrapper to scesrv.dll. scecli.dll is loaded into Wsecedit.dll to support MMC snap-ins. It's used by Setup to configure default system security and security of files, registry keys, and services installed by the Setup API .inf files. The command-line version of the security configuration and analysis user interfaces, secedit.exe, uses scecli.dll. @@ -229,7 +229,7 @@ The following list describes these primary features of the security configuratio - **Secedit.sdb** - This is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. + This Secedit.sdb is a permanent system database used for policy propagation including a table of persistent settings for rollback purposes. - **User databases** @@ -237,7 +237,7 @@ The following list describes these primary features of the security configuratio - **.Inf Templates** - These are text files that contain declarative security settings. They are loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they are downloaded (by using file copy) and merged into the system database during policy propagation. + These templates are text files that contain declarative security settings. They're loaded into a database before configuration or analysis. Group Policy security policies are stored in .inf files on the SYSVOL folder of domain controllers, where they're downloaded (by using file copy) and merged into the system database during policy propagation. ## Security settings policy processes and interactions @@ -245,27 +245,27 @@ For a domain-joined device, where Group Policy is administered, security setting ### Group Policy processing -When a computer starts and a user logs on, computer policy and user policy are applied according to the following sequence: +When a computer starts and a user signs in, computer policy and user policy are applied according to the following sequence: 1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start. 1. An ordered list of Group Policy Objects is obtained for the device. The list might depend on these factors: - Whether the device is part of a domain and, therefore, subject to Group Policy through Active Directory. - The location of the device in Active Directory. - - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects hasn't changed, no processing is done. -1. Computer policy is applied. These are the settings under Computer Configuration from the gathered list. This is a synchronous process by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. -1. Startup scripts run. This is hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. -1. The user presses CTRL+ALT+DEL to log on. -1. After the user is validated, the user profile loads; it is governed by the policy settings that are in effect. +1. Computer policy is applied. These settings are the ones under Computer Configuration from the gathered list. This process is a synchronous one by default and occurs in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while computer policies are processed. +1. Startup scripts run. These scripts are hidden and synchronous by default; each script must complete or time out before the next one starts. The default time-out is 600 seconds. You can use several policy settings to modify this behavior. +1. The user presses CTRL+ALT+DEL to sign in. +1. After the user is validated, the user profile loads; it's governed by the policy settings that are in effect. 1. An ordered list of Group Policy Objects is obtained for the user. The list might depend on these factors: - Whether the user is part of a domain and, therefore, subject to Group Policy through Active Directory. - Whether loopback policy processing is enabled, and if so, the state (Merge or Replace) of the loopback policy setting. - The location of the user in Active Directory. - - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects has not changed, no processing is done. + - Whether the list of Group Policy Objects has changed. If the list of Group Policy Objects hasn't changed, no processing is done. -1. User policy is applied. These are the settings under User Configuration from the gathered list. This is synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. +1. User policy is applied. These settings are the ones under User Configuration from the gathered list. These settings are synchronous by default and in the following order: local, site, domain, organizational unit, child organizational unit, and so on. No user interface appears while user policies are processed. 1. Logon scripts run. Group Policy−based logon scripts are hidden and asynchronous by default. The user object script runs last. 1. The operating system user interface that is prescribed by Group Policy appears. @@ -307,7 +307,7 @@ At the level of each organizational unit in the Active Directory hierarchy, one, This order means that the local Group Policy Object is processed first, and Group Policy Objects that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites the earlier Group Policy Objects. -This is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they cannot be blocked. For more information see [Group Policy Basics – Part 2: Understanding Which GPOs to Apply](/archive/blogs/musings_of_a_technical_tam/group-policy-basics-part-2-understanding-which-gpos-to-apply). +This order is the default processing order and administrators can specify exceptions to this order. A Group Policy Object that is linked to a site, domain, or organizational unit (not a local Group Policy Object) can be set to **Enforced** with respect to that site, domain, or organizational unit, so that none of its policy settings can be overridden. At any site, domain, or organizational unit, you can mark Group Policy inheritance selectively as **Block Inheritance**. Group Policy Object links that are set to **Enforced** are always applied, however, and they can't be blocked. For more information, see [Group Policy Basics – Part 2: Understanding Which GPOs to Apply](/archive/blogs/musings_of_a_technical_tam/group-policy-basics-part-2-understanding-which-gpos-to-apply). ### Security settings policy processing @@ -334,9 +334,9 @@ The following figure illustrates the security settings policy processing. ### Merging of security policies on domain controllers -Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: +Password policies, Kerberos, and some security options are only merged from GPOs that are linked at the root level on the domain. This merging is done to keep those settings synchronized across all domain controllers in the domain. The following security options are merged: -- Network Security: Force logoff when logon hours expire +- Network Security: Force sign out when sign-in hours expire - Accounts: Administrator account status - Accounts: Guest account status - Accounts: Rename administrator account @@ -350,11 +350,11 @@ If an application is installed on a primary domain controller (PDC) with operati ### When security settings are applied -After you have edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: +After you've edited the security settings policies, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object in the following instances: - When a device is restarted. - Every 90 minutes on a workstation or server and every 5 minutes on a domain controller. This refresh interval is configurable. -- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO has not changed. +- By default, Security policy settings delivered by Group Policy are also applied every 16 hours (960 minutes) even if a GPO hasn't changed. ### Persistence of security settings policy @@ -362,11 +362,11 @@ Security settings can persist even if a setting is no longer defined in the poli Security settings might persist in the following cases: -- The setting has not been previously defined for the device. +- The setting hasn't been previously defined for the device. - The setting is for a registry security object. - The settings are for a file system security object. -All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database then the setting does not revert to anything and remains defined as is. +All settings applied through local policy or through a Group Policy Object are stored in a local database on your computer. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the computer. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value doesn't exist in the database, then the setting doesn't revert to anything and remains defined as is. This behavior is sometimes referred to as "tattooing". Registry and file security settings will maintain the values applied through Group Policy until that setting is set to other values. @@ -377,7 +377,7 @@ Both Apply Group Policy and Read permissions are required to have the settings f ### Filtering security policy -By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or will not have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. +By default, all GPOs have Read and Apply Group Policy both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. Security settings policies are computer-based. To specify which client computers will or won't have a Group Policy Object applied to them, you can deny them either the Apply Group Policy or Read permission on that Group Policy Object. Changing these permissions allows you to limit the scope of the GPO to a specific set of computers within a site, domain, or OU. > [!NOTE] > Do not use security policy filtering on a domain controller as this would prevent security policy from applying to it. @@ -386,9 +386,9 @@ By default, all GPOs have Read and Apply Group Policy both Allowed for the Authe In some situations, you might want to migrate GPOs from one domain environment to another environment. The two most common scenarios are test-to-production migration, and production-to-production migration. The GPO copying process has implications for some types of security settings. -Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs is not as simple as taking a folder and copying it from one device to another. +Data for a single GPO is stored in multiple locations and in various formats; some data is contained in Active Directory and other data is stored on the SYSVOL share on the domain controllers. Certain policy data might be valid in one domain but might be invalid in the domain to which the GPO is being copied. For example, Security Identifiers (SIDs) stored in security policy settings are often domain-specific. So copying GPOs isn't as simple as taking a folder and copying it from one device to another. -The following security policies can contain security principals and might require some additional work to successfully move them from one domain to another. +The following security policies can contain security principals and might require some more work to successfully move them from one domain to another. - User rights assignment - Restricted groups @@ -397,7 +397,7 @@ The following security policies can contain security principals and might requir - Registry - The GPO DACL, if you choose to preserve it during a copy operation -To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When migrating a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. +To ensure that data is copied correctly, you can use Group Policy Management Console (GPMC). When there's a migration of a GPO from one domain to another, GPMC ensures that all relevant data is properly copied. GPMC also offers migration tables, which can be used to update domain-specific data to new values as part of the migration process. GPMC hides much of the complexity involved in the migrating GPO operations, and it provides simple and reliable mechanisms for performing operations such as copy and backup of GPOs. ## In this section diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index 57374f2aa8..597fe3f069 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines if a user who is logged on locally to a device can shut down Windows. -Shutting down domain controllers makes them unable to do things like process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing logon requests for new passwords, which are done by the primary domain controller (PDC) emulator master. +Shutting down domain controllers makes them unable to do things like process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing sign-in requests for new passwords, which are done by the primary domain controller (PDC) emulator master. The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown. @@ -44,7 +44,7 @@ Constant: SeShutdownPrivilege ### Best practices 1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers. And that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected. -2. The ability to shut down domain controllers should be limited to a small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller. +2. The ability to shut down domain controllers should be limited to a few trusted administrators. Even though a system shutdown requires the ability to sign in to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller. ### Location @@ -69,13 +69,13 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ### Group Policy -This user right does not have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). +This user right doesn't have the same effect as **Force shutdown from a remote system**. For more information, see [Force shutdown from a remote system](force-shutdown-from-a-remote-system.md). Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: @@ -92,11 +92,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be careful about which accounts and groups you allow to shut down a domain controller. +The ability to shut down domain controllers should be limited to a few trusted administrators. Although the **Shut down the system** user right requires the ability to sign in to the server, you should be careful about which accounts and groups you allow to shut down a domain controller. -When a domain controller is shut down, it can't process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which are performed by the PDC master. +When a domain controller is shut down, it can't process sign-in requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing sign-in requests for new passwords, which are performed by the PDC master. -For other server roles, especially roles where non-administrators have rights to log on to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers. +For other server roles, especially roles where non-administrators have rights to sign in to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index 4cada523db..185bbf975e 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they are not used. On a running device, this paging file is opened exclusively by the operating system, and it is well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file is not available to an unauthorized user who manages to directly access the paging file after shutdown. +This policy setting determines whether the virtual memory paging file is cleared when the device is shut down. Virtual memory support uses a system paging file to swap pages of memory to disk when they aren't used. On a running device, this paging file is opened exclusively by the operating system, and it's well protected. However, devices that are configured to allow other operating systems to start should verify that the system paging file is cleared as the device shuts down. This confirmation ensures that sensitive information from process memory that might be placed in the paging file isn't available to an unauthorized user who manages to directly access the paging file after shutdown. -Important information that is kept in real memory might be written periodically to the paging file. This helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This is a time-consuming process, but it can expose data that is cached from RAM to the paging file. A malicious user who has physical access to the server can bypass this countermeasure by simply unplugging the server from its power source. +Important information that is kept in real memory might be written periodically to the paging file. This periodical write-operation helps devices handle multitasking functions. A malicious user who has physical access to a server that has been shut down can view the contents of the paging file. The attacker can move the system volume into a different computer and then analyze the contents of the paging file. This process is a time-consuming one, but it can expose data that is cached from RAM to the paging file. A malicious user who has physical access to the server can bypass this countermeasure by unplugging the server from its power source. ### Possible values @@ -42,7 +42,7 @@ Important information that is kept in real memory might be written periodically ### Best practices -- Set this policy to **Enabled**. This causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. +- Set this policy to **Enabled**. This policy setting causes Windows to clear the paging file when the system is shut down. Depending on the size of the paging file, this process might take several minutes before the system completely shuts down. This delay in shutting down the server is especially noticeable on servers with large paging files. For a server with 2 gigabytes (GB) of RAM and a 2-GB paging file, this setting can add more than 30 minutes to the shutdown process. For some organizations, this downtime violates their internal service level agreements. Use caution when implementing this countermeasure in your environment. ### Location @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -85,7 +85,7 @@ Enable the **Shutdown: Clear virtual memory page file** setting. This configurat ### Potential impact -It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. +It takes longer to shut down and restart the device, especially on devices with large paging files. For a device with 2 gigabytes (GB) of RAM and a 2-GB paging file, this policy setting could increase the shutdown process by more than 30 minutes. For some organizations, this downtime violates their internal service level agreements. Therefore, use caution before you implement this countermeasure in your environment. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index d5ebfdefe1..b720770fd9 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -23,7 +23,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). @@ -34,7 +34,7 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. @@ -85,7 +85,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -95,7 +95,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication, and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -112,9 +112,9 @@ In highly secure environments, we recommend that you configure all of these sett ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index b1dc905ad5..b912861503 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -22,7 +22,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network client: Digitally sign communications (if server agrees)](microsoft-network-client-digitally-sign-communications-always.md). @@ -32,7 +32,7 @@ The Server Message Block (SMB) protocol provides the basis for Microsoft file an Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client computer will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client computer won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. @@ -84,7 +84,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -95,7 +95,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -106,16 +106,16 @@ Configure the settings as follows: - Enable **Microsoft network client: Digitally sign communications (if server agrees)**. - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. > [!NOTE] > An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure devices to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index e091179e64..49782f3f58 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -23,7 +23,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMB v1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. Fore more information, see [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md). @@ -34,9 +34,9 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set will not be able to communicate with devices that do not have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). +For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). Devices that have this policy set won't be able to communicate with devices that don't have server-side packet signing enabled. By default, server-side packet signing is enabled only on domain controllers. Server-side packet signing can be enabled on devices by setting [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. @@ -88,7 +88,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -98,7 +98,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -109,15 +109,15 @@ Configure the settings as follows: - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable [Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md). -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. ### Potential impact -Implementations of the SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +Implementations of the SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, devices are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 228cd2ec2b..75a325c3b4 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -23,7 +23,7 @@ ms.technology: windows-sec **Applies to** - Windows 10 -This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 is not secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 is not installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). +This topic is about the Server Message Block (SMB) v1 protocol. SMBv1 isn't secure and has been deprecated in Windows. Beginning with Windows 10 Fall Creators Update and Windows Server, version 1709, [SMBv1 isn't installed by default](/windows-server/storage/file-server/troubleshoot/smbv1-not-installed-by-default-in-windows). The rest of this topic describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting only for SMBv1. The same policy setting can be applied to computers that run SMBv2. For more information, see [Microsoft network server: Digitally sign communications (if client agrees)](microsoft-network-server-digitally-sign-communications-always.md). @@ -34,7 +34,7 @@ This policy setting determines whether SMB packet signing must be negotiated bef Implementation of digital signatures in high-security networks helps to prevent the impersonation of client computers and servers, which is known as "session hijacking." But misuse of these policy settings is a common error that can cause data loss or problems with data access or security. -If server-side SMB signing is required, a client device will not be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +If server-side SMB signing is required, a client device won't be able to establish a session with that server, unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers. Similarly, if client-side SMB signing is required, that client device won't be able to establish a session with servers that don't have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. @@ -87,7 +87,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -97,7 +97,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client computer after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of NetBIOS and many other protocols. SMB signatures authenticate users and the servers that host the data. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -108,15 +108,15 @@ Configure the settings as follows: - Enable [Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md). - Enable **Microsoft network server: Digitally sign communications (if client agrees)**. -In highly secure environments we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. +In highly secure environments, we recommend that you configure all of these settings to Enabled. However, that configuration may cause slower performance on client devices and prevent communications with earlier SMB applications and operating systems. >**Note:** An alternative countermeasure that could protect all network traffic is to implement digital signatures with IPsec. There are hardware-based accelerators for IPsec encryption and signing that could be used to minimize the performance impact on the servers' CPUs. No such accelerators are available for SMB signing. ### Potential impact -SMB file and print-sharing protocol support mutual authentication. This prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. +SMB file and print-sharing protocol support mutual authentication. This mutual authentication prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by the client and the server. -Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems cannot connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. +Implementation of SMB signing may negatively affect performance because each packet must be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server, performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems can't connect. However, if you completely disable all SMB signing, computers are vulnerable to session-hijacking attacks. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index ea2f55d403..316d4868dd 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then log on to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. +The **Store password using reversible encryption** policy setting provides support for applications that use protocols that require the user's password for authentication. Storing encrypted passwords in a way that is reversible means that the encrypted passwords can be decrypted. A knowledgeable attacker who is able to break this encryption can then sign in to network resources by using the compromised account. For this reason, never enable **Store password using reversible encryption** for all users in the domain unless application requirements outweigh the need to protect password information. If you use the Challenge Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Services (IAS), you must enable this policy setting. CHAP is an authentication protocol that is used by remote access and network connections. Digest Authentication in Internet Information Services (IIS) also requires that you enable this policy setting. @@ -39,7 +39,7 @@ Information Services (IIS) also requires that you enable this policy setting. ### Best practices -Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. +Set the value for **Store password using reversible encryption** to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to **Enabled**. This setting presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers. >**Note:** Do not enable this policy setting unless business requirements outweigh the need to protect password information. @@ -77,7 +77,7 @@ Disable the **Store password using reversible encryption** policy setting. ### Potential impact -If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. +If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This setting presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 88f07c4037..e6e95159e1 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -46,7 +46,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -By default this setting is not defined on domain controllers and on stand-alone servers. +By default this setting isn't defined on domain controllers and on stand-alone servers. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate additional attacks or expose sensitive data, such as direct telephone numbers or physical addresses. +The **Synchronize directory service data** user right affects domain controllers (only domain controllers should be able to synchronize directory service data). Domain controllers have this user right inherently because the synchronization process runs in the context of the **System** account on domain controllers. Attackers who have this user right can view all information that is stored within the directory. They could then use some of that information to facilitate more attacks or expose sensitive data, such as direct telephone numbers or physical addresses. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index d5dd1f683e..7e0e17cc6d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting determines whether users can use private keys, such as their Secure/Multipurpose Internet Mail Extensions (S/MIME) key, without a password. -Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally-stored user keys, even if the attacker takes control of the user's device and determines their logon password. +Configuring this policy setting so that users must provide a password every time they use a key (in addition to their domain password) makes it more difficult for a malicious user to access locally stored user keys, even if the attacker takes control of the user's device and determines their sign-in password. ### Possible values @@ -40,7 +40,7 @@ Configuring this policy setting so that users must provide a password every time ### Best practices -- Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they will be forced to enter the password for that certificate every time they send a signed email message. For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. +- Set this policy to **User must enter a password each time they use a key**. Users must enter their password every time they access a key that is stored on their computer. For example, if users use an S/MIME certificate to digitally sign their email, they'll be forced to enter the password for that certificate every time they send a signed email message. For some organizations, the overhead that is caused by using this value might be too high, but they should set the value at a minimum to **User is prompted when the key is first used**. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -77,11 +77,11 @@ If a user's account is compromised or the user's device is inadvertently left un ### Countermeasure -Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the logon password. +Configure the **System cryptography: Force strong key protection for user keys stored on the computer** setting to **User must enter a password each time they use a key** so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines the sign-in password. ### Potential impact -Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they are forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. At a minimum, this setting should be set to **User is prompted when the key is first used**. +Users must type their password every time they access a key that is stored on their device. For example, if users use an S/MIME certificate to digitally sign their email, they're forced to type the password for that certificate every time they send a signed email message. For some organizations, the overhead that is involved by using this configuration may be too high. At a minimum, this setting should be set to **User is prompted when the key is first used**. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index e98291ef6b..e38443c02b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -57,7 +57,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP ### Best practices -We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode. +We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it's operating in FIPS 140-2 approved mode. For a complete list of Microsoft-recommended configuration settings, see [Windows security baselines](../windows-security-baselines.md). For more information about Windows and FIPS 140-2, see [FIPS 140 Validation](../fips-140-validation.md). @@ -82,11 +82,11 @@ The following table lists the actual and effective default values for this polic When this setting is enabled, the Encrypting File System (EFS) service supports only the Triple DES encryption algorithm for encrypting file data. By default, the Windows Vista and the Windows Server 2003 implementation of EFS uses the Advanced Encryption Standard (AES) with a 256-bit key. The Windows XP implementation uses DESX. -When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to versions listed in the following: +When this setting is enabled, BitLocker generates recovery password or recovery keys applicable to the following versions: | Operating systems | Applicability | | - | - | -| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password cannot be used on other systems listed in this table.| +| Windows 10, Windows 8.1, and Windows Server 2012 R2| When created on these operating systems, the recovery password can't be used on other systems listed in this table.| | Windows Server 2012 and Windows 8 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| | Windows Server 2008 R2 and Windows 7 | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| | Windows Server 2008 and Windows Vista | When created on these operating systems, the recovery key can be used on other systems listed in this table as well.| @@ -97,7 +97,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -117,8 +117,8 @@ Enable the **System cryptography: Use FIPS compliant algorithms for encryption, ### Potential impact -Client devices that have this policy setting enabled cannot communicate by means of digitally encrypted or signed protocols with servers that do not support these algorithms. Network clients that do not support these algorithms cannot use servers that require them for network communications. For example, many Apache-based Web servers are not configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool -uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices are not configured to use the same encryption algorithms. +Client devices that have this policy setting enabled can't communicate through digitally encrypted or signed protocols with servers that don't support these algorithms. Network clients that don't support these algorithms can't use servers that require them for network communications. For example, many Apache-based Web servers aren't configured to support TLS. If you enable this setting, you must also configure Internet Explorer® to use TLS. This policy setting also affects the encryption level that is used for the Remote Desktop Protocol (RDP). The Remote Desktop Connection tool +uses the RDP protocol to communicate with servers that run Terminal Services and client computers that are configured for remote control; RDP connections fail if both devices aren't configured to use the same encryption algorithms. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 3a9ceb4840..9c7c2c4433 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is not case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting does not allow the Win32 subsystem to become case sensitive. +This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem isn't case sensitive; however, the kernel supports case sensitivity for other subsystems, such as Portable Operating System Interface for UNIX (POSIX). Enabling this policy setting enforces case insensitivity for all directory objects, symbolic links, and input/output (I/O) objects, including file objects. Disabling this policy setting doesn't allow the Win32 subsystem to become case sensitive. -Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting is not enforced, it is possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. +Because Windows is case insensitive but the POSIX subsystem will support case sensitivity, if this policy setting isn't enforced, it's possible for a user of that subsystem to create a file with the same name as another file but with a different mix of capital letters. That convention might confuse users when they try to access these files by using normal Win32 tools, because only one of the files will be available. ### Possible values @@ -39,13 +39,13 @@ Because Windows is case insensitive but the POSIX subsystem will support case se - Disabled - Will not allow the Win32 subsystem to become case sensitive. + Won't allow the Win32 subsystem to become case sensitive. - Not defined ### Best practices -- Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. +- Set this policy to **Enabled**. All subsystems will be forced to observe case insensitivity. However, this insensitivity might confuse users who are familiar with one of the UNIX-based operating systems and are used to a case sensitive operating system. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index abd9724c03..71e2fa8221 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -1,6 +1,6 @@ --- -title: System objects Strengthen default permissions of internal system objects (e.g., Symbolic Links) (Windows 10) -description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links). +title: System objects Strengthen default permissions of internal system objects (for example, Symbolic Links) (Windows 10) +description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (for example, Symbolic Links). ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: ms.author: dansimp @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. By using this list, processes can locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who are not administrators to read, but not to modify, shared objects that they did not create. +This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Windows maintains a global list of shared system resources such as MS-DOS device names, mutexes, and semaphores. The processes use this list to locate and share objects. Each type of object is created with a default DACL that specifies who can access the objects with what permissions. Enabling this policy setting strengthens the default DACL and allows users who aren't administrators to read, but not to modify, shared objects that they didn't create. ### Possible values @@ -37,7 +37,7 @@ This policy setting determines the strength of the default discretionary access ### Best practices -- It is advisable to set this policy to **Enabled**. +- It's advisable to set this policy to **Enabled**. ### Location @@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -70,7 +70,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it is possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they did not create. +This policy setting is enabled by default to protect against a known vulnerability that can be used with hard links or symbolic links. Hard links are actual directory entries in the file system. With hard links, the same data in a file system can be referred to by different file names. Symbolic links are text files that provide a pointer to the file that is interpreted and followed by the operating system as a path to another file or directory. Because symbolic links are a separate file, they can exist independently of the target location. If a symbolic link is deleted, its target location remains unaffected. When this setting is disabled, it's possible for a malicious user to destroy a data file by creating a link that looks like a temporary file that the system automatically creates, such as a sequentially named log file, but it points to the data file that the malicious user wants to eradicate. When the system writes the files with that name, the data is overwritten. Enabling **System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)** prevents an attacker from exploiting programs that create files with predictable names by not allowing them to write to objects that they didn't create. ### Countermeasure @@ -78,7 +78,7 @@ Enable the **System objects: Strengthen default permissions of global system obj ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index a271d9f87f..8db727008d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines which subsystems support your applications. You can use this security setting to specify as many subsystems as your environment demands. -The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then logs out, the next user who logs on to the system might access the process that the previous user started. This is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. +The subsystem introduces a security risk that is related to processes that can potentially persist across logons. If a user starts a process and then signs out, the next user who signs in to the system might access the process that the previous user started. This pattern is dangerous, because the process started by the first user can retain that user's system user rights; therefore, anything that the second user does using that process is performed with the user rights of the first user. This privileges rollover makes it difficult to trace who creates processes and objects, which is essential for post-security incident forensics. ### Possible values @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -73,7 +73,7 @@ This section describes how an attacker might exploit a feature or its configurat The POSIX subsystem is an Institute of Electrical and Electronic Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. -The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. +The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across sign-ins. If a user starts a process and then signs out, there's a potential that the next user who signs in to the computer could access the previous user's process. This accessibility would allow the second user to take actions on the process by using the privileges of the first user. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index 9791d8a12d..e58a8d0925 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index c4781f258c..b3272708b2 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -31,7 +31,7 @@ This policy setting determines which users can take ownership of any securable o Every object has an owner, whether the object resides in an NTFS volume or Active Directory database. The owner controls how permissions are set on the object and to whom permissions are granted. -By default, the owner is the person who or the process which created the object. Owners can always change permissions to objects, even when they are denied all access to the object. +By default, the owner is the person who or the process that created the object. Owners can always change permissions to objects, even when they're denied all access to the object. Constant: SeTakeOwnershipPrivilege @@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 16e00a82f8..d6d32d8a08 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c ## Reference This policy setting determines the behavior of Admin Approval Mode for the built-in administrator account. -When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**. +When the Admin Approval Mode is enabled, the local administrator account functions like a standard user account, but it has the ability to elevate privileges without logging on by using a different account. In this mode, any operation that requires elevation of privilege displays a prompt that allows the administrator to permit or deny the elevation of privilege. If Admin Approval Mode isn't enabled, the built-in Administrator account runs all applications by default with full administrative privileges. By default, Admin Approval Mode is set to **Disabled**. > [!NOTE] > If a computer is upgraded from a previous version of the Windows operating system, and the administrator account is the only account on the computer, the built-in administrator account remains enabled, and this setting is also enabled. @@ -40,11 +40,11 @@ When the Admin Approval Mode is enabled, the local administrator account functio - Disabled - If Admin Approval Mode is not enabled, the built-in Administrator account runs all applications by default with full administrative privileges + If Admin Approval Mode isn't enabled, the built-in Administrator account runs all applications by default with full administrative privileges ### Best practices -- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) +- It's recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. @@ -74,7 +74,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. In a default installation of a computer running at least Windows Vista, if the computer is not joined to a domain, the first user account you create has the equivalent permissions of a local administrator. +One of the risks that the UAC feature tries to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for malicious programs is to discover the password of the Administrator account because that user account was created for all installations of Windows. To address this risk, the built-in Administrator account is disabled in computers running at least Windows Vista. In computers running at least Windows Server 2008, the Administrator account is enabled, and the password must be changed the first time the administrator logs on. In a default installation of a computer running at least Windows Vista, if the computer isn't joined to a domain, the first user account you create has the equivalent permissions of a local administrator. ### Countermeasure @@ -90,7 +90,7 @@ Enable the **User Account Control: Admin Approval Mode for the Built-in Administ ### Potential impact -Users who log on by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. +Users who sign in by using the local administrator account are prompted for consent whenever a program requests an elevation in privilege. ## Related topics - [Security Options](/windows/device-security/security-policy-settings/security-options) \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 8526a457ae..4ade31f9ed 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -91,7 +91,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -99,7 +99,7 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep ### Policy interactions -If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it is configured as **Automatically deny elevation requests**, elevation requests are not presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. +If you plan to enable this setting, you should also review the effect of the [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md) setting. If it's configured as **Automatically deny elevation requests**, elevation requests aren't presented to the user. If you disable this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md) setting, which by default is enabled. ## Security considerations @@ -107,13 +107,13 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: +UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desktop to increase usability in certain cases, but it allows elevation requests to appear on the regular interactive desktop instead of on the secure desktop. This requests-appearance increases the risk that a malicious program could intercept data that is being transferred between the UI and the application. Because UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. To be considered trusted, a UIA program must be digitally signed. By default, UIA programs can be run only from the following protected paths: - ..\\Program Files\\ (and subfolders) - ..\\Program Files (x86)\\ (and subfolders, in 64-bit versions of Windows only) - ..\\Windows\\System32\\ -The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it is used primarily in certain Windows Remote Assistance scenarios. +The requirement to be in a protected path can be disabled by the [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md) setting. Although this setting applies to any UIA program, it's used primarily in certain Windows Remote Assistance scenarios. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index e653550846..06252b3d4a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -33,9 +33,9 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Elevate without prompting** - Assumes that the administrator will permit an operation that requires elevation, and additional consent or credentials are not required. + Assumes that the administrator will permit an operation that requires elevation, and more consent or credentials aren't required. - **Note** Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. + **Note** Selecting **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. - **Prompt for credentials on the secure desktop** @@ -55,18 +55,18 @@ This policy setting determines the behavior of the elevation prompt for accounts - **Prompt for consent for non-Windows binaries** - This is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. + This prompt for consent is the default. When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select **Permit** or **Deny**. If the user selects **Permit**, the operation continues with the user's highest available privilege. -\*If you have enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. +\*If you've enabled the built-in Administrator account and have configured Admin Approval Mode, you must also configure the option **Prompt for consent on the secure desktop**. You can also configure this option from User Account Control, by typing **UAC** in the search box. From the User Account Control Settings dialog box, set the slider control to **Notify me only when apps try to make changes to my computer (default)**. > [!NOTE] > After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. ### Best practices -- Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. +- Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We don't recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. -- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) +- It's recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For more information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) ### Location @@ -90,7 +90,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -110,7 +110,7 @@ Configure the **User Account Control: Behavior of the elevation prompt for admin ### Potential impact -Administrators should be made aware that they will be prompted for consent when all binaries attempt to run. +Administrators should be made aware that they'll be prompted for consent when all binaries attempt to run. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 48f2dfa8c7..dcc2829197 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -37,7 +37,7 @@ This policy setting determines the behavior of the elevation prompt for standard - **Prompt for credentials on the secure desktop** - This is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. + This prompt for credentials is the default. When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. - **Prompt for credentials** @@ -45,8 +45,8 @@ This policy setting determines the behavior of the elevation prompt for standard ### Best practices -1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. -2. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. +1. Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. +2. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, set **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. ### Location @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -87,11 +87,11 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro ### Countermeasure -Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to log on with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users should not have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users do not choose to always log on with their administrator accounts, and they shift their behavior to use the standard user account. +Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. ### Potential impact -Users must provide administrative passwords to run programs with elevated privileges. This could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. +Users must provide administrative passwords to run programs with elevated privileges. This impact could cause an increased load on IT staff while the programs that are affected are identified and standard operating procedures are modified to support least privilege operations. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 431ac04a15..53b87039e9 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -38,7 +38,7 @@ Some software might attempt to install itself after being given permission to ru - **Disabled** - Application installation packages that require an elevation of privilege to install are not detected and the user is not prompted for administrative credentials. + Application installation packages that require an elevation of privilege to install aren't detected and the user isn't prompted for administrative credentials. ### Best practices @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 242580312c..0f83be229f 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -31,18 +31,18 @@ This policy setting enforces public key infrastructure (PKI) signature checks on A trusted publisher is a certificate issuer that the computer’s user has chosen to trust and that has certificate details that have been added to the store of trusted publishers. -Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they are owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from a number of different certification authorities (CAs). +Windows maintains certificates in certificate stores. These stores can be represented by containers in the file system or the registry, or they can be implemented as physical stores such as smart cards. Certificate stores are associated with the computer object or they're owned by a distinct user who has a security context and profile on that computer. In addition, services can have certificate stores. A certificate store will often contain numerous certificates, possibly issued from many different certification authorities (CAs). When certificate path discovery is initiated, Windows attempts to locate the issuing CA for the certificates, and it builds a certificate path to the trusted root certificate. Intermediate certificates are included as part of the application protocol or are picked up from Group Policy or through URLs that are specified in the Authority Information Access (AIA) extension. When the path is built, each certificate in the path is verified for validity with respect to various parameters, such as name, time, signature, revocation status, and other constraints. ### Possible values - **Enabled** - Enforces the PKI certificate chain validation of a given executable file before it is permitted to run. + Enforces the PKI certificate chain validation of a given executable file before it's permitted to run. - **Disabled** - Does not enforce PKI certificate chain validation before a given executable file is permitted to run. + Doesn't enforce PKI certificate chain validation before a given executable file is permitted to run. ### Best practices @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -91,8 +91,8 @@ Enable the **User Account Control: Only elevate executables that are signed and ### Potential impact -Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications are not signed, and they cannot be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. -Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting is not an assurance that all rogue applications will be found. +Enabling this setting requires that you have a PKI infrastructure and that your enterprise administrators have populated the Trusted Publishers store with the certificates for the allowed applications. Some older applications aren't signed, and they can't be used in an environment that is hardened with this setting. You should carefully test your applications in a preproduction environment before implementing this setting. +Control over the applications that are installed on the desktops and the hardware that joins your domain should provide similar protection from the vulnerability that is addressed by this setting. Additionally, the level of protection that is provided by this setting isn't an assurance that all rogue applications will be found. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 76a8bc97a2..2c36882505 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -59,7 +59,7 @@ If an application presents a UIAccess attribute when it requests privileges, the - **Disabled** - An application can start with UIAccess integrity even if it does not reside in a secure location in the file system. + An application can start with UIAccess integrity even if it doesn't reside in a secure location in the file system. ### Best practices @@ -103,7 +103,7 @@ This section describes: ### Vulnerability -UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that transmit user interfaces to alternative forms. But it's not required by most applications. A process that's started with UIAccess rights has the following abilities: +UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as sign-in prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that transmit user interfaces to alternative forms. But it's not required by most applications. A process that's started with UIAccess rights has the following abilities: - Set the foreground window. - Drive any application window by using the SendInput function. @@ -117,7 +117,7 @@ Enable the **User Account Control: Only elevate UIAccess applications that are i ### Potential impact -If the application that requests UIAccess meets the UIAccess setting requirements, computers that run at least the Windows Vista operating system start the application with the ability to bypass most UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. +If the application that requests UIAccess meets the UIAccess setting requirements, computers that run at least the Windows Vista operating system start the application with the ability to bypass most UIPI restrictions. If the application doesn't meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. ## Related articles diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index 6760e38f5a..3d53a0a2f4 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -27,7 +27,7 @@ This article describes the best practices, location, values, policy management a ## Reference -This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This is the setting that turns UAC on or off. +This policy setting determines the behavior of all User Account Control (UAC) policies for the entire system. This setting is the one that turns on or off the UAC. ### Possible values diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 5eb4fbd4e9..15ef6860e1 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting determines whether the elevation request prompts on the interactive user desktop or on the secure desktop. -The secure desktop presents the logon UI and restricts functionality and access to the system until the logon requirements are satisfied. +The secure desktop presents the sign-in UI and restricts functionality and access to the system until the sign-in requirements are satisfied. The secure desktop’s primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user’s privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. @@ -71,7 +71,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -91,7 +91,7 @@ Enable the **User Account Control: Switch to the secure desktop when prompting f ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index dda6b18a18..97de8498ea 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management and security c This policy setting enables or disables the redirection of the write failures of earlier applications to defined locations in the registry and the file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKEY\_LOCAL\_MACHINE\\Software\\. -This feature can be disabled for applications on devices running at least Windows Vista because it is unnecessary. +This feature can be disabled for applications on devices running at least Windows Vista because it's unnecessary. ### Possible values @@ -43,7 +43,7 @@ This feature can be disabled for applications on devices running at least Window ### Best practices -1. If you run applications that are not Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. +1. If you run applications that aren't Windows Vista-compliant, enable this security policy to prevent the possibility that these older applications could write data to unsecure locations. 2. If you only run at least Windows Vista–compliant applications, this feature is unnecessary so you can disable this policy. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -89,7 +89,7 @@ Enable the **User Account Control: Virtualize file and registry write failures t ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 411b14fcba..8eabd03b34 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -23,7 +23,7 @@ Windows Event Forwarding (WEF) reads any operational or administrative event log To accomplish this functionality, there are two different subscriptions published to client devices - the Baseline subscription and the suspect subscription. The Baseline subscription enrolls all devices in your organization, and a Suspect subscription only includes devices that have been added by you. The Suspect subscription collects more events to help build context for system activity and can quickly be updated to accommodate new events and/or scenarios as needed without impacting baseline operations. -This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they are largely used for host forensic analysis. +This implementation helps differentiate where events are ultimately stored. Baseline events can be sent to devices with online analytical capability, such as Security Event Manager (SEM), while also sending events to a MapReduce system, such as HDInsight or Hadoop, for long-term storage and deeper analysis. Events from the Suspect subscription are sent directly to a MapReduce system due to volume and lower signal/noise ratio, they're largely used for host forensic analysis. An SEM’s strength lies in being able to inspect, correlate events, and generate alerts for known patterns manner and alert security staff at machine speed. @@ -37,7 +37,7 @@ Here's an approximate scaling guide for WEF events: | 5,000 - 50,000 | SEM | | 50,000+ | Hadoop/HDInsight/Data Lake | -Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This condition is because WEF is a passive system regarding the event log. It cannot change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling additional event channels and expanding the size of event log files hasn't resulted in noticeable performance differences. +Event generation on a device must be enabled either separately or as part of the GPO for the baseline WEF implementation, including enabling of disabled event logs and setting channel permissions. For more info, see [Appendix C - Event channel settings (enable and channel access) methods](#bkmk-appendixc). This condition is because WEF is a passive system regarding the event log. It can't change the size of event log files, enable disabled event channels, change channel permissions, or adjust a security audit policy. WEF only queries event channels for existing events. Additionally, having event generation already occurring on a device allows for more complete event collection building a complete history of system activity. Otherwise, you'll be limited to the speed of GPO and WEF subscription refresh cycles to make changes to what is being generated on the device. On modern devices, enabling more event channels and expanding the size of event log files hasn't resulted in noticeable performance differences. For the minimum recommended audit policy and registry system ACL settings, see [Appendix A - Minimum recommended minimum audit policy](#bkmk-appendixa) and [Appendix B - Recommended minimum registry system ACL policy](#bkmk-appendixb). @@ -50,7 +50,7 @@ This system of dual subscription means you would create two base subscriptions: - **Baseline WEF subscription**. Events collected from all hosts; these events include some role-specific events, which will only be emitted by those machines. - **Targeted WEF subscription**. Events collected from a limited set of hosts due to unusual activity and/or heightened awareness for those systems. -Each using the respective event query below. For the Targeted subscription enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. +Each using the respective event query below. For the Targeted subscription, enabling the “read existing events” option should be set to true to allow collection of existing events from systems. By default, WEF subscriptions will only forward events generated after the WEF subscription was received by the client. In [Appendix E – Annotated Baseline Subscription Event Query](#bkmk-appendixe) and [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf), the event query XML is included when creating WEF subscriptions. These subscriptions are annotated for query purpose and clarity. Individual <Query> element can be removed or edited without affecting the rest of the query. @@ -62,11 +62,11 @@ This section addresses common questions from IT pros and customers. The short answer is: No. -The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they won't notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there is an issue with the WEF subscription, there is no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. +The longer answer is: The **Eventlog-forwardingPlugin/Operational** event channel logs the success, warning, and error events related to WEF subscriptions present on the device. Unless the user opens Event Viewer and navigates to that channel, they won't notice WEF either through resource consumption or Graphical User Interface pop-ups. Even if there's an issue with the WEF subscription, there's no user interaction or performance degradation. All success, warning, and failure events are logged to this operational event channel. ### Is WEF Push or Pull? -A WEF subscription can be configured to be push or pull, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. +A WEF subscription can be configured to be pushed or pulled, but not both. The simplest, most flexible IT deployment with the greatest scalability can be achieved by using a push, or source initiated, subscription. WEF clients are configured by using a GPO and the built-in forwarding client is activated. For pull, collector initiated, the subscription on the WEC server is pre-configured with the names of the WEF Client devices from which events are to be selected. Those clients are to be configured ahead of time to allow the credentials used in the subscription to access their event logs remotely (normally by adding the credential to the **Event Log Readers** built-in local security group.) A useful scenario: closely monitoring a specific set of machines. ### Will WEF work over VPN or RAS? @@ -75,7 +75,7 @@ WEF handles VPN, RAS, and DirectAccess scenarios well and will reconnect and sen ### How is client progress tracked? The WEC server maintains in its registry the bookmark information and last heartbeat time for each event source for each WEF subscription. When an event source reconnects to a WEC server, the last bookmark position is sent to the device to use as a starting point to resume forwarding events. If a -WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it is active. This heartbeat value can be individually configured for each subscription. +WEF client has no events to send, the WEF client will connect periodically to send a Heartbeat to the WEC server to indicate it's active. This heartbeat value can be individually configured for each subscription. ### Will WEF work in an IPv4, IPv6, or mixed IPv4/IPv6 environment? @@ -93,12 +93,11 @@ The HTTPS option is available if certificate based authentication is used, in ca The WEF client machines local event log is the buffer for WEF for when the connection to the WEC server is lost. To increase the “buffer size”, increase the maximum file size of the specific event log file where events are being selected. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). -When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there is no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. +When the event log overwrites existing events (resulting in data loss if the device isn't connected to the Event Collector), there's no notification sent to the WEF collector that events are lost from the client. Neither is there an indicator that there was a gap encountered in the event stream. ### What format is used for forwarded events? -WEF has two modes for forwarded events. The default is “Rendered Text” which includes the textual description of the event as you would see it in Event Viewer. This means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is -“Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This is very compact and can more than double the event volume a single WEC server can accommodate. +WEF has two modes for forwarded events. The default is “Rendered Text” that includes the textual description of the event as you would see it in Event Viewer. This description's inclusion means that the event size is effectively doubled or tripled depending on the size of the rendered description. The alternative mode is “Events” (also sometimes referred to as “Binary” format) – which is just the event XML itself sent in binary XML format (as it would be written to the evtx file.) This format is compact and can more than double the event volume a single WEC server can accommodate. A subscription “testSubscription” can be configured to use the Events format through the WECUTIL utility: @@ -109,19 +108,19 @@ Wecutil ss “testSubscription” /cf:Events ### How frequently are WEF events delivered? -Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but cannot be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. +Event delivery options are part of the WEF subscription configuration parameters – There are three built-in subscription delivery options: Normal, Minimize Bandwidth, and Minimize Latency. A fourth, catch-all called “Custom” is available but can't be selected or configured through the WEF UI by using Event Viewer. The Custom delivery option must be selected and configured using the WECUTIL.EXE command-line application. All subscription options define a maximum event count and maximum event age, if either limit is exceeded then the accumulated events are sent to the event collector. This table outlines the built-in delivery options: | Event delivery optimization options | Description | | - | - | -| Normal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It is the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | -| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It is an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | -| Minimize latency | This option ensures that events are delivered with minimal delay. It is an appropriate choice if you are collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | +| Normal | This option ensures reliable delivery of events and doesn't attempt to conserve bandwidth. It's the appropriate choice unless you need tighter control over bandwidth usage or need forwarded events delivered as quickly as possible. It uses pull delivery mode, batches 5 items at a time and sets a batch timeout of 15 minutes. | +| Minimize bandwidth | This option ensures that the use of network bandwidth for event delivery is strictly controlled. It's an appropriate choice if you want to limit the frequency of network connections made to deliver events. It uses push delivery mode and sets a batch timeout of 6 hours. In addition, it uses a heartbeat interval of 6 hours. | +| Minimize latency | This option ensures that events are delivered with minimal delay. It's an appropriate choice if you're collecting alerts or critical events. It uses push delivery mode and sets a batch timeout of 30 seconds. | For more info about delivery options, see [Configure Advanced Subscription Settings](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749167(v=ws.11)). -The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements you can set Custom event delivery options for a given subscription from an elevated command prompt: +The primary difference is in the latency which events are sent from the client. If none of the built-in options meet your requirements, you can set Custom event delivery options for a given subscription from an elevated command prompt: ``` syntax @rem required to set the DeliveryMaxItems or DeliveryMaxLatencyTime @@ -139,15 +138,15 @@ For collector initiated subscriptions: The subscription contains the list of mac ### Can a client communicate to multiple WEF Event Collectors? -Yes. If you desire a High-Availability environment, simply configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. +Yes. If you desire a High-Availability environment, configure multiple WEC servers with the same subscription configuration and publish both WEC Server URIs to WEF clients. WEF Clients will forward events simultaneously to the configured subscriptions on the WEC servers, if they have the appropriate access. ### What are the WEC server’s limitations? There are three factors that limit the scalability of WEC servers. The general rule for a stable WEC server on commodity hardware is planning for a total of 3,000 events per second on average for all configured subscriptions. - **Disk I/O**. The WEC server doesn't process or validate the received event, but rather buffers the received event and then logs it to a local event log file (EVTX file). The speed of logging to the EVTX file is limited by the disk write speed. Isolating the EVTX file to its own array or using high speed disks can increase the number of events per second that a single WEC server can receive. -- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. -- **Registry size**. For each unique device that connects to a WEF subscription, there is a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this isn't pruned to remove inactive clients this set of registry keys can grow to an unmanageable size over time. +- **Network Connections**. While a WEF source doesn't maintain a permanent, persistent connection to the WEC server, it doesn't immediately disconnect after sending its events. This leniency means that the number of WEF sources that can simultaneously connect to the WEC server is limited to the open TCP ports available on the WEC server. +- **Registry size**. For each unique device that connects to a WEF subscription, there's a registry key (corresponding to the FQDN of the WEF Client) created to store bookmark and source heartbeat information. If this information isn't pruned to remove inactive clients, this set of registry keys can grow to an unmanageable size over time. - When a subscription has >1000 WEF sources connect to it over its operational lifetime, also known as lifetime WEF sources, Event Viewer can become unresponsive for a few minutes when selecting the **Subscriptions** node in the left-navigation, but will function normally afterwards. - At >50,000 lifetime WEF sources, Event Viewer is no longer an option and wecutil.exe (included with Windows) must be used to configure and manage subscriptions. @@ -155,30 +154,30 @@ There are three factors that limit the scalability of WEC servers. The general r ## Subscription information -Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. +Below lists all of the items that each subscription collects, the actual subscription XML is available in an Appendix. These items are separated out into Baseline and Targeted. The intent is to subscribe all hosts to Baseline, and then enroll (and remove) hosts on an as needed basis to the Targeted subscription. ### Baseline subscription -While this appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require special configuration on client devices to enable event channels or modify channel permissions. +While this subscription appears to be the largest subscription, it really is the lowest volume on a per-device basis. (Exceptions should be allowed for unusual devices – a device performing complex developer related tasks can be expected to create an unusually high volume of process create and AppLocker events.) This subscription doesn't require special configuration on client devices to enable event channels or modify channel permissions. -The subscription is essentially a collection of query statements applied to the Event Log. This means that it is modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements which filter out specific events, only apply within that query statement and aren't to the entire subscription. +The subscription is essentially a collection of query statements applied to the Event Log. This subscription means that it's modular in nature and a given query statement can be removed or changed without impacting other query statement in the subscription. Additionally, suppress statements that filter out specific events, only apply within that query statement and aren't to the entire subscription. ### Baseline subscription requirements -To gain the most value out of the baseline subscription we recommend to have the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. +To gain the most value out of the baseline subscription, we recommend having the following requirements set on the device to ensure that the clients are already generating the required events to be forwarded off the system. -- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This ensures that the security event log is generating the required events. +- Apply a security audit policy that is a super-set of the recommended minimum audit policy. For more info, see [Appendix A – Minimum Recommended minimum Audit Policy](#bkmk-appendixa). This policy ensures that the security event log is generating the required events. - Apply at least an Audit-Only AppLocker policy to devices. - - If you are already allowing or restricting events by using AppLocker, then this requirement is met. - - AppLocker events contain extremely useful information, such as file hash and digital signature information for executables and scripts. + - If you're already allowing or restricting events by using AppLocker, then this requirement is met. + - AppLocker events contain useful information, such as file hash and digital signature information for executables and scripts. - Enable disabled event channels and set the minimum size for modern event files. -- Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). +- Currently, there's no GPO template for enabling or setting the maximum size for the modern event files. This threshold must be defined by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf). -- Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. +- Anti-malware events from Microsoft Antimalware or Windows Defender. These events can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. - AppLocker Process Create events (EXE, script, packaged App installation and execution). - Registry modification events. For more info, see [Appendix B – Recommended minimum Registry System ACL Policy](#bkmk-appendixb). @@ -192,7 +191,7 @@ The annotated event query can be found in the following. For more info, see [App - Certificate Authority audit events - - This is only applicable on systems with the Certificate Authority role installed. + - These events are only applicable on systems with the Certificate Authority role installed. - Logs certificate requests and responses. - User profile events @@ -211,28 +210,29 @@ The annotated event query can be found in the following. For more info, see [App - Find out what initiated the restart of a device. -- User initiated interactive logoff event +- User-initiated interactive sign-out event - Remote Desktop Services sessions connect, reconnect, or disconnect. - EMET events, if EMET is installed. - Event forwarding plugin events - - For monitoring WEF subscription operations, particularly Partial Success events. This is useful for diagnosing deployment issues. + - For monitoring WEF subscription operations, such as Partial Success events. This event is useful for diagnosing deployment issues. - Network share creation and deletion - Enables detection of unauthorized share creation. - >**Note:** All shares are re-created when the device starts. + > [!NOTE] + > All shares are re-created when the device starts. -- Logon sessions +- Sign-in sessions - - Logon success for interactive (local and Remote Interactive/Remote Desktop) - - Logon success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. - - Logon success for batch sessions - - Logon session close, which is logoff events for non-network sessions. + - Sign-in success for interactive (local and Remote Interactive/Remote Desktop) + - Sign-in success for services for non-built-in accounts, such as LocalSystem, LocalNetwork, and so on. + - Sign-in success for batch sessions + - Sign-in session close, which is sign-out events for non-network sessions. - Windows Error Reporting (Application crash events only) - - This can help detect early signs of intruder not familiar with enterprise environment using targeted malware. + - This session can help detect early signs of intruder not familiar with enterprise environment using targeted malware. - Event log service events @@ -240,11 +240,11 @@ The annotated event query can be found in the following. For more info, see [App - Event log cleared (including the Security Event Log) - - This could indicate an intruder that is covering their tracks. + - This event could indicate an intruder that is covering their tracks. -- Special privileges assigned to new logon +- Special privileges assigned to new sign in - - This indicates that at the time of logon a user is either an Administrator or has the sufficient access to make themselves Administrator. + - This assignation indicates that at the time of signing in, a user is either an Administrator or has the sufficient access to make themselves Administrator. - Outbound Remote Desktop Services session attempts @@ -265,19 +265,19 @@ The annotated event query can be found in the following. For more info, see [App - Task Scheduler allows intruders to run code at specified times as LocalSystem. -- Logon with explicit credentials +- Sign-in with explicit credentials - Detect credential use changes by intruders to access more resources. - Smartcard card holder verification events - - This detects when a smartcard is being used. + - This event detects when a smartcard is being used. ### Suspect subscription -This adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. +This subscription adds some possible intruder-related activity to help analyst further refine their determinations about the state of the device. -- Logon session creation for network sessions +- Sign-in session creation for network sessions - Enables time-series analysis of network graphs. @@ -290,15 +290,15 @@ This adds some possible intruder-related activity to help analyst further refine - Detects known bad certificate, CA, or sub-CA - Detects unusual process use of CAPI -- Groups assigned to local logon +- Groups assigned to local sign in - - Gives visibility to groups which enable account-wide access + - Gives visibility to groups that enable account-wide access - Allows better planning for remediation efforts - Excludes well known, built-in system accounts. -- Logon session exit +- Sign-in session exit - - Specific for network logon sessions. + - Specific for network sign-in sessions. - Client DNS lookup events @@ -308,11 +308,11 @@ This adds some possible intruder-related activity to help analyst further refine - Enables checking for processes terminating unexpectedly. -- Local credential validation or logon with explicit credentials +- Local credential validation or signing in with explicit credentials - Generated when the local SAM is authoritative for the account credentials being authenticated. - Noisy on domain controllers - - On client devices this is only generated when local accounts log on. + - On client devices, it's only generated when local accounts sign in. - Registry modification audit events @@ -370,9 +370,9 @@ If your organizational audit policy enables more auditing to meet its needs, tha ## Appendix B - Recommended minimum registry system ACL policy -The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user logs into the system. +The Run and RunOnce keys are useful for intruders and malware persistence. It allows code to be run (or run only once then removed, respectively) when a user signs in to the system. -This can easily be extended to other Auto-Execution Start Points keys in the registry. +This implication can easily be extended to other Auto-Execution Start Points keys in the registry. Use the following figures to see how you can configure those registry keys. @@ -384,16 +384,16 @@ Use the following figures to see how you can configure those registry keys. Some channels are disabled by default and have to be enabled. Others, such as Microsoft-Windows-CAPI2/Operational must have the channel access modified to allow the Event Log Readers built-in security group to read from it. -The recommended and most effective way to do this is configuring the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access.) This will take effect at the next GPO refresh cycle and has minimal impact on the client device. +The recommended and most effective way to do this customization is configuring the baseline GPO to run a scheduled task to configure the event channels (enable, set maximum size, and adjust channel access). This configuration will take effect at the next GPO refresh cycle and has minimal impact on the client device. -The following GPO snippet performs the following: +The following GPO snippet performs the following tasks: - Enables the **Microsoft-Windows-Capi2/Operational** event channel. - Sets the maximum file size for **Microsoft-Windows-Capi2/Operational** to 100MB. -- Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100MB. +- Sets the maximum file size for **Microsoft-Windows-AppLocker/EXE and DLL** to 100 MB. - Sets the maximum channel access for **Microsoft-Windows-Capi2/Operational** to include the built-in Event Log Readers security group. - Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel. -- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB. +- Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50 MB.  @@ -403,7 +403,7 @@ Here are the minimum steps for WEF to operate: 1. Configure the collector URI(s). 2. Start the WinRM service. -3. Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel. +3. Add the Network Service account to the built-in Event Log Readers security group. This addition allows reading from secured event channel, such as the security event channel.  diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index e882f22e84..f85611c594 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -41,7 +41,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de 1. Generate a supplemental policy with Windows Defender Application Control tooling - This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. + This policy will expand the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. @@ -56,14 +56,14 @@ The general steps for expanding the S mode base policy on your Intune-managed de ```powershell Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "
Conversely, if this is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.| - |Applies to a specific **Publisher** | This scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. | - |Applies to a **Package name** | This scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. | - |Applies to a **Package version** | This scopes the rule to a particular version of the package. | You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. | + |Applies to **Any publisher**|This setting is the least restrictive scope condition for an **Allow** rule. It permits every packaged app to run or install.
Conversely, if this setting is a **Deny** rule, then this option is the most restrictive because it denies all apps from installing or running. | You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.| + |Applies to a specific **Publisher** | This setting scopes the rule to all apps published by a particular publisher. | You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope. | + |Applies to a **Package name** | This setting scopes the rule to all packages that share the publisher name and package name as the reference file. | You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope. | + |Applies to a **Package version** | This setting scopes the rule to a particular version of the package. | You want to be selective in what you allow. You don't want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer. | |Applying custom values to the rule | Selecting the **Use custom values** check box allows you to adjust the scope fields for your particular circumstance. | You want to allow users to install all *Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the **Use custom values** check box and edit the package name field by adding “Microsoft.Bing*” as the Package name. | 6. Select **Next**. -7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. +7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. These conditions allow you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. 8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 7daf4320eb..4b22dedc36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -39,7 +39,7 @@ For each business group, determine the following information: - The full installation path of the app - The publisher and signed status of each app - The type of requirement the business groups set for each app, such as business critical, business productivity, optional, or personal. It might also be helpful during this effort to identify which apps are supported or unsupported by your IT department, or supported by others outside your control. -- A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who cannot provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. +- A list of files or apps that require administrative credentials to install or run. If the file requires administrative credentials to install or run, users who can't provide administrative credentials will be prevented from running the file even if the file is explicitly allowed by an AppLocker policy. Even with AppLocker policies enforced, only members of the Administrators group can install or run files that require administrative credentials. ### How to perform the app usage assessment @@ -48,9 +48,9 @@ Rules wizard and the **Audit only** enforcement configuration to assist you with **Application inventory methods** -Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. +Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This requirement might mean more work in setting up the reference computer and determining a maintenance policy for that computer. -Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. +Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. > [!TIP] > If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. @@ -63,16 +63,16 @@ The following topics describe how to perform each method: ### Prerequisites to completing the inventory -Identify the business group and each organizational unit (OU) within that group to which you will apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: +Identify the business group and each organizational unit (OU) within that group to which you'll apply application control policies. In addition, you should have identified whether or not AppLocker is the most appropriate solution for these policies. For info about these steps, see the following topics: - [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) - [Determine your application control objectives](determine-your-application-control-objectives.md) ## Next steps -Identify and develop the list of apps. Record the name of the app, whether it is signed or not as indicated by the publisher's name, and whether or not it is a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For info about how to do this, see [Document your app list](document-your-application-list.md). +Identify and develop the list of apps. Record the name of the app, whether it's signed or not as indicated by the publisher's name, and whether or not it's a mission critical, business productivity, optional, or personal application. Record the installation path of the apps. For more information, see [Document your app list](document-your-application-list.md). -After you have created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled: +After you've created the list of apps, the next step is to identify the rule collections, which will become the policies. This information can be added to the table under columns labeled: - Use default rule or define new rule condition - Allow or deny diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index 961dd4e3ff..8a5e46aee1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -35,7 +35,7 @@ Creating effective application control policies with AppLocker starts by creatin ## Step 1: Use your plan -You can develop an application control policy plan to guide you in making successful deployment decisions. For more info about how to do this and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: +You can develop an application control policy plan to guide you in making successful deployment decisions. For more information about how to develop this policy and what you should consider, see the [AppLocker Design Guide](applocker-policies-design-guide.md). This guide is intended for security architects, security administrators, and system administrators. It contains the following topics to help you create an AppLocker policy deployment plan for your organization that will address your specific application control requirements by department, organizational unit, or business group: 1. [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md) 2. [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md) @@ -52,12 +52,12 @@ Each rule applies to one or more apps, and it imposes a specific rule condition ## Step 3: Configure the enforcement setting -An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it is set to **Not configured**, all the rules in that +An AppLocker policy is a set of rule collections that are configured with a rule enforcement setting. The enforcement setting can be **Enforce rules**, **Audit only**, or **Not configured**. If an AppLocker policy has at least one rule, and it's set to **Not configured**, all the rules in that policy will be enforced. For info about configuring the rule enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) and [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). ## Step 4: Update the GPO -AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO) or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to do this, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). +AppLocker policies can be defined locally on a device or applied through Group Policy. To use Group Policy to apply AppLocker policies, you must create a new Group Policy Object (GPO), or you must update an existing GPO. You can create or modify AppLocker policies by using the Group Policy Management Console (GPMC), or you can import an AppLocker policy into a GPO. For the procedure to import this policy into a GPO, see [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). ## Step 5: Test the effect of the policy @@ -68,7 +68,7 @@ In a test environment or with the enforcement setting set at **Audit only**, ver Depending on your deployment method, import the AppLocker policy to the GPO in your production environment, or if the policy is already deployed, change the enforcement setting to your production environment value—**Enforce rules** or **Audit only**. ## Step 7: Test the effect of the policy and adjust -Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). +Validate the effect of the policy by analyzing the AppLocker logs for application usage, and then modify the policy as necessary. For information on how to do these tasks, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). ## Next steps diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index cdda7822da..8efbf0415b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -33,7 +33,7 @@ This topic for the IT professional describes what you need to know about AppLock ## Creating AppLocker rules -AppLocker rules apply to the targeted app, and they are the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). +AppLocker rules apply to the targeted app, and they're the components that make up the AppLocker policy. Depending on your IT environment and the business group that requires application control policies, setting these access rules for each application can be time-consuming and prone to error. With AppLocker, you can generate rules automatically or create rules individually. Creating rules that are derived from your planning document can help you avoid unintended results. For info about this planning document and other planning activities, see [AppLocker Design Guide](applocker-policies-design-guide.md). ### Automatically generate your rules @@ -47,7 +47,7 @@ You can use a reference device to automatically create a set of default rules fo ### Create your rules individually -You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you are targeting a small number of applications within a business group. +You can create rules and set the mode to **Audit only** for each installed app, test and update each rule as necessary, and then deploy the policies. Creating rules individually might be best when you're targeting a few applications within a business group. >**Note:** AppLocker includes default rules for each rule collection. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. You can also edit the default rules. For information about creating the default rules for the Windows operating system, see [Create AppLocker default rules](create-applocker-default-rules.md). @@ -62,7 +62,7 @@ For information about performing this task, see: ## About selecting rules -AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they are implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. +AppLocker policies are composed of distinct rules for specific apps. These rules are grouped by collection, and they're implemented through an AppLocker policy definition. AppLocker policies are managed by using Group Policy or by using the Local Security Policy snap-in for a single computer. When you determine what types of rules to create for each of your business groups or organizational units (OUs), you should also determine what enforcement setting to use for each group. Certain rule types are more applicable for some apps, depending on how the apps are deployed in a specific business group. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 0add3ed41f..6247e45693 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -38,7 +38,7 @@ For info about testing an AppLocker policy to see what rules affect which files You can perform this task by using the Group Policy Management Console for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer or in a security template. For info how to use these MMC snap-ins to administer AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins). -These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings. +These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy won't override those settings. ## To delete a rule in an AppLocker policy @@ -72,13 +72,13 @@ To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules: PS C:\Users\Administrator> import-module AppLocker ``` -We will create a file (for example, clear.xml), place it in the same directory where we are executing our cmdlet, and add the preceding XML contents. Then run the following command: +We'll create a file (for example, clear.xml), place it in the same directory where we're executing our cmdlet, and add the preceding XML contents. Then run the following command: ```powershell C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml ``` -This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. +This command will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. The following PowerShell commands must also be run to stop the AppLocker services and the effects of the former AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 76c4ee127a..fc69f58037 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -41,15 +41,15 @@ For info about how to plan an AppLocker policy deployment, see [AppLocker Design ## Step 1: Retrieve the AppLocker policy -Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). +Updating an AppLocker policy that is currently enforced in your production environment can have unintended results. Using Group Policy, you can export the policy from the Group Policy Object (GPO) and then update the rule or rules by using AppLocker on your AppLocker reference or test PC. For the procedure to do these tasks, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). For local AppLocker policies, you can update the rule or rules by using the Local Security policy snap-in (secpol.msc) on your AppLocker reference or test PC. For the procedures to do this task, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). ## Step 2: Alter the enforcement setting -Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). +Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into collections: executable files, Windows Installer files, packaged apps, scripts, and DLL files. By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. For information about the enforcement setting, see [Understand AppLocker Enforcement Settings](understand-applocker-enforcement-settings.md). For the procedure to alter the enforcement setting, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). ## Step 3: Update the policy -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. An example of this type of software is the [Advanced Group Policy Management](https://go.microsoft.com/fwlink/p/?LinkId=145013) feature from the Microsoft Desktop Optimization Pack. >**Caution:** You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. @@ -60,9 +60,9 @@ For the procedures to distribute policies for local PCs by using the Local Secur ## Step 4: Monitor the effect of the policy -When a policy is deployed, it is important to monitor the actual implementation of that policy. You can do this by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). +When a policy is deployed, it's important to monitor the actual implementation of that policy by monitoring your support organization's app access request activity and reviewing the AppLocker event logs. To monitor the effect of the policy, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 2d9fdbe7c2..13836e63df 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -1,6 +1,6 @@ --- title: Determine the Group Policy structure and rule enforcement (Windows) -description: This overview topic describes the process to follow when you are planning to deploy AppLocker rules. +description: This overview topic describes the process to follow when you're planning to deploy AppLocker rules. ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f ms.reviewer: ms.author: dansimp @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This overview topic describes the process to follow when you are planning to deploy AppLocker rules. +This overview topic describes the process to follow when you're planning to deploy AppLocker rules. ## In this section @@ -39,10 +39,10 @@ This overview topic describes the process to follow when you are planning to dep | [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md) | This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy.| | [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md) | This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. | -When you are determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following: +When you're determining how many Group Policy Objects (GPOs) to create when you apply an AppLocker policy in your organization, you should consider the following points: -- Whether you are creating new GPOs or using existing GPOs -- Whether you are implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO +- Whether you're creating new GPOs or using existing GPOs +- Whether you're implementing Software Restriction Policies (SRP) policies and AppLocker policies in the same GPO - GPO naming conventions - GPO size limits diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 656ab2805e..e8313de0e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -31,14 +31,14 @@ ms.technology: windows-sec This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. -The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device does not need to be joined to the domain. +The Windows PowerShell cmdlet **Get-AppLockerFileInformation** can be used to determine which apps installed on your reference devices are digitally signed. Perform the following steps on each reference computer that you used to define the AppLocker policy. The device doesn't need to be joined to the domain. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. **To determine which apps are digitally signed on a reference device** 1. Run **Get-AppLockerFileInformation** with the appropriate parameters. - The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. + The **Get-AppLockerFileInformation** cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information. 2. Analyze the publisher's name and digital signature status from the output of the command. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index bb43e3b175..1136c55fd2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -39,21 +39,21 @@ Use the following table to develop your own objectives and determine which appli |Application control function|SRP|AppLocker| |--- |--- |--- | -|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in[Requirements to use AppLocker](requirements-to-use-applocker.md).| +|Scope|SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.|AppLocker policies apply only to the support versions of Windows listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).| |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.
AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.| |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.| -|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.| -|File types that can be controlled|SRP can control the following file types:
SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
AppLocker maintains a separate rule collection for each of the five file types.| -|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this. AppLocker currently supports the following file extensions:
SRP can also be configured in the “allowlist mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|By default, AppLocker works in allowlist mode. Only those files are allowed to run for which there's a matching allow rule.| +|File types that can be controlled|SRP can control the following file types:
SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
AppLocker maintains a separate rule collection for each of the five file types.| +|Designated file types|SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.|AppLocker doesn't support this addition of extension. AppLocker currently supports the following file extensions:
Internet zone|AppLocker supports three types of rules:
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.| +|Support for different security levels|With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.| |Manage Packaged apps and Packaged app installers.|Unable|.appx is a valid file type which AppLocker can manage.| |Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.| -|Support for rule exceptions|SRP does not support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.| -|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.| -|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.| +|Support for rule exceptions|SRP doesn't support rule exceptions|AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.| +|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.| +|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample computer, test it out and then export that policy and import it back into the desired GPO.| |Rule enforcement|Internally, SRP rules enforcement happens in user-mode, which is less secure.|Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.| For more general info, see AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 596ca4a50f..542a15ced2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. -Using Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you do not display a custom message when an apps is blocked, the default access denied message is displayed. +With the help of Group Policy, AppLocker can be configured to display a message with a custom URL. You can use this URL to redirect users to a support site that contains info about why the user received the error and which apps are allowed. If you don't display a custom message when an app is blocked, the default access denied message is displayed. To complete this procedure, you must have the **Edit Setting** permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index 92f944b419..70a4c7cad7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -31,7 +31,7 @@ ms.technology: windows-sec ## Using fsutil to query SmartLocker EA -Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This can be achieved by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This can be used in conjunction with enabling the MI and ISG logging events. +Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. **Example:** diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 26a241db0e..f983d739b8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -1,6 +1,6 @@ --- title: Create a code signing cert for Windows Defender Application Control (Windows) -description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally. +description: Learn how to set up a publicly issued code signing certificate, so you can sign catalog files or WDAC policies internally. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -29,11 +29,11 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). +As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signature, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). If you have an internal CA, complete these steps to create a code signing certificate. Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. -ECDSA is not supported. +ECDSA isn't supported. 1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA. @@ -75,7 +75,7 @@ When this certificate template has been created, you must publish it to the CA p Figure 3. Select the new certificate template to issue - A list of available templates to issue appears, including the template you just created. + A list of available templates to issue appears, including the template you created. 2. Select the WDAC Catalog signing certificate, and then click **OK**. @@ -100,7 +100,7 @@ Now that the template is available to be issued, you must request one from the c >[!NOTE] >If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client. -This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: +This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file won't be required because it already exists in your personal store. If you're signing on another computer, you'll need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps: 1. Right-click the certificate, point to **All Tasks**, and then click **Export**. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 3686f2ecb5..2d31e8f0f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -37,7 +37,7 @@ The policy file is converted to binary format when it gets created so that Windo ## Overview of the process of creating Windows Defender Application Control policies -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Windows Defender Application Control policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). +A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Windows Defender Application Control policies follow a similar methodology that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of more WDAC policies based on what should be allowed to be installed and run and for whom. For more information on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed. @@ -48,12 +48,12 @@ If you plan to use an internal CA to sign catalog files or WDAC policies, see th Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. -Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts. +Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer. To create a Windows Defender Application Control policy, copy each of the following commands into an elevated Windows PowerShell session, in order: -1. Initialize variables that you will use. +1. Initialize variables that you'll use. ```powershell $PolicyPath=$env:userprofile+"\Desktop\" @@ -83,7 +83,7 @@ To create a Windows Defender Application Control policy, copy each of the follow ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin ``` -After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. +After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for more security. > [!NOTE] > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index c0296ea8e6..7cd08be428 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -30,16 +30,16 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. +This section outlines the process to create a Windows Defender Application Control (WDAC) policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device can't install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager. Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. **Alice Pena** is the IT team lead tasked with the rollout of WDAC. -Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and firstline workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. +Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and firstline workers aren't granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. ## Define the "circle-of-trust" for fully managed devices @@ -51,26 +51,26 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - Sometimes, IT staff install apps directly to these devices without using Configuration Manager; - All users except IT are standard users on these devices. -Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules. +Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an extra managed installer for WDAC and allows her to remove the need for filepath rules. Based on the above, Alice defines the pseudo-rules for the policy: 1. **“Windows works”** rules that authorize: - Windows - - WHQL (3rd party kernel drivers) + - WHQL (third-party kernel drivers) - Windows Store signed apps 2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. 3. **Allow Managed Installer** (Configuration Manager and *LamnaITInstaller.exe* configured as a managed installer) -The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: +The critical differences between this set of pseudo-rules and those pseudo-rules defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: - Removal of the Intelligent Security Graph (ISG) option; and - Removal of filepath rules. ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully managed devices and decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: @@ -113,7 +113,7 @@ Alice follows these steps to complete this task: Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security ``` -6. If appropriate, add additional signer or file rules to further customize the policy for your organization. +6. If appropriate, add more signer or file rules to further customize the policy for your organization. 7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format: @@ -134,7 +134,7 @@ At this point, Alice now has an initial policy that is ready to deploy in audit Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: - **Users with administrative access**
- Although applying to fewer users, Lamna still allows some IT staff to log in to its fully managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + Although applying to fewer users, Lamna still allows some IT staff to sign in to its fully managed devices as administrator. This privilege allows these users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index d03bb18a75..9cb8de44f4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -35,11 +35,11 @@ This section outlines the process to create a Windows Defender Application Contr > [!NOTE] > Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. +As in the [previous topic](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads. +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she'll need to take an incremental approach to application control and use different policies for different workloads. -For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. +For most users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. ## Define the "circle-of-trust" for lightly managed devices @@ -49,16 +49,16 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo - All clients are managed by Microsoft Endpoint Manager either with Configuration Manager or with Intune. - Some, but not all, apps are deployed using Configuration Manager; - Most users are local administrators on their devices; -- Some teams may need additional rules to authorize specific apps that don't apply generally to all other users. +- Some teams may need more rules to authorize specific apps that don't apply generally to all other users. Based on the above, Alice defines the pseudo-rules for the policy: 1. **“Windows works”** rules that authorize: - Windows - - WHQL (3rd party kernel drivers) + - WHQL (third-party kernel drivers) - Windows Store signed apps -2. **"MEMCM works”** rules which include signer and hash rules for Configuration Manager components to properly function. +2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function. 3. **Allow Managed Installer** (Configuration Manager configured as a managed installer) 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) 5. **Admin-only path rules** for the following locations: @@ -68,7 +68,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: ## Create a custom base policy using an example WDAC base policy -Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs. Alice follows these steps to complete this task: @@ -121,7 +121,7 @@ Alice follows these steps to complete this task: Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules ``` -7. If appropriate, add additional signer or file rules to further customize the policy for your organization. +7. If appropriate, add more signer or file rules to further customize the policy for your organization. 8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: @@ -142,7 +142,7 @@ At this point, Alice now has an initial policy that is ready to deploy in audit In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: - **Users with administrative access**
- By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. + By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish. Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 348fbacaf2..65565ec200 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -40,9 +40,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must > [!NOTE] > When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. -1. Be sure that a Windows Defender Application Control policy is currently deployed in audit mode on the computer on which you will run Package Inspector. +1. Be sure that a Windows Defender Application Control policy is currently deployed in audit mode on the computer on which you'll run Package Inspector. - Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. + Package Inspector doesn't always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. > [!NOTE] > This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it. @@ -58,7 +58,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must By copying the installation media to the local drive, you ensure that Package Inspector detects and catalogs the actual installer. If you skip this step, the future WDAC policy may allow the application to run but not to be installed. -4. Install the application. Install it to the same drive that the application installer is located on (the drive you are scanning). Also, while Package Inspector is running, do not run any installations or updates that you don't want to capture in the catalog. +4. Install the application. Install it to the same drive that the application installer is located on (the drive you're scanning). Also, while Package Inspector is running, don't run any installations or updates that you don't want to capture in the catalog. > [!IMPORTANT] > Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time. @@ -71,9 +71,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must This step is necessary to ensure that the scan has captured all binaries. -8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it is updated, and then close and reopen the application. +8. As appropriate, with Package Inspector still running, repeat the process for another application that you want in the catalog. Copy the installation media to the local drive, install the application, ensure it's updated, and then close and reopen the application. -9. When you have confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate. +9. When you've confirmed that the previous steps are complete, use the following commands to generate the catalog and definition files on your computer's desktop. The filenames used in these example commands are **LOBApp-Contoso.cat** (catalog file) and **LOBApp.cdf** (definition file)—substitute different filenames as appropriate. For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:. @@ -98,22 +98,22 @@ Packages can fail for the following reasons: - Package is too large for default USN Journal or Event Log sizes - To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop - - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start) + - Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this USN was the most recent one when you ran PackageInspector start) - `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt` - ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow - For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help - To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small) - To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously) - Package files that change hash each time the package is installed - - Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector + - Package Inspector is incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this hash-change by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package won't work with Package Inspector - Files with an invalid signature blob or otherwise "unhashable" files - This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec. - - Windows Defender Application Control uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it) - - Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector) + - Windows Defender Application Control uses Authenticode Hashes to validate files when they're running. If the file is unhashable via the authenticode SIP, there's no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it) + - Recent versions of InstallShield packages that use custom actions can hit this condition. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector) ## Catalog signing with SignTool.exe -To sign a catalog file you generated by using PackageInspector.exe, you need the following: +To sign a catalog file you generated by using PackageInspector.exe, you need: - SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later) @@ -148,15 +148,15 @@ To sign the existing catalog file, copy each of the following commands into an e 5. Copy the catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}. - For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager. Doing this also simplifies the management of catalog versions. + For testing purposes, you can manually copy signed catalog files to their intended folder. For large-scale implementations, to copy the appropriate catalog files to all desired computers, we recommend that you use Group Policy File Preferences or an enterprise systems management product such as Microsoft Endpoint Configuration Manager, which also simplifies the management of catalog versions. ## Add a catalog signing certificate to a Windows Defender Application Control policy After the catalog file is signed, add the signing certificate to a WDAC policy, as described in the following steps. -1. If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. +1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect. -2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: +2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you'll later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` @@ -212,9 +212,9 @@ To simplify the management of catalog files, you can use Group Policy preference **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\LOBApp-Contoso.cat** - For the catalog file name, use the name of the catalog you are deploying. + For the catalog file name, use the name of the catalog you're deploying. -10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Doing this ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. +10. On the **Common** tab of the **New File Properties** dialog box, select the **Remove this item when it is no longer applied** option. Enabling this option ensures that the catalog file is removed from every system, in case you ever need to stop trusting this application. 11. Click **OK** to complete file creation. @@ -224,7 +224,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s ## Deploy catalog files with Microsoft Endpoint Configuration Manager -As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: +As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files and provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files: >[!NOTE] >The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization. @@ -263,7 +263,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c 7. Accept the defaults for the rest of the wizard, and then close the wizard. -After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you just created to a test collection: +After you create the deployment package, deploy it to a collection so that the clients will receive the catalog files. In this example, you deploy the package you created to a test collection: 1. In the Software Library workspace, navigate to Overview\\Application Management\\Packages, right-click the catalog file package, and then click **Deploy**. @@ -335,9 +335,9 @@ When catalog files have been deployed to the computers within your environment, 8. Click **OK**. -9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. +9. Now that you've created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files. -At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: +At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you'll be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps: 1. Open the Configuration Manager console, and select the Assets and Compliance workspace. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 010247f3ee..dbe28e8b2a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: +Prior to Windows 10 1903, Windows Defender Application Control only supported a single active policy on a system at any given time. This limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy @@ -49,11 +49,11 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a - Multiple base policies: intersection - Only applications allowed by both policies run without generating block events - Base + supplemental policy: union - - Files that are allowed by either the base policy or the supplemental policy are not blocked + - Files that are allowed by either the base policy or the supplemental policy aren't blocked ## Creating WDAC policies in Multiple Policy Format -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format. ```powershell New-CIPolicy -MultiplePolicyFormat -ScanPath "
-However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. +However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP. -See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability. +For more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). > [!NOTE] > WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 2efe41d1ae..287aba1869 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -88,6 +88,8 @@ Configuration Manager doesn't remove policies once deployed. To stop enforcement For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager). +Download the entire [WDAC in Configuration Manager lab paper](https://download.microsoft.com/download/c/f/d/cfd6227c-8ec4-442d-8c50-825550d412f6/WDAC-Deploy-WDAC-using-MEMCM.pdf). + ## Deploy custom WDAC policies using Packages/Programs or Task Sequences Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md index 200bac9e6a..407a00c553 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md @@ -29,14 +29,14 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md). -You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. +You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC, which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. ## Use Intune's built-in policies Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run: - Windows components -- 3rd party hardware and software kernel drivers +- Third-party hardware and software kernel drivers - Microsoft Store-signed apps - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG) @@ -68,7 +68,7 @@ The steps to use Intune's custom OMA-URI functionality are: 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: - **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - **Data type**: Base64 - - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. + - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. > [!div class="mx-imgBorder"] >  @@ -78,13 +78,13 @@ The steps to use Intune's custom OMA-URI functionality are: ### Remove WDAC policies on Windows 10 1903+ -Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot. +Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This deletion will prevent anything from being blocked and fully remove the WDAC policy on the next reboot. ### For pre-1903 systems #### Deploying policies -The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: +The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: 1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. @@ -100,4 +100,4 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke #### Removing policies -Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy. +Policies deployed through Intune via the AppLocker CSP can't be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 7f04db97e1..0c7726f27d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -33,7 +33,7 @@ This topic covers how to disable unsigned or signed WDAC policies. ## Disable unsigned Windows Defender Application Control policies -There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: +There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: - <EFI System Partition>\\Microsoft\\Boot\\ - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ @@ -43,7 +43,7 @@ There may come a time when an administrator wants to disable a Windows Defender ## Disable signed Windows Defender Application Control policies within Windows -Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. +Signed policies protect Windows from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. > [!NOTE] > For reference, signed WDAC policies should be replaced and removed from the following locations: @@ -68,7 +68,7 @@ Signed policies protect Windows from administrative manipulation as well as malw 5. Restart the client computer. -If the signed Windows Defender Application Control policy has been deployed using by using Group Policy, you must complete the following steps: +If the signed Windows Defender Application Control policy has been deployed by using Group Policy, you must complete the following steps: 1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. @@ -90,7 +90,7 @@ If the signed Windows Defender Application Control policy has been deployed usin ## Disable signed Windows Defender Application Control policies within the BIOS -There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: +There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it's important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: - <EFI System Partition>\\Microsoft\\Boot\\ - <OS Volume>\\Windows\\System32\\CodeIntegrity\\ diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index e96c186076..4caa7844ea 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -91,7 +91,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Event ID 3099 Options -The Application Control policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. +The Application Control policy rule option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. - Access Event Viewer. - Access the Code integrity 3099 event. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 4edab9bde3..751028a760 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -36,8 +36,8 @@ ms.topic: overview | Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | | Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | | Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available | -| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | +| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions aren't supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | | COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available | | Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ | -| Enforceable file types |
- Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- Executable files: .exe and .com
- [Optional] DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- Executable files: .exe and .com
- [Optional] DLLs: .dll, .rll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | -| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. | -| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Windows Defender Application Control deployment, only approved applications can run. This is because of protections offered by WDAC. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | +| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request for more software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. | +| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Windows Defender Application Control deployment, only approved applications can run. This rule is because of protections offered by WDAC. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control doesn't apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | ## An introduction to Lamna Healthcare Company -In the next set of topics, we will explore each of the above scenarios using a fictional organization called Lamna Healthcare Company. +In the next set of topics, we'll explore each of the above scenarios using a fictional organization called Lamna Healthcare Company. Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Endpoint Manager to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response. -Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control. +Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized many new security IT responses, including tightening policies for application use and introducing application control. ## Up next -- [Create a Windows Defender Application Control policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) +- [Create a Windows Defender Application Control policy for lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index 9729e7515d..406209261e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -44,15 +44,15 @@ You should consider using Windows Defender Application Control as part of your o ## Decide what policies to create -Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. +Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This concurrent application opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust," we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. -Configuration Manager uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. +Configuration Manager uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This process establishes the "circle-of-trust" for Configuration Manager's native WDAC integration. -The following questions can help you plan your Windows Defender Application Control deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order, and are not meant to be an exhaustive set of design considerations. +The following questions can help you plan your Windows Defender Application Control deployment and determine the right "circle-of-trust" for your policies. They aren't in priority or sequential order, and aren't meant to be an exhaustive set of design considerations. ## WDAC design considerations @@ -74,11 +74,11 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p | Possible answers | Design considerations | | - | - | | All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | -| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | +| Apps used in your organization don't need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. | ### Are there specific groups in your organization that need customized application control policies? -Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. +Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. Consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There's overhead in managing policies that might lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | @@ -91,12 +91,12 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as simply as possible.| +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are constructed as possible.| | No | Consider a focused and phased deployment for specific groups by using few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | ### Does your organization have Help Desk support? -Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. +Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow isn't hampered. | Possible answers | Design considerations | | - | - | diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index fcb3a32077..b84336abab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,6 +1,6 @@ --- title: Use code signing to simplify application control for classic Windows applications (Windows) -description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods. +description: With embedded signing, your WDAC policies typically don't have to be updated when an app is updated. To set up this embedded signing, you can choose from various methods. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -33,13 +33,13 @@ This topic covers guidelines for using code signing control classic Windows apps ## Reviewing your applications: application signing and catalog files -Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. +Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This purpose means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed. -Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing). +Catalog files can be useful for unsigned LOB applications that can't easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically don't have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing). -To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods: +To obtain signed applications or embed signatures in your in-house applications, you can choose from various methods: -- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own. +- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll up to our certificate authority (CA) or to your own. - Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers. @@ -53,11 +53,11 @@ To use catalog signing, you can choose from the following options: ### Catalog files -Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application. +Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you don't want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application. -Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. +Catalog files are Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also. -After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. +After you've created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files. > [!NOTE] > Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 and Windows 11 Enterprise, Windows 10 and Windows 11 Education, Windows 2016 Server, or Windows Enterprise IoT. @@ -66,8 +66,8 @@ For procedures for working with catalog files, see [Deploy catalog files to supp ## Windows Defender Application Control policy formats and signing -When you generate a Windows Defender Application Control policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. +When you generate a Windows Defender Application Control policy, you're generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file. We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command. -When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy. +When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add more protection against administrative users changing or removing the policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index af2a34ff3e..3200f16f8f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -29,20 +29,20 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. +Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies can't be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this idea of the policies in mind, it's much more difficult to remove signed WDAC policies. SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. -If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. +If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. -Before PKCS #7-signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.
Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it's constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| | Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| -| Create a rule that requests authentication for all network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create a rule that requests authentication for all network traffic.
**Important:** As in an isolated domain, don't set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | -Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. +Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md index 4c9332aa61..db9e5235c2 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md @@ -25,26 +25,26 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). +This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that isn't part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md). -The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. +The GPOs for isolated servers are similar to those GPOs for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server. **Checklist: Configuring rules for isolated servers** | Task | Reference | | - | - | -| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) | | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) | -| Create a rule that requests authentication for all inbound network traffic.
**Important:** Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create a rule that requests authentication for all inbound network traffic.
**Important:** As in an isolated domain, don't set the rules to require authentication until your testing is complete. That way, if the rules don't work as expected, communications aren't affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| | Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) | -| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| +| Create a firewall rule that allows inbound network traffic only if it's authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| -Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. +Don't change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested. diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md index 4fa942aac8..7e7fc7b158 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md @@ -27,16 +27,16 @@ ms.technology: windows-sec The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain. -Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. +Rules for the boundary zone are typically the same as those rules for the isolated domain, with the exception that the final rule is left to only request, not require, authentication. **Checklist: Configuring boundary zone rules** -This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs. +This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you don't change the rule from request authentication to require authentication when you create the other GPOs. | Task | Reference | | - | - | -| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | -| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy isn't changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) | +| If you're working on a copy of a GPO, modify the group memberships and WMI filters so that they're correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| | Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md index f543b9606f..1d42ae70b6 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md @@ -27,16 +27,16 @@ ms.technology: windows-sec This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain. -Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. +Rules for the encryption zone are typically the same as those rules for the isolated domain, with the exception that the main rule requires encryption in addition to authentication. **Checklist: Configuring encryption zone rules** -This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. +This checklist assumes that you've already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain. | Task | Reference | | - | - | | Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Modify the group memberships and WMI filters so that they're correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md index e5e7186579..4f86220ff8 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md @@ -31,8 +31,8 @@ The following checklists include tasks for configuring connection security rules | Task | Reference | | - | - | -| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| -| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| Create a GPO for the computers in the isolated domain running one of the operating systems. After you've finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| If you're working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they're correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| @@ -44,4 +44,4 @@ The following checklists include tasks for configuring connection security rules | Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| -Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. +Don't change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly. diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md index 1796cc336e..373174d887 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md @@ -25,7 +25,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group. +To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the end by making GPO assignments as easy as dropping a device into a membership group. The checklists for firewall, domain isolation, and server isolation include a link to this checklist. @@ -35,19 +35,19 @@ For most GPO deployment tasks, you must determine which devices must receive and ## About exclusion groups -A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. +A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that can't or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it's easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers. -You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. +You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To use the group as an exclusion group, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones. **Checklist: Creating Group Policy objects** | Task | Reference | | - | - | | Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| -| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| +| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.
If some devices in the membership group are running an operating system that doesn't support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that can't be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| | Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) | | Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) | | Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) | -| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | +| If you're working on a GPO that was copied from another, modify the group memberships and WMI filters so that they're correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) | | Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) | diff --git a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md index 62905bf49e..b6369d7c01 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md +++ b/windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md @@ -31,13 +31,13 @@ This checklist includes tasks for configuring connection security rules and IPse | Task | Reference | | - | - | -| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| +| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you've finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| | To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) | | Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| | Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| | Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| | Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| | Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| -| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| +| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that can't use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| | Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| | Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index a1183f3f52..5d59df9ccd 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -35,7 +35,7 @@ This parent checklist includes cross-reference links to important concepts about | Task | Reference | | - | - | | Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | -| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | +| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you haven't already deployed a CA on your network.| | | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| | On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 3090ba97d5..c484d2eec0 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md @@ -1,6 +1,6 @@ --- title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows) -description: Use these tasks to create a server isolation policy design that is not part of an isolated domain. See references to concepts and links to other checklists. +description: Use these tasks to create a server isolation policy design that isn't part of an isolated domain. See references to concepts and links to other checklists. ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3 ms.reviewer: ms.author: dansimp @@ -25,7 +25,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). +This checklist contains procedures for creating a server isolation policy design that isn't part of an isolated domain. For information on the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md). This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. diff --git a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md index 7522322a6f..b16b7adc8a 100644 --- a/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md +++ b/windows/security/threat-protection/windows-firewall/configure-authentication-methods.md @@ -49,29 +49,29 @@ To complete these procedures, you must be a member of the Domain Administrators 3. **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. + 4. **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. 5. **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule. 6. **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - The first authentication method can be one of the following: + The first authentication method can be one of the following methods: - **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used. - - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes. + - **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method isn't recommended, and is included only for backward compatibility and testing purposes. If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - The second authentication method can be one of the following: + The second authentication method can be one of the following methods: - - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently signed-in user by using their domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 isn't supported by IKE v1. - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups. diff --git a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md index 6e18c1001c..d630831fe4 100644 --- a/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md +++ b/windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md @@ -41,23 +41,23 @@ To complete these procedures, you must be a member of the Domain Administrators 4. In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**. -5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following: +5. Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list aren't what you want, then do the following steps: **Important** - In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. + In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This rule means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices. - Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. + Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method is used in the negotiation. Ensure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected. **Note** - When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select. + When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This event happens no matter which Diffie-Hellman key exchange protocol you select. - 1. Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**. + 1. Remove any of the security methods that you don't want by selecting the method and then clicking **Remove**. 2. Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**. >**Caution:** We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only. - 3. After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. + 3. After the list contains only the combinations you want, use the "up" and "down" arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on. 6. From the list on the right, select the key exchange algorithm that you want to use. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md index c7c3f8fafc..00d5f4cd23 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md @@ -1,6 +1,6 @@ --- title: Configure the Rules to Require Encryption (Windows) -description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that do not use encryption for zones that require encryption. +description: Learn how to configure rules to add encryption algorithms and delete the algorithm combinations that don't use encryption for zones that require encryption. ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0 ms.reviewer: ms.author: dansimp @@ -20,7 +20,7 @@ ms.technology: windows-sec # Configure the Rules to Require Encryption -If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption. +If you're creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that don't use encryption. **Administrative credentials** @@ -46,9 +46,9 @@ To complete this procedure, you must be a member of the Domain Administrators gr 9. Click **Require encryption for all connection security rules that use these settings**. - This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone. + This setting disables the data integrity rules section. Ensure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone won't be able to connect to devices in this zone. -10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). +10. If you need to add an algorithm combination, click **Add** and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md). **Note** Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell. @@ -57,6 +57,6 @@ To complete this procedure, you must be a member of the Domain Administrators gr For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) -11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. +11. During negotiation, algorithm combinations are proposed in the order shown in the list. Ensure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support. 12. Click **OK** three times to save your changes. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md index c7d71a4f26..763858cb1e 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md @@ -43,11 +43,11 @@ To complete these procedures, you must be a member of the Domain Administrators 2. Under **Logging**, click **Customize**. - 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. + 3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this path, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location. >**Important:** The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file. - 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. + 4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this size, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file won't grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones. 5. No logging occurs until you set one of following two options: @@ -58,4 +58,4 @@ To complete these procedures, you must be a member of the Domain Administrators 6. Click **OK** twice. ### Troubleshooting Slow Log Ingestion -If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this will result in more resource usage due to the increased resource usage for log rotation. +If logs are slow to appear in Sentinel, you can turn down the log file size. Just beware that this downsizing will result in more resource usage due to the increased resource usage for log rotation. diff --git a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index f0c5bb8bdf..ae802dff45 100644 --- a/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md @@ -52,4 +52,4 @@ To complete these procedures, you must be a member of both the Domain Admins gro 10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**. -11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**. +11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you configured, and then click **OK**. diff --git a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md index 9a23ea1f28..da729a7b63 100644 --- a/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md +++ b/windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md @@ -1,6 +1,6 @@ --- title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows) -description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked +description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Blocked ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b ms.reviewer: ms.author: dansimp @@ -29,7 +29,7 @@ To configure Windows Defender Firewall with Advanced Security to suppress the di >**Caution:** If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail. -We recommend that you do not enable these settings until you have created and tested the required rules. +We recommend that you don't enable these settings until you've created and tested the required rules. **Administrative credentials** @@ -51,6 +51,6 @@ To complete these procedures, you must be a member of the Domain Administrators 4. Under **Rule merging**, change **Apply local firewall rules** to **No**. - 5. Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. + 5. Although a connection security rule isn't a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you're planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**. 6. Click **OK** twice. diff --git a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md index 16fa98ba4f..a3b8bcee88 100644 --- a/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md +++ b/windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md @@ -49,7 +49,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr 8. Type the new name, and then press ENTER. -9. You must change the security filters to apply the policy to the correct group of devices. To do this, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. +9. You must change the security filters to apply the policy to the correct group of devices. To change the security filters, click the **Scope** tab, and in the **Security Filtering** section, select the group that grants permissions to all members of the isolated domain, for example **CG\_DOMISO\_IsolatedDomain**, and then click **Remove**. 10. In the confirmation dialog box, click **OK**. @@ -57,4 +57,4 @@ To complete this procedure, you must be a member of the Domain Administrators gr 12. Type the name of the group that contains members of the boundary zone, for example **CG\_DOMISO\_Boundary**, and then click **OK**. -13. If required, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. +13. If necessary, change the WMI filter to one appropriate for the new GPO. For example, if the original GPO is for client devices running Windows 10 or Windows 11, and the new boundary zone GPO is for devices running Windows Server 2016, then select a WMI filter that allows only those devices to read and apply the GPO. diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md index e38e364c07..11f38ec926 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md @@ -45,13 +45,13 @@ To create an outbound port rule 5. On the **Program** page, click **All programs**, and then click **Next**. -6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number. +6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number. - If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it. + If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. - When you have configured the protocols and ports, click **Next**. + When you've configured the protocols and ports, click **Next**. 7. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 6e4429688b..4d05d75092 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md @@ -20,7 +20,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. +To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. **Administrative credentials** @@ -77,7 +77,7 @@ In this topic: 3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. -4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service does not appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. +4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. 5. Click **OK**, and then click **Next**. diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 502b0b5b91..7f460e4af8 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -45,7 +45,7 @@ Package family names can be retrieved by running the Get-AppxPackage command fro [Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell) Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. -Default ia All. +Default is All. [Learn more](/windows/client-management/mdm/firewall-csp#servicename) @@ -67,9 +67,9 @@ Comma separated list of ranges. For example, *100-120,200,300-320*. Default is A [Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges) ## Local addresses -Comma separated list of local addresses covered by the rule. Valid tokens include: -- \* indicates any local address. If present, this must be the only token included. -- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255. +Comma-separated list of local addresses covered by the rule. Valid tokens include: +- \* indicates any local address. If present, this token must be the only one included. +- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255. - A valid IPv6 address. - An IPv4 address range in the format of "start address-end address" with no spaces included. - An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. @@ -78,7 +78,7 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ ## Remote addresses List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include: -- \* indicates any remote address. If present, this must be the only token included. +- \* indicates any remote address. If present, this token must be the only one included. - Defaultgateway - DHCP - DNS @@ -103,7 +103,7 @@ Indicates whether edge traversal is enabled or disabled for this rule. The EdgeT [Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal) ## Authorized users -Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. Default is all users. +Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users. [Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist) diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index 7e365c2fbf..a245dc4589 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -32,17 +32,17 @@ The information that you gather will help you answer the following questions. Th - What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs? -- What traffic on the network cannot be protected by IPsec because the devices or devices sending or receiving the traffic do not support IPsec? +- What traffic on the network can't be protected by IPsec because the devices or devices sending or receiving the traffic don't support IPsec? - For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required? -- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use. +- Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you don't, then you can't use Group Policy for easy mass deployment of your firewall and connection security rules. You also can't easily take advantage of Kerberos V5 authentication that all domain clients can use. -- Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain? +- Which devices must be able to accept unsolicited inbound connections from devices that aren't part of the domain? - Which devices contain data that must be encrypted when exchanged with another computer? -- Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices? +- Which devices contain sensitive data to which access must be restricted to authorized users and devices? - Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall? diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index cdbb54af14..8ba54573da 100644 --- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -20,7 +20,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this communication can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. >**Note:** In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. @@ -47,7 +47,7 @@ When a device is considered trusted, other trusted devices can reasonably assume Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. -A possible list of technology requirements might include the following: +A possible list of technology requirements might include: - **Operating system.** A trusted client device should run at least Windows Vista. A trusted server should run at least Windows Server 2008. @@ -75,7 +75,7 @@ For each device that is assigned a trustworthy status, make an accompanying conf Generally, trustworthy devices fall into one of the following two groups: -- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement. +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, more configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement. - **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: @@ -83,9 +83,9 @@ Generally, trustworthy devices fall into one of the following two groups: - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, can't be considered trusted until these applications are installed and active. - - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. + - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or another software that forces the required hardware upgrade. For example, security software might require more hard disk space on the device. - - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. For example, a device that can't run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. For example, a device that can't run a secure operating system because it has an old processor (such as a 100 megahertz \[MHz\] x86-based device). Use these groups to assign costs for implementing the solution on the devices that require upgrades. @@ -101,9 +101,9 @@ During the process of categorizing an organization's devices, you'll identify so There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: -- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). +- **Devices that run unsupported versions of Windows.** These versions include Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). -- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain. +- **Stand-alone devices.** Devices running any version of Windows which are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain. - **Devices in an untrusted domain.** A device that is a member of a domain that isn't trusted by an organization's IT department can't be classified as trusted. An untrusted domain is a domain that can't provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities can't be fully guaranteed when devices aren't in a trusted domain. @@ -139,6 +139,6 @@ The device SERVER001 is "trustworthy" because it meets the hardware requirements With the other information that you've gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. -The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. +The costs identified in this section only capture the projected cost of the device upgrades. Many more design, support, test, and training costs should be accounted for in the overall project plan. **Next:** [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index 4b52443989..2215134491 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md @@ -20,7 +20,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: +Generally, the task of determining zone membership isn't complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here: | Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group | | - | - | - | - | - | - | diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index d3e12bfc41..2370992ec2 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -30,11 +30,11 @@ The following illustration shows the traffic protection needed for this design e  -1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. +1. All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that isn't authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule. -2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which are not members of Woodgrove Bank's domain. +2. The servers hosting the WGPartner programs must be able to receive unsolicited inbound traffic from devices owned by its partners, which aren't members of Woodgrove Bank's domain. -3. Client devices can initiate non-authenticated outbound communications with devices that are not members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. +3. Client devices can initiate non-authenticated outbound communications with devices that aren't members of the domain, such as browsing external Web sites. Unsolicited inbound traffic from non-domain members is blocked. 4. Devices in the encryption zone require that all network traffic inbound and outbound must be encrypted, in addition to the authentication already required by the isolated domain. @@ -46,13 +46,13 @@ The following illustration shows the traffic protection needed for this design e Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices on its network. -Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. +Setting up groups as described here ensures that you don't have to know what operating system a computer is running before assigning it to a group. As in the firewall policy design, a combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. -The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, simply add the device's account in the appropriate group. +The following groups were created by using the Active Directory Users and Computers MMC snap-in, all devices that run Windows were added to the correct groups, and then the appropriate GPO are applied to the group. To include a device in the isolated domain or any one of its subordinate zones, add the device's account in the appropriate group. -- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO does not apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. +- **CG\_DOMISO\_ISOLATEDDOMAIN**. The members of this group participate in the isolated domain. After an initial pilot period, followed by a slowly increasing group membership, the membership of this group was eventually replaced with the entry **Domain Computers** to ensure that all devices in the domain participate by default. The WMI filters ensure that the GPO doesn't apply to domain controllers. GPOs with connection security rules to enforce domain isolation behavior are linked to the domain container and applied to the devices in this group. Filters ensure that each computer receives the correct GPO for its operating system type. The rules in the domain isolation GPO require Kerberos v5 authentication for inbound network connections, and request (but not require) it for all outbound connections. -- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that cannot participate in domain isolation, such as a DHCP server running UNIX, is added to this group. +- **CG\_DOMISO\_NO\_IPSEC**. This group is denied read or apply permissions on any of the domain isolation GPOs. Any computer that can't participate in domain isolation, such as a DHCP server running UNIX, is added to this group. - **CG\_DOMISO\_BOUNDARY**. This group contains the computer accounts for all the devices that are part of the boundary group able to receive unsolicited inbound traffic from untrusted devices. Members of the group receive a GPO that configures connection security rules to request (but not require) both inbound and outbound authentication. diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index ac3e4beadc..50640ef245 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md @@ -22,37 +22,37 @@ ms.technology: windows-sec In the domain isolation policy design, you configure the devices on your network to accept only connections coming from devices that are authenticated as members of the same isolated domain. -This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After implementing the new rules, your devices reject unsolicited network traffic from devices that are not members of the isolated domain. +This design typically begins with a network configured as described in the [Basic Firewall Policy Design](basic-firewall-policy-design.md) section. For this design, you then add connection security and IPsec rules to configure devices in the isolated domain to accept only network traffic from other devices that can authenticate as a member of the isolated domain. After the new rules are implemented, your devices reject unsolicited network traffic from devices that aren't members of the isolated domain. The isolated domain might not be a single Active Directory domain. It can consist of all the domains in a forest, or domains in separate forests that have two-way trust relationships configured between them. -By using connection security rules based on IPsec, you provide a logical barrier between devices even if they are connected to the same physical network segment. +By using connection security rules based on IPsec, you provide a logical barrier between devices even if they're connected to the same physical network segment. The design is shown in the following illustration, with the arrows that show the permitted communication paths.  -Characteristics of this design, as shown in the diagram, include the following: +Characteristics of this design, as shown in the diagram, include: -- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This includes unauthenticated traffic to devices that are not in the isolated domain. Devices that cannot join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). +- Isolated domain (area A) - Devices in the isolated domain receive unsolicited inbound traffic only from other members of the isolated domain or from devices referenced in authentication exemption rules. Devices in the isolated domain can send traffic to any device. This traffic includes unauthenticated traffic to devices that aren't in the isolated domain. Devices that can't join an Active Directory domain, but that can use certificates for authentication, can be part of the isolated domain. For more info, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). - Boundary zone (area B) - Devices in the boundary zone are part of the isolated domain but are allowed to accept inbound connections from untrusted devices, such as clients on the Internet. - Devices in the boundary zone request but do not require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member the traffic is authenticated. When a device that is not part of the isolated domain communicates with a boundary zone member the traffic is not authenticated. + Devices in the boundary zone request but don't require authentication to communicate. When a member of the isolated domain communicates with a boundary zone member, the traffic is authenticated. When a device that isn't part of the isolated domain communicates with a boundary zone member the traffic isn't authenticated. Because boundary zone devices are exposed to network traffic from untrusted and potentially hostile devices, they must be carefully managed and secured. Put only the devices that must be accessed by external devices in this zone. Use firewall rules to ensure that network traffic is accepted only for services that you want exposed to non-domain member devices. -- Trusted non-domain members (area C) - Devices on the network that are not domain members or that cannot use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. +- Trusted non-domain members (area C) - Devices on the network that aren't domain members or that can't use IPsec authentication are allowed to communicate by configuring authentication exemption rules. These rules enable devices in the isolated domain to accept inbound connections from these trusted non-domain member devices. -- Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. +- Untrusted non-domain members (area D) - Devices that aren't managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. -After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. +After this design is implemented, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. > [!IMPORTANT] > This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. -In order to expand the isolated domain to include Devices that cannot be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). +In order to expand the isolated domain to include Devices that can't be part of an Active Directory domain, see the [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md). For more info about this design: diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index c17b29ef65..307d2e17e0 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -20,7 +20,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -36,6 +36,6 @@ To deploy predefined firewall rules that allow inbound network traffic for commo 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they are all selected. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. By default, they're all selected. For rules that you don't want to deploy, clear the check boxes next to the rules, and then click **Next**. 6. On the **Action** page, select **Allow the connection**, and then click **Finish**. diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 782c3d49fc..d0ee50b518 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md @@ -20,7 +20,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. +By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically doesn't enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Using this advantage helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use. **Administrative credentials** @@ -36,7 +36,7 @@ To deploy predefined firewall rules that block outbound network traffic for comm 4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Predefined**, select the rule category from the list, and then click **Next**. -5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They are all selected by default. For rules that you do not want to deploy, clear the check boxes next to the rules, and then click **Next**. +5. On the **Predefined Rules** page, the list of rules defined in the group is displayed. They're all selected by default. For rules that you don't want to deploy, clear the check boxes next to the rules, and then click **Next**. 6. On the **Action** page, select **Block the connection**, and then click **Finish**. diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index f246825b19..90e93ba044 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -22,6 +22,6 @@ ms.technology: windows-sec Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. -The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. +The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. - [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 8a6dd9db87..3427f8825c 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -1,6 +1,6 @@ --- title: Encryption Zone (Windows) -description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. +description: Learn how to create an encryption zone to contain devices that host sensitive data and require that the sensitive network traffic be encrypted. ms.reviewer: ms.author: dansimp ms.prod: m365-security @@ -20,18 +20,18 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. +Some servers in the organization host data that's sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it's transferred between devices. -To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted. +To support the other security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted. -You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. +You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those settings and rules for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section. ## GPO settings for encryption zone servers running at least Windows Server 2008 -The GPO for devices that are running at least Windows Server 2008 should include the following: +The GPO for devices that are running at least Windows Server 2008 should include: - IPsec default settings that specify the following options: @@ -39,11 +39,11 @@ The GPO for devices that are running at least Windows Server 2008 should includ 2. Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems. - 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. + 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems. If any NAT devices are present on your networks, use ESP encapsulation.. - 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. + 4. Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers, then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members can't use Kerberos V5 authentication, then you must include certificate-based authentication as an optional authentication method. - The following connection security rules: @@ -52,7 +52,7 @@ The GPO for devices that are running at least Windows Server 2008 should includ - A connection security rule, from any IP address to any, that requires inbound and requests outbound authentication using the default authentication specified earlier in this policy. **Important** - Be sure to begin operations by using request in and request out behavior until you are sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. + Be sure to begin operations by using request in and request out behavior until you're sure that all the devices in your IPsec environment are communicating successfully by using IPsec. After confirming that IPsec is operating as expected, you can change the GPO to require in, request out. diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index a150d214f5..487eb1a25d 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -20,23 +20,23 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. +When you implement a server and domain isolation security model in your organization, you're likely to find more challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers can't require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. -In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. +In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices can't use IPsec to access, which would be added to the exemption list. Generally, the following conditions are reasons to consider adding a device to the exemption list: -- If the device must be accessed by trusted devices but it does not have a compatible IPsec implementation. +- If the device must be accessed by trusted devices but it doesn't have a compatible IPsec implementation. -- If the device must provide services to both trusted and untrusted devices, but does not meet the criteria for membership in the boundary zone. +- If the device must provide services to both trusted and untrusted devices, but doesn't meet the criteria for membership in the boundary zone. -- If the device must be accessed by trusted devices from different isolated domains that do not have an Active Directory trust relationship established with each other. +- If the device must be accessed by trusted devices from different isolated domains that don't have an Active Directory trust relationship established with each other. - If the device is a domain controller running version of Windows earlier than Windows Server 2008, or if any of its clients are running a version of Windows earlier than Windows Vista. -- If the device must support trusted and untrusted devices, but cannot use IPsec to help secure communications to trusted devices. +- If the device must support trusted and untrusted devices, but can't use IPsec to help secure communications to trusted devices. -For large organizations, the list of exemptions might grow very large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following: +For large organizations, the list of exemptions might grow large if all the exemptions are implemented by one connection security rule for the whole domain or for all trusted forests. If you can require all devices in your isolated domain to run at least Windows Vista or Windows Server 2008, you can greatly reduce the size of this list. A large exemption list has several unwanted effects on every device that receives the GPO, including the following effects: - Reduces the overall effectiveness of isolation. diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index 9ecf89d162..73db668581 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md @@ -24,7 +24,7 @@ Typically, when investigating packet drop events, a customer would use the field The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. -However, the filter ID is not a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This makes the diagnosis process error-prone and difficult. +However, the filter ID isn't a reliable source for tracing back to the filter or the rule, as the filter ID can change for many reasons despite the rule not changing at all. This change in ID makes the diagnosis process error-prone and difficult. For customers to debug packet drop events correctly and efficiently, they would need more context about the blocking filter such as its origin. @@ -95,7 +95,7 @@ After identifying the rule that caused the drop, the network admin can now modif **AppContainer loopback** -Network drop events from the AppContainer loopback block filter origin occur when localhost loopback is not enabled properly for the Universal Windows Platform (UWP) app. +Network drop events from the AppContainer loopback block filter origin occur when localhost loopback isn't enabled properly for the Universal Windows Platform (UWP) app. To enable localhost loopback in a local debugging environment, see [Communicating with localhost](/windows/iot-core/develop-your-app/loopback). @@ -103,7 +103,7 @@ To enable localhost loopback for a published app that requires loopback access t **Boottime default** -Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service is not yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it is not possible to add boottime filters through firewall rules. +Network drop events from the boottime default block filter origin occur when the computer is booting up and the firewall service isn't yet running. Services will need to create a boottime allow filter to allow the traffic. It should be noted that it's not possible to add boottime filters through firewall rules. **Quarantine default** @@ -125,9 +125,9 @@ To learn more about the quarantine feature, see [Quarantine behavior](quarantine **Query user default** -Network packet drops from query user default block filters occur when there is no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but does not have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: +Network packet drops from query user default block filters occur when there's no explicit rule created to allow an inbound connection for the packet. When an application binds to a socket but doesn't have a corresponding inbound rule to allow packets on that port, Windows generates a pop up for the user to allow or deny the app to receive packets on the available network categories. If the user clicks to deny the connection in this popup, subsequent inbound packets to the app will be dropped. To resolve the drops: -1. Create an inbound firewall rule to allow the packet for this application. This will allow the packet to bypass any query user default block filters. +1. Create an inbound firewall rule to allow the packet for this application. This packet will allow the packet to bypass any query user default block filters. 2. Delete any block query user rules that may have been auto generated by the firewall service. @@ -141,7 +141,7 @@ Get-NetFirewallRule | Where {$_.Name -like "*Query User*"} The query user pop-up feature is enabled by default. -To disable the query user pop-up, you can run the following in administrative command prompt: +To disable the query user pop-up, you can run the following command in administrative command prompt: ```Console Netsh set allprofiles inboundusernotification disable @@ -160,10 +160,10 @@ To disable stealth-mode, see [Disable stealth mode in Windows](/troubleshoot/win **UWP default** -Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback is not enabled) or the private range is configured incorrectly. +Network drops from Universal Windows Platform (UWP) default inbound/outbound block filters are often caused by the UWP app not being configured correctly (that is, the UWP app is missing the correct capability tokens or loopback isn't enabled) or the private range is configured incorrectly. For more information on how to debug drops caused by UWP default block filters, see [Troubleshooting UWP App Connectivity Issues](./troubleshooting-uwp-firewall.md). **WSH default** -Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block is not expected. +Network drops from Windows Service Hardening (WSH) default filters indicate that there wasn’t an explicit Windows Service Hardening allow rule to allow network traffic for the protected service. The service owner will need to configure allow rules for the service if the block isn't expected. diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index 9cac69201b..acce618f02 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,6 +1,6 @@ --- title: Firewall GPOs (Windows) -description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. +description: In this example, a Group Policy Object is linked to the domain container because the domain controllers aren't part of the isolated domain. ms.reviewer: ms.author: dansimp ms.prod: m365-security diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index 6152948655..71610970dc 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -26,11 +26,11 @@ Woodgrove Bank has an Active Directory domain that provides Group Policy-based m Woodgrove Bank is in the process of migrating their devices from Windows Vista and Windows Server 2008 to Windows 10 and Windows Server 2016. A significant number of the devices at Woodgrove Bank continue to run Windows Vista and Windows Server 2008. Interoperability between the previous and newer operating systems must be maintained. Wherever possible, security features applied to the newer operating systems must also be applied to the previous operating systems. -A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing — they do not store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. +A key line-of-business program called WGBank consists of a client program running on most of the desktop devices in the organization. This program accesses several front-end server devices that run the server-side part of WGBank. These front-end servers only do the processing—they don't store the data. The data is stored in several back-end database devices that are running Microsoft SQL Server. ## Design requirements -The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted. +The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide another security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that isn't wanted. The following illustration shows the traffic protection needs for this design example. @@ -40,23 +40,23 @@ The following illustration shows the traffic protection needs for this design ex 2. The WGBank front-end servers can receive unsolicited inbound traffic from the client devices and the WGBank partner servers. The WGBank client devices and partner servers can receive the response. -3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients do not poll for this unsolicited traffic, but must be able to receive it. +3. The WGBank front-end servers can send updated information to the client devices to support real-time display. The clients don't poll for this unsolicited traffic, but must be able to receive it. 4. The WGBank back-end servers can receive SQL query requests from the WGBank front-end servers. The WGBank front-end servers can receive the corresponding responses. -5. There is no direct communications between the client devices and the WGBank back-end devices. +5. There's no direct communications between the client devices and the WGBank back-end devices. -6. There is no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. +6. There's no unsolicited traffic from the WGBank back-end devices to the WGBank front-end servers. -7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that do not require an outside server. Firewall rules must block the network traffic created by these programs. +7. Company policy prohibits the use of peer-to-peer file transfer software. A recent review by the IT staff found that although the perimeter firewall does prevent most of the programs in this category from working, two programs are being used by staff members that don't require an outside server. Firewall rules must block the network traffic created by these programs. 8. The WGBank partner servers can receive inbound requests from partner devices through the Internet. Other traffic notes: -- Devices are not to receive any unsolicited traffic from any computer other than specifically allowed above. +- Devices aren't to receive any unsolicited traffic from any computer other than allowed above. -- Other outbound network traffic from the client devices not specifically identified in this example is permitted. +- Other outbound network traffic from the client devices not identified in this example is permitted. ## Design details @@ -77,23 +77,23 @@ Woodgrove Bank uses Active Directory groups and Group Policy Objects to deploy t - DHCP servers that run the UNIX operating system -After evaluating these sets of devices, and comparing them to the Active Directory organizational unit (OU) structure, Woodgrove Bank network administrators determined that there was not a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs will not be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it is applied to the correct devices. +After the Woodgrove Bank network administrators evaluated these sets of devices, and compared them to the Active Directory organizational unit (OU) structure, they determined that there wasn't a good one-to-one match between the OUs and the sets. Therefore the firewall GPOs won't be linked directly to OUs that hold the relevant devices. Instead, the GPOs are linked to the domain container in Active Directory, and then WMI and group filters are attached to the GPO to ensure that it's applied to the correct devices. -Setting up groups as described here ensures that you do not have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. +Setting up groups as described here ensures that you don't have to know what operating system a computer is running before assigning it to a group. A combination of WMI filters and security group filters are used to ensure that members of the group receive the GPO appropriate for the version of Windows running on that computer. For some groups, you might have four or even five GPOs. The following groups were created by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and all devices that run Windows were added to the correct groups: - **CG\_FIREWALL\_ALLCOMPUTERS**. Add the predefined and system managed **Domain computers** group as a member of this group. All members of the FIREWALL\_ALLCOMPUTERS group receive an operating system-specific GPO with the common firewall rules applied to all devices. - The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. + The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also has security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs. - Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound. - - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices. + - Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update aren't included, because it's not needed on server devices. All rules are scoped to allow network traffic only from devices on Woodgrove Bank's corporate network. -- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group. +- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group don't receive the default firewall GPO. Devices are added to this group if there's a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it's a member of this group. - **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO. @@ -105,7 +105,7 @@ The following groups were created by using the Active Directory Users and Comput - **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO. -In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there. +In your own design, create a group for each computer role in your organization that requires different or more firewall rules. For example, file servers and print servers require more rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there's a security reason not to include it there. **Next:** [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md) diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index db56dcc84e..777d827e77 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -26,7 +26,7 @@ To help you organize your list, individual built-in firewall rules are categoriz - Remote Desktop – User Mode (TCP-In) - Remote Desktop – User-Mode (UDP-In) -Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows admins to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch. +Other group examples include **core networking**, **file and print sharing**, and **network discovery**. Grouping allows administrators to manage sets of similar rules by filtering on categories in the firewall interface (wf.msc). Do this filtering by right-clicking on either **Inbound** or **Outbound Rules** and selecting **Filter by Group**. Optionally, you can use PowerShell using the `Get-NetFirewallRule` cmdlet with the `-Group` switch. ```Powershell Get-NetFirewallRule -Group
This group is used in security group filters to ensure that GPOs with IPsec rules are not applied to group members.| -| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a very small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| +| CG_DOMISO_No_IPsec | A universal group of device accounts that don't participate in the IPsec environment. Typically consists of infrastructure device accounts that will also be included in exemption lists.
This group is used in security group filters to ensure that GPOs with IPsec rules aren't applied to group members.| +| CG_DOMISO_IsolatedDomain | A universal group of device accounts that contains the members of the isolated domain.
During the early days of testing, this group might contain only a small number of devices. During production, it might contain the built-in **Domain Computers** group to ensure that every device in the domain participates.
Members of this group receive the domain isolation GPO that requires authentication for inbound connections.| | CG_DOMISO_Boundary | A universal group of device accounts that contains the members of the boundary zone.
Members of this group receive a GPO that specifies that authentication is requested, but not required.|
| CG_DOMISO_Encryption | A universal group of device accounts that contains the members of the encryption zone.
Members of this group receive a GPO that specifies that both authentication and encryption are required for all inbound connections.
| CG_SRVISO_*ServerRole* | A universal group of device accounts that contains the members of the server isolation group.
Members of this group receive the server isolation GPO that requires membership in a network access group in order to connect.
There will be one group for each set of servers that have different user and device restriction requirements. |
Multiple GPOs might be delivered to each group. Which one actually becomes applied depends on the security group filters assigned to the GPOs in addition to the results of any WMI filtering assigned to the GPOs. Details of the GPO layout are discussed in the section [Planning the GPOs](planning-the-gpos.md).
-If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it is more specific.
+If multiple GPOs are assigned to a group, and similar rules are applied, the rule that most specifically matches the network traffic is the one that is used by the device. For example, if one IPsec rule says to request authentication for all IP traffic, and a second rule from a different GPO says to require authentication for IP traffic to and from a specific IP address, then the second rule takes precedence because it's more specific.
**Next:** [Planning Network Access Groups](planning-network-access-groups.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
index 115c4bc0b4..a46279468a 100644
--- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
+++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md
@@ -26,7 +26,7 @@ Minimize the number of NAGs to limit the complexity of the solution. You need on
The NAGs that you create and populate become active by referencing them in the **Users and Computers** tab of the firewall rules in the GPO assigned to the isolated servers. The GPO must also contain connection security rules that require authentication to supply the credentials checked for NAG membership.
-For the Woodgrove Bank scenario, access to the devices running SQL Server that support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They are also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service.
+For the Woodgrove Bank scenario, access to the devices running SQL Server which support the WGBank application are restricted to the WGBank front-end servers and to approved administrative users logged on to specific authorized administrative devices. They're also only accessed by the approved admin users and the service account that is used to the run the WGBank front end service.
| NAG Name | NAG Member Users, Computers, or Groups | Description |
| - | - | - |
diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
index 7c7ab8b78d..9e0486133d 100644
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
+++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md
@@ -24,13 +24,13 @@ Sometimes a server hosts data that is sensitive. If your servers host data that
The second option is to additionally restrict access to the server, not just to members of the isolated domain, but to only those users or devices who have business reasons to access the resources on the server. You can specify only approved users, or you can additionally specify that the approved users can only access the server from approved devices.
-To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This causes IKE to use Kerberos V5 to exchange credentials with the server. The additional firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device is not a member of a required NAG then the network connection is refused.
+To grant access, you add the approved user and device accounts to network access groups (NAGs) that are referenced in a firewall rule on this server. When the user sends a request to the server, the standard domain isolation rules are invoked. This invocation causes IKE to use Kerberos V5 to exchange credentials with the server. The other firewall rule on the server causes Windows to check the provided device and user accounts for group membership in the NAGs. If either the user or device isn't a member of a required NAG, then the network connection is refused.
## Isolated domains and isolated servers
-If you are using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user.
+If you're using an isolated domain, the client devices already have the IPsec rules to enable them to authenticate traffic when the server requires it. If you add an isolated server, it must have a GPO applied to its group with the appropriate connection security and firewall rules. The rules enforce authentication and restrict access to only connections that are authenticated as coming from an authorized device or user.
-If you are not using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG.
+If you aren't using an isolated domain, but still want to isolate a server that uses IPsec, you must configure the client devices that you want to access the server to use the appropriate IPsec rules. If the client devices are members of an Active Directory domain, you can still use Group Policy to configure the clients. Instead of applying the GPO to the whole domain, you apply the GPO to only members of the NAG.
## Creating multiple isolated server zones
@@ -44,7 +44,7 @@ An isolated server is often a member of the encryption zone. Therefore, copying
### GPO settings for isolated servers running at least Windows Server 2008
-GPOs for devices running at least Windows Server 2008 should include the following:
+GPOs for devices running at least Windows Server 2008 should include:
>**Note:** The connection security rules described here are identical to the ones for the encryption zone. If you do not want to encrypt access and also restrict access to NAG members, you can use connection security rules identical to the main isolated domain. You must still add the firewall rule described at the end of this list to change it into an isolated server zone.
@@ -52,16 +52,16 @@ GPOs for devices running at least Windows Server 2008 should include the follow
1. Exempt all ICMP traffic from IPsec.
- 2. Key exchange (main mode) security methods and algorithm. We recommend that you do not include Diffie-Hellman Group 1, DES, or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
+ 2. Key exchange (main mode) security methods and algorithm. We recommend that you don't include Diffie-Hellman Group 1, DES, or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
- 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
+ 3. Data protection (quick mode) algorithm combinations. Check **Require encryption for all connection security rules that use these settings**, and then specify one or more integrity and encryption combinations. We recommend that you don't include DES or MD5 in any setting. They're included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems.
- If any NAT devices are present on your networks, do not use AH because it cannot traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs.
+ If any NAT devices are present on your networks, don't use AH because it can't traverse NAT devices. If isolated servers must communicate with hosts in the encryption zone, include an algorithm that is compatible with the requirements of the encryption zone GPOs.
- 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Do not make the user-based authentication method mandatory, or else devices that cannot use AuthIP instead of IKE, including Windows XP and Windows Server 2003, cannot communicate. Likewise, if any of your domain isolation members cannot use Kerberos V5, include certificate-based authentication as an optional authentication method.
+ 4. Authentication methods. Include at least device-based Kerberos V5 authentication for compatibility with the rest of the isolated domain. If you want to restrict access to specific user accounts, also include user-based Kerberos V5 authentication as an optional authentication method. Don't make the user-based authentication method mandatory, or else devices that can't use AuthIP instead of IKE, including Windows XP and Windows Server 2003, can't communicate. Likewise, if any of your domain isolation members can't use Kerberos V5, include certificate-based authentication as an optional authentication method.
- The following connection security and firewall rules:
-
+s
- A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
- A connection security rule, from **Any IP address** to **Any IP address**, that requires inbound and requests outbound authentication by using Kerberos V5 authentication.
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
index 5aed4df804..6f5c67f5bd 100644
--- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
+++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
@@ -20,11 +20,11 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
-After you have identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
+After you've identified your requirements, and have the information about the network layout and devices available, you can begin to design the GPO settings and rules that will enable you to enforce your requirements on the devices.
-The following is a list of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis:
+The following list is that of the firewall settings that you might consider for inclusion in a basic firewall design, together with recommendations to serve as a starting point for your analysis:
-- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they are not on the organization's network, you cannot fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization.
+- **Profile selection**. The firewall rules can be configured for any of the network location profiles that you see in the Network and Sharing Center: **Domain**, **Public**, and **Private**. Most settings are enforced in the Domain profile, without an option for the user to change them. However, you might want to leave the profile settings configurable by the user on devices that can be taken from the organization's physical network and joined to a public or home network. If you lock down the public and private profiles, you might prevent a user from accessing a required network program or service. Because they aren't on the organization's network, you can't fix a connectivity problem by deploying rule changes in a GPO. For each section that follows, consider each profile and apply the rules to those profiles that make sense for your organization.
>**Important:** We recommend that on server devices that you set all rules for all profiles to prevent any unexpected profile switch from disrupting network connectivity. You might consider a similar practice for your desktop devices, and only support different profiles on portable devices.
@@ -36,17 +36,17 @@ The following is a list of the firewall settings that you might consider for inc
- **Allow unicast response: Yes**. We recommend that you use the default setting of **Yes** unless you have specific requirements to do otherwise.
-- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows does not create a new firewall rule and the traffic remains blocked.
+- **Apply local firewall rules: Yes**. We recommend that you allow users to create and use local firewall rules. If you set this setting to **No**, then when a user clicks **Allow** on the notification message to allow traffic for a new program, Windows doesn't create a new firewall rule and the traffic remains blocked.
- If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs then you can set this value to **No**.
+ If you and the IT staff can create and maintain the list of firewall rules for all permitted applications and deploy them by using GPOs, then you can set this value to **No**.
- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot.
- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions.
-- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port.
+- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program can't receive unexpected traffic on a different port.
- Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they do not open up more ports than are required.
+ Inbound rules are common on servers, because they host services to which client devices connect. When you install programs and services on a server, the installation program typically creates and enables the rules for you. Examine the rules to ensure that they don't open up more ports than are required.
>**Important:** If you create inbound rules that permit RPC network traffic by using the **RPC Endpoint Mapper** and **Dynamic RPC** rule options, then all inbound RPC network traffic is permitted because the firewall cannot filter network traffic based on the UUID of the destination application.
diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
index 054cd6b4c9..c61cc01904 100644
--- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md
@@ -26,7 +26,7 @@ When you plan the GPOs for your different isolation zones, you must complete the
A few things to consider as you plan the GPOs:
-- Do not allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This can result in unexpected, and difficult to troubleshoot behavior.
+- Don't allow a device to be a member of more than one isolation zone. A device in more than one zone receives multiple and possibly contradictory GPOs. This receipt of multiple GPOs can result in unexpected, and difficult to troubleshoot behavior.
The examples in this guide show GPOs that are designed to prevent the requirement to belong to multiple zones.
@@ -43,13 +43,13 @@ A few things to consider as you plan the GPOs:
> [!NOTE]
> Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network type’s profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network.
-After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs.
+After you consider these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs.
## Woodgrove Bank example GPOs
The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section.
-In this section you can find information about the following:
+In this section you can find information about:
- [Firewall GPOs](firewall-gpos.md)
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
index 1bb9e49550..b2922c2dd6 100644
--- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
@@ -38,11 +38,11 @@ The design team's strategy for determining how WMI and security group filters at
### Configure communication between members and devices
-Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that are not part of the isolated domain or members of the isolated domain's exemption list.
+Decide what communication is to be allowed between members of each of the zones in the isolated domain and devices that aren't part of the isolated domain or members of the isolated domain's exemption list.
### Exempt domain controllers from IPsec authentication requirements
-It is recommended that domain controllers are exempt from IPsec authentication requirements. If they are not exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
+It's recommended that domain controllers are exempt from IPsec authentication requirements. If they aren't exempt and authentication fails, then domain clients might not be able to receive Group Policy updates to the IPsec connection security rules from the domain controllers.
### Configure IPsec authentication rules
@@ -58,7 +58,7 @@ For all devices to communicate with each other, they must share a common set of:
- Quick mode data integrity algorithms
-If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
+If at least one set of each doesn't match between two devices, then the devices can't successfully communicate.
## Deploy your Windows Firewall Design Plan
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index c88257ead5..3c54199363 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -20,17 +20,17 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
-After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs.
+After you've gathered the relevant information in the previous sections, and understood the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs.
## Basic firewall design
We recommend that you deploy at least the basic firewall design. As discussed in the [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) section, host-based firewalls are an important element in a defense-in-depth strategy and complement most other security measures you put in place in your organization.
-When you are ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section.
+When you're ready to examine the options for firewall policy settings, see the [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) section.
## Algorithm and method support and selection
-To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, as well as their relative strengths.
+To create a domain isolation or server isolation design, you must understand the algorithms available in each version of Windows, and their relative strengths.
## IPsec performance considerations
@@ -45,11 +45,11 @@ Include this design in your plans:
- If you have an Active Directory domain of which most of the devices are members.
-- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that are not part of the domain.
+- If you want to prevent the devices in your organization from accepting any unsolicited network traffic from devices that aren't part of the domain.
-If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you are sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you are troubleshooting.
+If you plan on including the basic firewall design as part of your deployment, we recommend that you deploy the firewall policies first to confirm that they work properly. Also plan to enable your connection security rules in request mode at first, instead of the more restrictive require mode, until you're sure that the devices are all correctly protecting network traffic with IPsec. If something is wrong, request mode still allows communications to continue while you're troubleshooting.
-When you are ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
+When you're ready to examine the options for creating an isolated domain, see the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section.
## Server isolation design
@@ -58,38 +58,38 @@ Include this design in your plans:
- If you have an isolated domain and you want to additionally restrict access to specific servers to only authorized users and devices.
-- You are not deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices.
+- You aren't deploying an isolated domain, but want to take advantage of similar benefits for a few specific servers. You can restrict access to the isolated servers to only authorized users and devices.
-If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the additional server isolation elements.
+If you plan to include domain isolation in your deployment, we recommend that you complete that layer and confirm its correct operation before you implement the other server isolation elements.
-When you are ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section.
+When you're ready to examine the options for isolating servers, see the [Planning Server Isolation Zones](planning-server-isolation-zones.md) section.
## Certificate-based authentication design
Include this design in your plans:
-- If you want to implement some of the elements of domain or server isolation on devices that are not joined to an Active Directory domain, or do not want to use domain membership as an authentication mechanism.
+- If you want to implement some of the elements of domain or server isolation on devices that aren't joined to an Active Directory domain, or don't want to use domain membership as an authentication mechanism.
-- You have an isolated domain and want to include a server that is not a member of the Active Directory domain because the device is not running Windows, or for any other reason.
+- You have an isolated domain and want to include a server that isn't a member of the Active Directory domain because the device isn't running Windows, or for any other reason.
-- You must enable external devices that are not managed by your organization to access information on one of your servers, and want to do this in a secure way.
+- You must enable external devices that aren't managed by your organization to access information on one of your servers in a secure way.
If you plan to include domain or server isolation in your deployment, we recommend that you complete those elements and confirm their correct operation before you add certificate-based authentication to the devices that require it.
-When you are ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section.
+When you're ready to examine the options for using certificate-based authentication, see the [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) section.
## Documenting your design
-After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team.
+After you finish selecting the designs that you'll use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team.
- [Documenting the Zones](documenting-the-zones.md)
## Designing groups and GPOs
-After you have selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you will use to apply the settings and rules to your devices.
+After you've selected a design and assigned your devices to zones, you can begin laying out the isolation groups for each zone, the network access groups for isolated server access, and the GPOs that you'll use to apply the settings and rules to your devices.
-When you are ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
+When you're ready to examine the options for the groups, filters, and GPOs, see the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
**Next:** [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
index ba994c905e..0ae3e5785f 100644
--- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md
@@ -20,13 +20,13 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
-Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall cannot protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable device are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
+Although network perimeter firewalls provide important protection to network resources from external threats, there are network threats that a perimeter firewall can't protect against. Some attacks might successfully penetrate the perimeter firewall, and at that point what can stop it? Other attacks might originate from inside the network, such as malware that is brought in on portable media and run on a trusted device. Portable devices are often taken outside the network and connected directly to the Internet, without adequate protection between the device and security threats.
Reports of targeted attacks against organizations, governments, and individuals have become more widespread in recent years. For a general overview of these threats, also known as advanced persistent threats (APT), see the [Microsoft Security Intelligence Report](https://www.microsoft.com/security/business/security-intelligence-report).
-Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide additional protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it is away from the organization's network.
+Running a host-based firewall on every device that your organization manages is an important layer in a "defense-in-depth" security strategy. A host-based firewall can help protect against attacks that originate from inside the network and also provide extra protection against attacks from outside the network that manage to penetrate the perimeter firewall. It also travels with a portable device to provide protection when it's away from the organization's network.
-A host-based firewall helps secure a device by dropping all network traffic that does not match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits:
+A host-based firewall helps secure a device by dropping all network traffic that doesn't match the administrator-designed rule set for permitted network traffic. This design, which corresponds to [Basic Firewall Policy Design](basic-firewall-policy-design.md), provides the following benefits:
- Network traffic that is a reply to a request from the local device is permitted into the device from the network.
@@ -34,7 +34,7 @@ A host-based firewall helps secure a device by dropping all network traffic that
For example, Woodgrove Bank wants a device that is running SQL Server to be able to receive the SQL queries sent to it by client devices. The firewall policy deployed to the device that is running SQL Server includes firewall rules that specifically allow inbound network traffic for the SQL Server program.
-- Outbound network traffic that is not specifically blocked is allowed on the network.
+- Outbound network traffic that isn't blocked is allowed on the network.
For example, Woodgrove Bank has a corporate policy that prohibits the use of certain peer-to-peer file sharing programs. The firewall policy deployed to the computers on the network includes firewall rules that block both inbound and outbound network traffic for the prohibited programs. All other outbound traffic is permitted.
@@ -42,6 +42,6 @@ The following component is recommended for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more Group Policy objects (GPOs) that can be automatically applied to all relevant computers in the domain.
-Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to very large organizations.
+Other means of deploying a firewall policy are available, such as creating scripts that use the netsh command-line tool, and then running those scripts on each computer in the organization. This guide uses Active Directory as a recommended means of deployment because of its ability to scale to large organizations.
**Next:** [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index 42338ede59..debe26322b 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -17,9 +17,9 @@ ms.technology: windows-sec
One of the security challenges that network admins face is configuring a machine properly after a network change.
-Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities.
+Network changes can happen frequently. Additionally, the operations required to recategorize the network after a change and apply the correct security policies on a machine are non-trivial and may require considerable CPU time. This requirement by operations is especially true for machines that are part of the domain. In the past, the delay in applying security policies during network recategorization has been successfully exploited for vulnerabilities.
-To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine.
+To counter this potential exploitation, Windows Firewall will quarantine an interface until the system has successfully recategorized the network, and Windows Filtering Platform (WFP) has the correct filters applied for the updated interface configuration. During quarantine, all new inbound connections without exceptions are blocked to the machine.
While the quarantine feature has long been a part of Windows Firewall, the feature behavior has often caused confusion for customers unaware of quarantine and its motivations.
@@ -50,7 +50,7 @@ For more information about WFP layers and sublayers, see [WFP Operation](/window
### Quarantine default inbound block filter
-The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet is not explicitly permitted by another filter in the quarantine sublayer.
+The quarantine default inbound block filter effectively blocks any new non-loopback inbound connections if the packet isn't explicitly permitted by another filter in the quarantine sublayer.
### Quarantine default exception filters
@@ -62,9 +62,9 @@ The interface un-quarantine filters allow all non-loopback packets if the interf
## Quarantine flow
-The following describes the general flow of quarantine:
+The following events describe the general flow of quarantine:
-1. There is some change on the current network interface.
+1. There's some change on the current network interface.
2. The interface un-quarantine filters will no longer permit new inbound connections. The interface is now in quarantine state.
@@ -102,7 +102,7 @@ The `netEvent` will have more information about the packet that was dropped incl
If the filter that dropped that packet was by the quarantine default inbound block filter, then the drop `netEvent` will have `filterOrigin` as `Quarantine Default`.
-The following is a sample `netEvent` with `filterOrigin` as `Quarantine Default`.
+The following code is a sample `netEvent` with `filterOrigin` as `Quarantine Default`.
```XML
By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).
In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
-| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
+| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The extra protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.|
-| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. |
-| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This is not related to the term zone as used by Domain Name System (DNS). |
+| Unsolicited network traffic | Network traffic that isn't a response to an earlier request, and that the receiving device can't necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. |
+| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.
This term zone isn't related to the one used by Domain Name System (DNS). |
**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
index 966c5e4a6a..297a720a7a 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
@@ -21,13 +21,13 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
-This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
+This topic is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
## Overview of Windows Defender Firewall with Advanced Security
-Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
+Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't be authenticated as a trusted device can't communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
-The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
+The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
@@ -40,9 +40,9 @@ Windows Defender Firewall with Advanced Security is an important part of a layer
To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
-- **Reduces the risk of network security threats.** Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
+- **Reduces the risk of network security threats.** Windows Defender Firewall reduces the attack surface of a device, providing an extra layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
- **Safeguards sensitive data and intellectual property.** With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
-- **Extends the value of existing investments.** Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
+- **Extends the value of existing investments.** Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
index be77c53fd5..7d809b3599 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -19,9 +19,9 @@ Windows Sandbox benefits from new container technology in Windows to achieve a c
## Dynamically generated image
-Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host.
+Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology uses the copy of Windows already installed on the host.
-Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.
+Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and can't be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. With the help of this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an extra copy of Windows.
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
@@ -35,7 +35,7 @@ Traditional VMs apportion statically sized allocations of host memory. When reso
## Memory sharing
-Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
+Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
@@ -45,7 +45,7 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling
-Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container.
+Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work will be prioritized, whether it's on the host or in the container.
## WDDM GPU virtualization
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 6f3d9838b0..c4b16514e9 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -21,7 +21,7 @@ A configuration file enables the user to control the following aspects of Window
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
-- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
+- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories may allow malicious software to affect the system or steal data.
- **Logon command**: A command that's executed when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
@@ -32,9 +32,9 @@ A configuration file enables the user to control the following aspects of Window
## Creating a configuration file
-To create a simple configuration file:
+To create a configuration file:
-1. Open a plain text editor or source code editor (e.g. Notepad, Visual Studio Code, etc.)
+1. Open a plain text editor or source code editor (for example, Notepad, Visual Studio Code, etc.)
2. Insert the following lines:
```XML
@@ -43,7 +43,7 @@ To create a simple configuration file:
```
3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below.
-4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, e.g. `"My config file.wsb"`.
+4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`.
## Using a configuration file
@@ -65,7 +65,7 @@ Supported values:
- *Enable*: Enables vGPU support in the sandbox.
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
-- *Default* This is the default value for vGPU support. Currently this means vGPU is disabled.
+- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
@@ -78,14 +78,14 @@ Enables or disables networking in the sandbox. You can disable network access to
Supported values:
- *Disable*: Disables networking in the sandbox.
-- *Default*: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
+- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
> [!NOTE]
> Enabling networking can expose untrusted applications to the internal network.
### Mapped folders
-An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop.
+An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder will be mapped to the container user's desktop.
```xml
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index f1ca17ad61..1a2434ffeb 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -54,7 +54,7 @@ The Security Compliance Toolkit consists of:
- GPO to Policy Rules
-You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/).
+You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/).
## What is the Policy Analyzer tool?
@@ -64,7 +64,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic
- Compare GPOs against current local policy and local registry settings
- Export results to a Microsoft Excel spreadsheet
-Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
+Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.
More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/new-tool-policy-analyzer) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
@@ -72,7 +72,7 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu
LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy.
Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems.
-LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files.
+LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files.
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 18cb5242f6..e37c61bea7 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -22,13 +22,13 @@ Microsoft is dedicated to providing its customers with secure operating systems,
Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.
-We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.
+We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This industry-standard configuration helps increase flexibility and reduce costs.
-Here is a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions).
+Here's a good blog about [Sticking with Well-Known and Proven Solutions](/archive/blogs/fdcc/sticking-with-well-known-and-proven-solutions).
## What are security baselines?
-Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
+Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be different from another organization. For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
@@ -36,17 +36,17 @@ A security baseline is a group of Microsoft-recommended configuration settings t
Security baselines are an essential benefit to customers because they bring together expert knowledge from Microsoft, partners, and customers.
-For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting.
+For example, there are over 3,000 Group Policy settings for Windows 10, which doesn't include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings, only some are security-related. Although Microsoft provides extensive guidance on different security features, exploring each one can take a long time. You would have to determine the security impact of each setting on your own. Then, you would still need to determine the appropriate value for each setting.
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers must keep up with security threats and make required changes to security settings to help mitigate these threats. To enable faster deployments and make managing Microsoft products easier, Microsoft provides customers with security baselines that are available in consumable formats, such as Group Policy Objects Backups.
## Baseline principles
Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially:
-- The baselines are designed for well-managed, security-conscious organizations in which standard end users do not have administrative rights.
-- A baseline enforces a setting only if it mitigates a contemporary security threat and does not cause operational issues that are worse than the risks they mitigate.
-- A baseline enforces a default only if it is otherwise likely to be set to an insecure state by an authorized user:
+- The baselines are designed for well-managed, security-conscious organizations in which standard end users don't have administrative rights.
+- A baseline enforces a setting only if it mitigates a contemporary security threat and doesn't cause operational issues that are worse than the risks they mitigate.
+- A baseline enforces a default only if it's otherwise likely to be set to an insecure state by an authorized user:
- If a non-administrator can set an insecure state, enforce the default.
- - If setting an insecure state requires administrative rights, enforce the default only if it is likely that a misinformed administrator will otherwise choose poorly.
+ - If setting an insecure state requires administrative rights, enforce the default only if it's likely that a misinformed administrator will otherwise choose poorly.
## How can you use security baselines?
@@ -60,7 +60,7 @@ There are several ways to get and use security baselines:
1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md)
-2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool.
+2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline) function like the Microsoft group policy-based security baselines and can easily integrate these baselines into an existing MDM management tool.
3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all).
diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md
index a0e24a1035..409613d466 100644
--- a/windows/security/trusted-boot.md
+++ b/windows/security/trusted-boot.md
@@ -25,7 +25,7 @@ Secure Boot and Trusted Boot help prevent malware and corrupted components from
The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments.
-As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with.
+As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it's trusted by the Secure Boot policy and hasn’t been tampered with.
## Trusted Boot
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index f042c1d12b..4cea2b5834 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -25,11 +25,11 @@ The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) princip
The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
-[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources.
+[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they're granted access to corporate resources.
-Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
+Windows 11 supports device health attestation, helping to confirm that devices are in a good state and haven't been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling.
-Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
+Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process haven't been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources.
## Device health attestation on Windows
Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines:
@@ -38,23 +38,23 @@ Attestation helps verify the identity and status of essential components and tha
- If the operating system booted correctly
- If the OS has the right set of security features enabled
-These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with.
+These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device hasn't been tampered with.
-Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
+Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and wasn't tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device.
A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event.
-2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service.
+2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service.
3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
-5. The attestation service does the following:
+5. The attestation service does the following tasks:
- - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log.
+ - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log.
- Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM.
- Verify that the security features are in the expected states.
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
deleted file mode 100644
index 77dfd79528..0000000000
--- a/windows/whats-new/contribute-to-a-topic.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Edit an existing topic using the Edit link
-description: Instructions about how to edit an existing topic by using the Edit link on docs.microsoft.com.
-ms.prod: w10
-ms.date: 10/13/2017
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-author: dansimp
-ms.topic: tutorial
----
-
-# Editing existing Windows IT professional documentation
-You can make suggestions and update existing, public content with just a GitHub account and a simple click of a link. You can use GitHub pull requests to edit the technical articles in the Windows IT libraries and then ask us to "pull" your changes into the published articles.
-
->[!NOTE]
->At this time, you can only edit the English (en-us) content.
-
-Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner of an article, you can suggest changes to it. You can specifically edit articles in the following libraries:
-
-- [Windows 10](/windows/windows-10)
-- [Windows Server](/windows-server/)
-- [Microsoft Edge](/microsoft-edge/deploy)
-- [Surface](/surface)
-- [Surface Hub](/surface-hub)
-- [HoloLens](/hololens)
-- [Microsoft Store](/microsoft-store)
-- [Windows 10 for Education](/education/windows)
-- [Windows 10 for SMB](/windows/smb)
-- [Internet Explorer 11](/internet-explorer)
-- [Microsoft Desktop Optimization Pack](/microsoft-desktop-optimization-pack)
-
-
-**To edit a topic**
-
-1. Go to the article that you want to update, and then click **Edit**.
-
- 
-
-2. Sign into (or sign up for) a GitHub account.
-
- You must have a GitHub account to get to the page that lets you edit a topic.
-
-3. Click the **Pencil** icon (in the red box) to edit the content.
-
- 
-
-4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
-
- - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
-
-5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
-
- 
-
-6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**.
-
- 
-
- The **Comparing changes** screen shows the changes between your version of the article and the original content.
-
-7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. (Occasionally there are merge conflicts, where you've edited the file one way, while someone else edited the same lines in the same file in a different way. Before you can propose your changes, you need to fix those conflicts.)
-
- If there are no problems, you’ll see the message, **Able to merge**.
-
- 
-
-8. Click **Create pull request**.
-
-9. Enter a title and description to let us know what’s in the request.
-
-10. Scroll to the bottom of the page, and make sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people.
-
-11. Click **Create pull request** again to actually submit your edits.
-
-12. If you aren't a Microsoft employee, you need to [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories. A bot running in GitHub checks whether you've signed the CLA - if not, you'll be prompted, in the pull request, to sign it.
-
- If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
-
-Next, the pull request is sent to one of our writers to review your edits for technical and editorial accuracy. If we have any suggestions or questions, we'll add them to the pull request where we can discuss them with you. If we accept your edits, you'll see your changes the next time the article is published.
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index 6e75a1fb9f..94de09d07a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -21,7 +21,7 @@ This article lists new and updated features and content that are of interest to
### Provisioning devices using Windows Imaging and Configuration Designer (ICD)
-With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. An IT administrator who uses Windows Provisioning can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
[Learn more about provisioning in Windows 10](/windows/configuration/provisioning-packages/provisioning-packages)
@@ -33,7 +33,7 @@ AppLocker was available for Windows 8.1, and is improved with Windows 10. See [R
Enhancements to AppLocker in Windows 10 include:
-- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
+- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**.
- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
@@ -42,7 +42,7 @@ Enhancements to AppLocker in Windows 10 include:
Enhancements to AppLocker in Windows 10 include:
-- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
+- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online.
- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
@@ -67,10 +67,10 @@ In Windows 10, security auditing has added some improvements:
#### New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
-- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
- When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
+- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+ When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event.
- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
- Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
+ Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs is included in the event.
#### More info added to existing audit events
@@ -86,20 +86,20 @@ With Windows 10, version 1507, we've added more info to existing audit events to
#### Changed the kernel default audit policy
-In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
+In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve information in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts.
#### Added a default process SACL to LSASS.exe
-In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
-This can help identify attacks that steal credentials from the memory of a process.
+In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
+This process-when enabled-can help identify attacks that steal credentials from the memory of a process.
-#### New fields in the logon event
+#### New fields in the sign-in event
-The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
+The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
1. **MachineLogon** String: yes or no
- If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
+ If the account that signed in to the PC is a computer account, this field will be yes. Otherwise, the field is no.
2. **ElevatedToken** String: yes or no
- If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown.
+ If an account has signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown.
3. **TargetOutboundUserName** String
**TargetOutboundUserDomain** String
The username and domain of the identity that was created by the LogonUser method for outbound traffic.
@@ -113,7 +113,7 @@ The logon event ID 4624 has been updated to include more verbose information to
#### New fields in the process creation event
-The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
+The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
1. **TargetUserSid** String
The SID of the target principal.
2. **TargetUserName** String
@@ -121,7 +121,7 @@ The logon event ID 4688 has been updated to include more verbose information to
3. **TargetDomainName** String
The domain of the target user.
4. **TargetLogonId** String
- The logon ID of the target user.
+ The sign-in ID of the target user.
5. **ParentProcessName** String
The name of the creator process.
6. **ParentProcessId** String
@@ -187,7 +187,7 @@ Some things that you can check on the device are:
User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
-You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
+You shouldn't turn off UAC because such a setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10.
For more info about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
@@ -267,15 +267,15 @@ Administrators can also use mobile device management (MDM) or Group Policy to di
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
-By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
+By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
-- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
+- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security).
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
@@ -284,7 +284,7 @@ For more information about updating Windows 10, see [Windows 10 servicing option
## Microsoft Edge
-The new chromium-based Microsoft Edge is not included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
+The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
## See Also
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 7ee18df927..74fe44632b 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -24,7 +24,7 @@ This article lists new and updated features and content that are of interest to
### Windows Imaging and Configuration Designer (ICD)
-In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in this version of Windows 10, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
Windows ICD now includes simplified workflows for creating provisioning packages:
@@ -39,9 +39,9 @@ Windows ICD now includes simplified workflows for creating provisioning packages
>[!IMPORTANT]
>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release.
-Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft.
Use Upgrade Readiness to get:
@@ -65,9 +65,9 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
### Windows Hello for Business
-When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
+Other changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
@@ -79,7 +79,7 @@ Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
#### New BitLocker features
-- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
+- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
It provides the following benefits:
- The algorithm is FIPS-compliant.
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
@@ -116,7 +116,7 @@ Several new features and management options have been added to Windows Defender
- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media.
- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
@@ -130,7 +130,7 @@ With the growing threat from more sophisticated targeted attacks, a new security
### VPN security
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
@@ -156,7 +156,7 @@ This version of Windows 10, introduces shared PC mode, which optimizes Windows 1
Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
-With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
+With the release of this version of Windows 10, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
@@ -164,15 +164,15 @@ With the release of this version of Windows 10, App-V is included with the Windo
Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
-With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
+With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to.
-With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+With the release of this version of Windows 10, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
## Microsoft Edge
-The new chromium-based Microsoft Edge is not included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
+The new chromium-based Microsoft Edge isn't included in the LTSC release of Windows 10. However, you can download and install it separately [here](https://www.microsoft.com/edge/business/download).
## See Also
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index a5e9788ba1..d71d316113 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -71,7 +71,7 @@ But these protections can also be configured separately. And, unlike HVCI, code
### Endpoint detection and response
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
+Endpoint detection and response are improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus).
@@ -366,7 +366,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Privacy
-In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app.
+In the Feedback and Settings page under Privacy Settings, you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app.
## Configuration
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index e91667cc1a..d79885ad46 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -36,7 +36,7 @@ For more information about the lifecycle for this release, see [The next Windows
### System Guard
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code cannot access the OS memory and secrets.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) has improved a feature in this version of Windows called **SMM Firmware Protection**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to reduce the firmware attack surface and ensure that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, SMM code can't access the OS memory and secrets.
In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO.
@@ -64,17 +64,17 @@ Windows Defender Firewall now offers the following benefits:
**Safeguard data**: With integrated Internet Protocol Security (IPsec), Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
-**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
+**Extend value**: Windows Defender Firewall is a host-based firewall that is included with the operating system, so there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
-The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows.
+The Windows Defender Firewall is also now easier to analyze and debug. IPsec behavior has been integrated with Packet Monitor (pktmon), an in-box cross-component network diagnostic tool for Windows.
-Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enables analysis of firewall behavior and rich packet capture without relying on other tools.
+Additionally, the Windows Defender Firewall event logs have been enhanced to ensure an audit can identify the specific filter that was responsible for any given event. This enhancement enables analysis of firewall behavior and rich packet capture without relying on other tools.
Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](/windows/wsl/); You can add rules for WSL process, just like for Windows processes. For more information, see [Windows Defender Firewall now supports Windows Subsystem for Linux (WSL)](https://blogs.windows.com/windowsexperience/2018/04/19/announcing-windows-10-insider-preview-build-17650-for-skip-ahead/#II14f7VlSBcZ0Gs4.97).
### Virus and threat protection
-[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
+[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
@@ -82,11 +82,11 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
**Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-**Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
+**Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected.
**Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
-**Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
+**Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
**Improved support for non-ASCII file paths** for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
@@ -103,19 +103,19 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)](
[Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+ - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
To try this extension:
1. Configure Application Guard policies on your device.
2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
- 3. Follow any additional configuration steps on the extension setup page.
+ 3. Follow any of the other configuration steps on the extension setup page.
4. Reboot the device.
5. Navigate to an untrusted site in Chrome and Firefox.
**Dynamic navigation**: Application Guard now allows users to navigate back to their default host browser from the Application Guard Microsoft Edge. Previously, users browsing in Application Guard Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in Application Guard Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
Application Guard performance is improved with optimized document opening times:
-- An issue is fixed that could cause a one minute or more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
+- An issue is fixed that could cause a one-minute-or-more delay when you open a Microsoft Defender Application Guard (Application Guard) Office document. This issue can occur when you try to open a file using a Universal Naming Convention (UNC) path or Server Message Block (SMB) share link.
- A memory issue is fixed that could cause an Application Guard container to use almost 1 GB of working set memory when the container is idle.
- The performance of Robocopy is improved when copying files over 400 MB in size.
@@ -125,12 +125,12 @@ Application Guard performance is improved with optimized document opening times:
### Application Control
-[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added a number of new features that light up key scenarios and provide feature parity with AppLocker.
+[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added many new features that light up key scenarios and provide feature parity with AppLocker.
- [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
- This brings Windows Defender Application Control (WDAC) to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for unknown admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
+ This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
## Identity and privacy
@@ -138,12 +138,12 @@ Application Guard performance is improved with optimized document opening times:
Windows Hello enhancements include:
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
-- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
+- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
@@ -151,7 +151,7 @@ Windows Hello enhancements include:
#### Windows Defender Credential Guard
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Privacy controls
@@ -173,7 +173,7 @@ Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows U
A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action).
-Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).
+Intune has also added capabilities to [Role-based access control](/mem/intune/fundamentals/whats-new#role-based-access-control) (RBAC) that can be used to further define profile settings for the Enrollment Status Page (ESP). For more information, see [Create Enrollment Status Page profile and assign to a group](/mem/intune/enrollment/windows-enrollment-status#create-enrollment-status-page-profile-and-assign-to-a-group).
For a full list of what's new in Microsoft Intune, see [What's new in Microsoft Intune](/mem/intune/fundamentals/whats-new).
@@ -189,12 +189,11 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
#### Key-rolling and Key-rotation
This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
-
## Deployment
### SetupDiag
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
### Reserved storage
diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
index 8190b90e04..5078ed991a 100644
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, versions 1507 and 1511 (Windows 10)
-description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511).
+description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)?
ms.reviewer:
ms.prod: w10
author: aczechowski
@@ -23,7 +23,7 @@ Below is a list of some of the new and updated features included in the initial
### Provisioning devices using Windows Imaging and Configuration Designer (ICD)
-With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows Provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. An IT administrator using Windows Provisioning can easily specify desired configuration and settings required to enroll the devices into management (through a wizard-driven user interface) and then apply that configuration to target devices in a matter of minutes. It's best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
[Learn more about provisioning in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages)
@@ -34,8 +34,8 @@ With Windows 10, you can create provisioning packages that let you quickly and e
#### New AppLocker features in Windows 10, version 1507
-- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
-- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
+- A new parameter was added to the [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this parameter, set the **ServiceEnforcement** to **Enabled**.
+- A new [AppLocker](/windows/client-management/mdm/applocker-csp) configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
[Learn how to manage AppLocker within your organization](/windows/device-security/applocker/applocker-overview).
@@ -43,7 +43,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e
#### New BitLocker features in Windows 10, version 1511
-- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
+- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides extra protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
It provides the following benefits:
- The algorithm is FIPS-compliant.
- Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
@@ -55,7 +55,7 @@ With Windows 10, you can create provisioning packages that let you quickly and e
-- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
+- **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#device-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This escrow will make it easier to recover your BitLocker key online.
- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-configuration-service-provider#dataprotection-allowdirectmemoryaccess) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the [Configure pre-boot recovery message and URL](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-configurepreboot) section in "BitLocker Group Policy settings."
@@ -66,11 +66,11 @@ With Windows 10, you can create provisioning packages that let you quickly and e
#### New Credential Guard features in Windows 10, version 1511
- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
- - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
+ - Credentials that are saved by the Remote Desktop Protocol can't be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
- Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials.
- - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
-- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
-- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.
+ - You can't restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this backup before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
+- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This setting allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can do this configuration by using Group Policy.
+- **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg can't delegate default credentials when Credential Guard is enabled.
[Learn how to deploy and manage Credential Guard within your organization](/windows/access-protection/credential-guard/credential-guard).
@@ -100,10 +100,10 @@ In Windows 10, security auditing has added some improvements:
##### New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
-- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
- When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
+- [Audit Group Membership](/windows/device-security/auditing/audit-group-membership) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's sign-in token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the sign-in session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+ When this setting is configured, one or more security audit events are generated for each successful sign-in. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information can't fit in a single security audit event.
- [Audit PNP Activity](/windows/security/threat-protection/auditing/audit-pnp-activity) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
- Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
+ Only Success audits are recorded for this category. If you don't configure this policy setting, no audit event is generated when an external device is detected by plug and play.
A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
##### More info added to existing audit events
@@ -111,7 +111,7 @@ In Windows 10, two new audit subcategories were added to the Advanced Audit Poli
With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
- [Changed the kernel default audit policy](#bkmk-kdal)
- [Added a default process SACL to LSASS.exe](#bkmk-lsass)
-- [Added new fields in the logon event](#bkmk-logon)
+- [Added new fields in the sign-in event](#bkmk-logon)
- [Added new fields in the process creation event](#bkmk-logon)
- [Added new Security Account Manager events](#bkmk-sam)
- [Added new BCD events](#bkmk-bcd)
@@ -119,20 +119,20 @@ With Windows 10, version 1507, we've added more info to existing audit events to
##### Changed the kernel default audit policy
-In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
+In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This setting results in better auditing of services that may start before LSA starts.
##### Added a default process SACL to LSASS.exe
-In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
-This can help identify attacks that steal credentials from the memory of a process.
+In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is `L"S:(AU;SAFA;0x0010;;;WD)"`. You can enable this process under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
+This process can help identify attacks that steal credentials from the memory of a process.
-##### New fields in the logon event
+##### New fields in the sign-in event
-The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
+The sign-in event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
1. **MachineLogon** String: yes or no
If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
2. **ElevatedToken** String: yes or no
- If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown.
+ If an account signed in to the PC through the "administrative sign-in" method, this field will be yes. Otherwise, the field is no. Additionally, if this field is part of a split token, the linked sign-in ID (LSAP\_LOGON\_SESSION) will also be shown.
3. **TargetOutboundUserName** String
**TargetOutboundUserDomain** String
The username and domain of the identity that was created by the LogonUser method for outbound traffic.
@@ -146,7 +146,7 @@ The logon event ID 4624 has been updated to include more verbose information to
##### New fields in the process creation event
-The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
+The sign-in event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
1. **TargetUserSid** String
The SID of the target principal.
2. **TargetUserName** String
@@ -154,7 +154,7 @@ The logon event ID 4688 has been updated to include more verbose information to
3. **TargetDomainName** String
The domain of the target user..
4. **TargetLogonId** String
- The logon ID of the target user.
+ The sign-in ID of the target user.
5. **ParentProcessName** String
The name of the creator process.
6. **ParentProcessId** String
@@ -224,9 +224,9 @@ Some things that you can check on the device are:
User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
-You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
+You shouldn't turn off UAC because this setting isn't supportive of devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This setting isn't recommended for devices running Windows 10.
-For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
+For more information about how to manage UAC, see [UAC Group Policy Settings and Registry Key Settings](/windows/access-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings).
In Windows 10, User Account Control has added some improvements.
@@ -309,7 +309,7 @@ Administrators can also use mobile device management (MDM) or Group Policy to di
### Microsoft Store for Business
**New in Windows 10, version 1511**
-With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
+With the Microsoft Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or reuse licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
For more information, see [Microsoft Store for Business overview](/microsoft-store/windows-store-for-business-overview).
@@ -318,15 +318,15 @@ For more information, see [Microsoft Store for Business overview](/microsoft-sto
Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service.
-By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
+By using [Group Policy Objects](/previous-versions/cc498727(v=msdn.10)), Windows Update for Business is an easily established and implemented system that enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
-- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
+- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth efficient.
- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](/enterprise-mobility-security).
-Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
+Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)) and [Microsoft Endpoint Configuration Manager](/configmgr).
Learn more about [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb).
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index 48342fd24c..981388e744 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -1,6 +1,6 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
-description: What's new in Windows 10 for Windows 10 (version 1607).
+description: What's new in Windows 10 for Windows 10 (version 1607)?
ms.prod: w10
ms.localizationpriority: medium
ms.reviewer:
@@ -22,7 +22,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1
### Windows Imaging and Configuration Designer (ICD)
-In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install additional features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
+In previous versions of the Windows 10 Assessment and Deployment Kit (ADK), you had to install more features for Windows ICD to run. Starting in version 1607, you can install just the configuration designer component independent of the rest of the imaging components. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
Windows ICD now includes simplified workflows for creating provisioning packages:
@@ -34,9 +34,9 @@ Windows ICD now includes simplified workflows for creating provisioning packages
### Windows Upgrade Readiness
-Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for more direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
-With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they're known to Microsoft.
Use Upgrade Readiness to get:
@@ -69,9 +69,9 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
### Windows Hello for Business
-When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
+When Windows 10 was first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in Windows 10, version 1607. Customers who have already deployed Microsoft Passport for Work won't experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-Additional changes for Windows Hello in Windows 10, version 1607:
+Other changes for Windows Hello in Windows 10, version 1607:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
@@ -82,7 +82,7 @@ Additional changes for Windows Hello in Windows 10, version 1607:
### VPN
- The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients.
-- The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
+- The VPN client can integrate with Windows Information Protection (WIP) policy to provide extra security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection.
- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew_1607)
- Microsoft Intune: *VPN* profile template includes support for native VPN plug-ins. For more information, see [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure).
@@ -102,7 +102,7 @@ Several new features and management options have been added to Windows Defender
- [Windows Defender Offline in Windows 10](/microsoft-365/security/defender-endpoint/microsoft-defender-offline) can be run directly from within Windows, without having to create bootable media.
- [Use PowerShell cmdlets for Windows Defender](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus) to configure options and run scans.
-- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware.
+- [Enable the Block at First Sight feature in Windows 10](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) to use the Windows Defender cloud for near-instant protection against new malware.
- [Configure enhanced notifications for Windows Defender in Windows 10](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus) to see more information about threat detections and removal.
- [Run a Windows Defender scan from the command line](/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
@@ -136,17 +136,17 @@ Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10
Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Microsoft Store, and interact with them as if they were installed locally.
-With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
+With the release of Windows 10, version 1607, App-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and App-V or if you're upgrading from a previous version of App-V, you’ll need to download, activate, and install server- and client-side components to start delivering virtual applications to users.
[Learn how to deliver virtual applications with App-V.](/windows/application-management/app-v/appv-getting-started)
### User Experience Virtualization (UE-V) for Windows 10
-Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
+Many users customize their settings for Windows and for specific applications. Customizable Windows settings include Microsoft Store appearance, language, background picture, font size, and accent colors. Customizable application settings include language, appearance, behavior, and user interface options.
-With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.
+With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users sign in, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they sign in to.
-With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
+With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you're new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices.
[Learn how to synchronize user-customized settings with UE-V.](/windows/configuration/ue-v/uev-for-windows)
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 5a1f162a4f..c6f958b3fe 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -15,7 +15,7 @@ ROBOTS: NOINDEX
Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
-For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
+For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](./index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update}(https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
>[!NOTE]
>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](/windows/deployment/planning/windows-10-removed-features).
@@ -59,18 +59,15 @@ Enterprises have been able to apply customized Start and taskbar layouts to devi
Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management).
-[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
+[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include:
- Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
- Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep)
-- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
-
-
-
+- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist).
### Cortana at work
-Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
+Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, optimized for your business. When your employees sign in with an Azure Active Directory (Azure AD) account, they can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work.
Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data.
@@ -83,9 +80,9 @@ For more info about Cortana at work, see [Cortana integration in your business o
MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
-Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
+Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
@@ -106,7 +103,7 @@ New features in Microsoft Defender for Endpoint for Windows 10, version 1703 inc
- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
-- **Response**: When detecting an attack, security response teams can now take immediate action to contain a breach:
+- **Response**: When an attack is detected, security response teams can now take immediate action to contain a breach:
- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
@@ -145,7 +142,7 @@ You can read more about ransomware mitigations and detection capability in Micro
### Device Guard and Credential Guard
-Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
+More security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
For more information, see [Device Guard Requirements](/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard) and [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
### Group Policy Security Options
@@ -153,7 +150,7 @@ For more information, see [Device Guard Requirements](/windows/device-security/d
The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign-in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
### Windows Hello for Business
@@ -172,7 +169,7 @@ You can also now collect your audit event logs by using the Reporting configurat
### Windows Update for Business
-The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
+The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy hasn't been configured. We've also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
@@ -184,12 +181,12 @@ We recently added the option to download Windows 10 Insider Preview builds using
### Optimize update delivery
-With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, and with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
+Delivery Optimization policies now enable you to configure more restrictions to have more control in various scenarios.
Added policies include:
- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
@@ -204,7 +201,7 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1
Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
-Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
+Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This condition won't apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
## Management
@@ -214,7 +211,7 @@ Windows 10, version 1703 adds many new [configuration service providers (CSPs)](
Some of the other new CSPs are:
-- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
- The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
@@ -237,7 +234,7 @@ For more info, see [Implement server-side support for mobile application managem
### MDM diagnostics
-In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
+In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an extra tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
@@ -265,32 +262,31 @@ Learn about the new Group Policies that were added in Windows 10, version 1703.
In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](/openspecs/windows_protocols/ms-mice/9598ca72-d937-466c-95f6-70401bb10bdb).
-Miracast over Infrastructure offers a number of benefits:
+Miracast over Infrastructure offers many benefits:
- Windows automatically detects when sending the video stream over this path is applicable.
- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
-- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
- No changes to current wireless drivers or PC hardware are required.
-- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
-- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
-
+- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct.
+- It uses an existing connection that reduces the time to connect and provides a stable stream.
### How it works
-Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, and via multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
### Enabling Miracast over Infrastructure
-If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following requirements are true within your deployment:
- The device (PC or Surface Hub) needs to be running Windows 10, version 1703.
- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*.
- - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (for example, using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
+- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this resolution by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
-It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+It's important to note that Miracast over Infrastructure isn't a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
## New features in related products
The following new features aren't part of Windows 10, but help you make the most of it.
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 0585c1b9ab..4e26d46510 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -39,14 +39,14 @@ Windows 10 Subscription Activation lets you deploy Windows 10 Enterprise in your
### Autopilot Reset
-IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
+IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom sign-in screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](/education/windows/autopilot-reset).
## Update
### Windows Update for Business
-Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+Windows Update for Business now has more controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
### Windows Insider Program for Business
@@ -98,7 +98,7 @@ Window Defender Exploit Guard provides intrusion prevention capabilities to redu
### Windows Defender Device Guard
-Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
+Configurable code integrity is being rebranded as Windows Defender Application Control. This rebranding is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
### Windows Information Protection
@@ -106,7 +106,7 @@ Windows Information Protection is now designed to work with Microsoft Office and
### Windows Hello
-New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification).
+New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](/windows/access-protection/hello-for-business/hello-identity-verification).
### BitLocker
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index d8903b9bbb..159845ee44 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -30,7 +30,7 @@ The following 3-minute video summarizes some of the new features that are availa
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot) provides a modern device lifecycle management service powered by the cloud that delivers a zero touch experience for deploying Windows 10.
-Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
+With the help of Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly.
Windows Autopilot is now available with Surface, Lenovo, and Dell. Other OEM partners such as HP, Toshiba, Panasonic, and Fujitsu will support Autopilot in coming months. Check back here later for more information.
@@ -45,13 +45,13 @@ Some additional information about Windows 10 in S mode:
- Choice and flexibility. Save your files to your favorite cloud, like OneDrive or DropBox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps.
- S mode, on a range of modern devices. Enjoy all the great Windows multi-tasking features, like snapping Windows, task view and virtual desktops on a range of S mode enabled devices.
-If you want to switch out of S mode, you will be able to do so at no charge, regardless of edition. Once you switch out of S mode, you cannot switch back.
+If you want to switch out of S mode, you'll be able to do so at no charge, regardless of edition. Once you switch out of S mode, you can't switch back.
For more information, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
### Windows 10 kiosk and Kiosk Browser
-With this release you can easily deploy and manage kiosk devices with Microsoft Intune in single and multiple app scenarios. This includes the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
+With this release, you can easily deploy and manage kiosk devices with Microsoft Intune in single- and multiple-app scenarios. These scenarios include the new Kiosk Browser available from the Microsoft Store. Kiosk Browser is great for delivering a reliable and custom-tailored browsing experience for scenarios such as retail and signage. A summary of new features is below.
- Using Intune, you can deploy the Kiosk Browser from the Microsoft Store, configure start URL, allowed URLs, and enable/disable navigation buttons.
- Using Intune, you can deploy and configure shared devices and kiosks using assigned access to create a curated experience with the correct apps and configuration policies
@@ -78,7 +78,7 @@ The following new DISM commands have been added to manage feature updates:
| Command | Description |
|---|---|
-| `DISM /Online /Initiate-OSUninstall` | Initiates a OS uninstall to take the computer back to the previous installation of windows. |
+| `DISM /Online /Initiate-OSUninstall` | Initiates an OS uninstall to take the computer back to the previous installation of windows. |
| `DISM /Online /Remove-OSUninstall` | Removes the OS uninstall capability from the computer. |
| `DISM /Online /Get-OSUninstallWindow` | Displays the number of days after upgrade during which uninstall can be performed. |
| `DISM /Online /Set-OSUninstallWindow` | Sets the number of days after upgrade during which uninstall can be performed. |
@@ -96,7 +96,7 @@ Prerequisites:
For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
-It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option:
+It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option:
`/PostRollback
-Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Custom detection](/microsoft-365/security/defender/custom-detections-overview)
- With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
+ With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This query creation can be done by using the power of Advanced hunting through the creation of custom detection rules.
- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration.
@@ -164,10 +164,10 @@ The integration will allow MSSPs to take the following actions:
Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
-Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
+Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
-Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines.
+Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines.
- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
@@ -185,7 +185,7 @@ Cloud clipboard helps users copy content between devices. It also manages the cl
3. Turn on **Clipboard history**.
-4. Turn on **Sync across devices**. Chose whether or not to automatically sync copied text across your devices.
+4. Turn on **Sync across devices**. Choose whether or not to automatically sync copied text across your devices.
## Kiosk setup experience
@@ -199,7 +199,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty
1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode.
-2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
+2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users can't minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
@@ -212,7 +212,7 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ
-**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
+**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store isn't set up, users can't get books.
@@ -245,12 +245,12 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables
>[!IMPORTANT]
>This is a private preview feature and therefore not meant or recommended for production purposes. This setting is not currently supported at this time.
-Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows logon support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass.
+Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing **web sign-in**, a new way of signing into your Windows PC. Web sign-in enables Windows sign-in support for credentials not available on Windows. Web sign-in is restricted to only support Azure AD temporary access pass.
**To try out web sign-in:**
1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs).
-2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in.
+2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in.
3. On the lock screen, select web sign-in under sign-in options.
@@ -264,12 +264,11 @@ Until now, Windows logon only supported the use of identities federated to ADFS
## Your Phone app
-Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future.
+Android phone users, you can finally stop emailing yourself photos. With Your Phone, you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future.
-For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen.
+For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing-read, watch, or browse-with all the benefits of a bigger screen.
-> [!div class="mx-imgBorder"]
-> 
+:::image type="content" source="images/your-phone.png" alt-text="Your phone.":::
The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**.
@@ -278,8 +277,8 @@ The desktop pin takes you directly to the **Your Phone** app for quicker access
One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes:
* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible
-* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly
-* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often.
+* Video mode increases the screen-to-screen latency to ensure the video on the large screen plays back smoothly
+* Productivity modes strike a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often.
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index d29e02749d..4dbfe4141b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -26,15 +26,15 @@ This article lists new and updated features and content that are of interest to
[Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. The following Windows Autopilot features are available in Windows 10, version 1903 and later:
-- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they are fully configured and business ready for your users.
+- [Windows Autopilot for white glove deployment](/windows/deployment/windows-autopilot/white-glove) is new in this version of Windows. "White glove" deployment enables partners or IT staff to pre-provision devices so they're fully configured and business ready for your users.
- The Intune [enrollment status page](/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
-- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
+- Windows Autopilot is self-updating during OOBE. From Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### SetupDiag
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
### Reserved storage
@@ -42,13 +42,13 @@ This article lists new and updated features and content that are of interest to
## Servicing
-- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
-- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
-- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
+- [**Delivery Optimization**](/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](/windows/client-management/mdm/policy-csp-deliveryoptimization). These new policies now support Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
+- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically sign in as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device backed up and run normally.
+- **Pause updates**: We've extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you'll need to update your device before pausing again.
- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
-- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
+- **Intelligent active hours**: To further enhance active hours, users will now be able to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
## Security
@@ -71,7 +71,7 @@ The draft release of the [security configuration baseline settings](/archive/blo
### Microsoft Defender for Endpoint
-- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
+- [Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses.
- [Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
@@ -80,9 +80,9 @@ The draft release of the [security configuration baseline settings](/archive/blo
### Microsoft Defender for Endpoint next-gen protection technologies:
- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
-- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
+- **Emergency outbreak protection**: Provides emergency outbreak protection that will automatically update devices with new intelligence when a new outbreak has been detected.
- **Certified ISO 27001 compliance**: Ensures that the cloud service has analyzed for threats, vulnerabilities and impacts, and that risk management and security controls are in place.
-- **Geolocation support**: Support geolocation and sovereignty of sample data as well as configurable retention policies.
+- **Geolocation support**: Support geolocation and sovereignty of sample data and configurable retention policies.
### Threat Protection
@@ -91,26 +91,26 @@ The draft release of the [security configuration baseline settings](/archive/blo
- [Windows Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements:
- Standalone users can install and configure their Windows Defender Application Guard settings without needing to change Registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior.
- - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There is also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
+ - WDAG is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend WDAG’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the WDAG extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the WDAG Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch WDAG from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates.
To try this extension:
1. Configure WDAG policies on your device.
2. Go to the Chrome Web Store or Firefox Add-ons and search for Application Guard. Install the extension.
- 3. Follow any additional configuration steps on the extension setup page.
+ 3. Follow any of the other configuration steps on the extension setup page.
4. Reboot the device.
5. Navigate to an untrusted site in Chrome and Firefox.
- WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
-- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has a number of new features that light up key scenarios and provide feature parity with AppLocker.
+- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has many new features that light up key scenarios and provide feature parity with AppLocker.
- [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
- This brings Windows Defender Application Control (WDAC) to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
+ This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
#### System Guard
-[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they will be coming out in the next few months.
+[System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) has added a new feature in this version of Windows called **SMM Firmware Measurement**. This feature is built on top of [System Guard Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) to check that the System Management Mode (SMM) firmware on the device is operating in a healthy manner - specifically, OS memory and secrets are protected from SMM. There are currently no devices out there with compatible hardware, but they'll be coming out in the next few months.
This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
@@ -118,7 +118,7 @@ This new feature is displayed under the Device Security page with the string “
### Identity Protection
-- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
+- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less sign-in for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
- [Streamlined Windows Hello PIN reset experience](/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
- Sign-in with [Password-less](/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
- [Remote Desktop with Biometrics](/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
@@ -131,7 +131,7 @@ This new feature is displayed under the Device Security page with the string “
## Microsoft Edge
-Several new features are coming in the next version of Edge. See the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97) for more information.
+Several new features are coming in the next version of Edge. For more information, see the [news from Build 2019](https://blogs.windows.com/msedgedev/2019/05/06/edge-chromium-build-2019-pwa-ie-mode-devtools/#2QJF4u970WjQ2Sv7.97).
## See Also
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 8f1b6a4c3c..4ca266485c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -21,11 +21,11 @@ This article lists new and updated features and content that are of interest to
Windows 10, version 1909 is a scoped set of features for select performance improvements, enterprise features and quality enhancements.
-To deliver these updates in an optimal fashion, we are providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you are running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.
+To deliver these updates in an optimal fashion, we're providing this feature update in a new way: using servicing technology. Users that are already running Windows 10, version 1903 (the May 2019 Update) will receive this update similar to how they receive monthly updates. If you're running version 1903, then updating to the new release will have a much faster update experience because the update will install like a monthly update.
-If you are updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97).
+If you're updating from an older version of Windows 10 (version 1809 or earlier), the process of updating to the current version will be the same as it has been for previous Windows 10 feature updates. For more information, see [Evolving Windows 10 servicing and quality: the next steps](https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/#rl2G5ETPhkhMvDeX.97).
-**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, please see the [Windows lifecycle fact sheet](/lifecycle/faq/windows).
+**Note**: Devices running the Enterprise, IoT Enterprise, or Education editions of Windows 10, version 1909 receive 30 months of support. For more information about the Windows servicing lifecycle, see the [Windows lifecycle fact sheet](/lifecycle/faq/windows).
### Windows Server Update Services (WSUS)
@@ -35,13 +35,13 @@ The Windows 10, version 1909 enablement package will be available on WSUS as [KB
### Windows Update for Business
-If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
+If you're using Windows Update for Business, you'll receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
## Security
### Windows Defender Credential Guard
-[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for additional protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
+[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard) is now available for ARM64 devices, for extra protection against credential theft for enterprises deploying ARM64 devices in their organizations, such as Surface Pro X.
### Microsoft BitLocker
@@ -53,7 +53,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
### Transport Layer Security (TLS)
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 is not built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
## Virtualization
@@ -65,7 +65,7 @@ An experimental implementation of TLS 1.3 is included in Windows 10, version 190
[Windows Virtual Desktop](/azure/virtual-desktop/overview) (WVD) is now generally available globally!
-Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, as well as an Azure tenant.
+Windows Virtual Desktop is a comprehensive desktop and app virtualization service running in the cloud. It’s the only virtual desktop infrastructure (VDI) that delivers simplified management, multi-session Windows 10, optimizations for Microsoft 365 Apps for enterprise, and support for Remote Desktop Services (RDS) environments. Deploy and scale your Windows desktops and apps on Azure in minutes, and get built-in security and compliance features. Windows Virtual Desktop requires a Microsoft E3 or E5 license, or a Microsoft 365 E3 or E5 license, and an Azure tenant.
## Deployment
@@ -81,7 +81,7 @@ Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Mana
[SetupDiag](/windows/deployment/upgrade/setupdiag) version 1.6.0.42 is available.
-SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. .
+SetupDiag is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
### Windows Assessment and Deployment Toolkit (ADK)
@@ -115,7 +115,7 @@ With Intel Turbo Boost Max Technology 3.0, an operating system will use informat
### Debugging
-Additional debugging capabilities for newer Intel processors have been added in this release. This is only relevant for hardware manufacturers.
+More debugging capabilities for newer Intel processors have been added in this release. These newly added capabilities are only relevant for hardware manufacturers.
### Efficiency
@@ -128,7 +128,7 @@ General battery life and power efficiency improvements for PCs with certain proc
[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[What Windows 10, version 1909 Means for Developers](https://blogs.windows.com/windowsdeveloper/2019/10/16/what-windows-10-version-1909-means-for-developers/): New and updated features in Windows 10 that are of interest to developers.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.
[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.
[What’s new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index a00b411668..e0d940dbf9 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -28,7 +28,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
-- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
+- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign-in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
@@ -36,7 +36,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
### Windows Defender System Guard
-In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO.
+In this release, [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to other resources like registers and IO.
With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
@@ -66,15 +66,15 @@ For more information, see Windows Setup enhancements in the [Windows IT Pro Blog
In Windows 10, version 2004, SetupDiag is now automatically installed.
-[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues.
+[SetupDiag](/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When log files are being searched, SetupDiag uses a set of rules to match known issues.
-During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
+During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there's an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup.
### Windows Autopilot
With this release, you can configure [Windows Autopilot user-driven](/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
-If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
+If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this skip was only supported with self-deploying profiles.
### Microsoft Endpoint Manager
@@ -90,7 +90,7 @@ For information about what's new in the ADK, see [What's new in the Windows ADK
### Microsoft Deployment Toolkit (MDT)
-MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. There is an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue.
+MDT version 8456 supports Windows 10, version 2004, but there's currently an issue that causes MDT to incorrectly detect that UEFI is present. There's an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue.
For the latest information about MDT, see the [MDT release notes](/mem/configmgr/mdt/release-notes).
@@ -102,9 +102,9 @@ Windows PowerShell cmdlets have been improved:
- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent).
- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections.
-- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
+- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to help in troubleshooting.
-Additional improvements:
+Other improvements:
- Enterprise network [throttling is enhanced](/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
@@ -123,9 +123,9 @@ The following [Delivery Optimization](/windows/deployment/update/waas-delivery-o
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
-- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we've created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
+- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue using deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
## Networking
@@ -146,7 +146,7 @@ In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added
[Windows Sandbox configuration](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes:
- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop.
- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox.
-- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste.
+- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This setting is disabled by default due to issues with copy & paste.
- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox.
- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox.
- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox.
@@ -161,7 +161,7 @@ Windows Sandbox also has improved accessibility in this release, including:
### Windows Subsystem for Linux (WSL)
-With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed.
+With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but wouldn't shrink when no longer needed.
[WSL2](/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
@@ -169,7 +169,7 @@ For a full list of updates to WSL, see the [WSL release notes](/windows/wsl/rele
### Windows Virtual Desktop (WVD)
-Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
+Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](/azure/virtual-desktop/) for the latest and greatest information, and the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent).
## Microsoft Edge
@@ -205,7 +205,7 @@ Windows Search is improved in several ways. For more information, see [Superchar
### Virtual Desktops
-There is a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
+There's a new [Update on Virtual Desktop renaming (Build 18975)](/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
### Bluetooth pairing
@@ -262,4 +262,4 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
- [What's new for business in Windows 10 Insider Preview Builds](/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
- [What's new in Windows 10, version 2004 - Windows Insiders](/windows-insider/archive/new-in-20h1): This list also includes consumer focused new features.
- [Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+- [Windows 10 features we're no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
index b3f400dbeb..14b2588859 100644
--- a/windows/whats-new/whats-new-windows-10-version-20H2.md
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -57,7 +57,7 @@ Activities are grouped into the following phases: **Plan** > **Prepare** > **Dep
- Ensure that [users are ready](/windows/deployment/update/prepare-deploy-windows) for updates
**Deploy** and manage Windows 10 strategically in your organization:
-- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the set up, configuration, and delivery of new devices
+- Use [Windows Autopilot](/mem/autopilot/windows-autopilot) to streamline the setup, configuration, and delivery of new devices
- Use [Configuration Manager](/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices
- Use [Windows Update for Business](/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](/windows/deployment/update/waas-wufb-group-policy) for your devices
- [Deploy Windows updates](/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS)
@@ -73,7 +73,7 @@ Enhancements to Windows Autopilot since the last release of Windows 10 include:
### Windows Assessment and Deployment Toolkit (ADK)
-There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
+There's no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](/windows-hardware/get-started/adk-install).
## Device management
@@ -146,4 +146,4 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
[What's New in Windows 10](./index.yml): See what’s new in other versions of Windows 10.
[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
[Features and functionality removed in Windows 10](/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+[Windows 10 features we’re no longer developing](/windows/deployment/planning/windows-10-deprecated-features): Features that aren't being developed.
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 7f67c4a774..6b9654ecf4 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -20,7 +20,7 @@ ms.collection: highpri
This article provides guidance to help you plan for Windows 11 in your organization.
-Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—as well as the same basic deployment strategy that you use today for Windows 10. You will need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11.
+Since Windows 11 is built on the same foundation as Windows 10, you can use the same deployment capabilities, scenarios, and tools—and the same basic deployment strategy that you use today for Windows 10. You'll need to review and update your servicing strategy to adjust for changes in [Servicing and support](#servicing-and-support) for Windows 11.
At a high level, this strategy should include the following steps:
- [Create a deployment plan](/windows/deployment/update/create-deployment-plan)
@@ -29,13 +29,13 @@ At a high level, this strategy should include the following steps:
- [Determine application readiness](/windows/deployment/update/plan-determine-app-readiness)
- [Define your servicing strategy](/windows/deployment/update/plan-define-strategy)
-If you are looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system is not a familiar process for you, some items to consider are provided below.
+If you're looking for ways to optimize your approach to deploying Windows 11, or if deploying a new version of an operating system isn't a familiar process for you, some items to consider are provided below:
## Determine eligibility
-As a first step, you will need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it is compatible.
+As a first step, you'll need to know which of your current devices meet the Windows 11 hardware requirements. Most devices purchased in the last 18-24 months will be compatible with Windows 11. Verify that your device meets or exceeds [Windows 11 requirements](windows-11-requirements.md) to ensure it's compatible.
-Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they are eligible for the upgrade.
+Microsoft is currently developing analysis tools to help you evaluate your devices against the Windows 11 hardware requirements. When Windows 11 reaches general availability, users running Windows 10 Home, Pro, and Pro for Workstations will be able to use the [PC Health Check](https://www.microsoft.com/windows/windows-11#pchealthcheck) app to determine their eligibility for Windows 11. Users running Windows 10 Enterprise and Education editions should rely on their IT administrators to let them know when they're eligible for the upgrade.
Enterprise organizations looking to evaluate device readiness in their environments can expect this capability to be integrated into existing Microsoft tools, such as Endpoint analytics and Update Compliance. This capability will be available when Windows 11 is generally available. Microsoft is also working with software publishing partners to facilitate adding Windows 11 device support into their solutions.
@@ -45,19 +45,19 @@ The availability of Windows 11 will vary according to a device's hardware and wh
##### Managed devices
-Managed devices are devices that are under organization control. Managed devices include those managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions.
+Managed devices are devices that are under organization control. Managed devices include those devices managed by Microsoft Intune, Microsoft Endpoint Configuration Manager, or other endpoint management solutions.
-If you manage devices on behalf of your organization, you will be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as:
+If you manage devices on behalf of your organization, you'll be able to upgrade eligible devices to Windows 11 using your existing deployment and management tools at no cost when the upgrade reaches general availability. Organizations that use Windows Update for Business will have added benefits, such as:
-- Ensuring that devices that don't meet the minimum hardware requirements are not automatically offered the Windows 11 upgrade.
-- Additional insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11.
+- Ensuring that devices that don't meet the minimum hardware requirements aren't automatically offered the Windows 11 upgrade.
+- More insight into safeguard holds. While safeguard holds will function for Windows 11 devices just as they do for Windows 10 today, administrators using Windows Update for Business will have access to information on which safeguard holds are preventing individual devices from taking the upgrade to Windows 11.
> [!NOTE]
> Also, Windows 11 has new Microsoft Software License Terms. If you are deploying with Windows Update for Business or Windows Server Update Services, you are accepting these new license terms on behalf of the users in your organization.
##### Unmanaged devices
-Unmanaged devices are devices that are not managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices are not subject to organizational policies that manage upgrades or updates.
+Unmanaged devices are devices that aren't managed by an IT administrator on behalf of an organization. For operating system (OS) deployment, these devices aren't subject to organizational policies that manage upgrades or updates.
Windows 11 will be offered to eligible Windows 10 devices beginning later in the 2021 calendar year. Messaging on new devices will vary by PC manufacturer, but users will see labels such as **This PC will upgrade to Windows 11 once available** on products that are available for purchase.
@@ -69,10 +69,10 @@ Just like Windows 10, the machine learning based [intelligent rollout](https://t
The recommended method to determine if your infrastructure, deployment processes, and management tools are ready for Windows 11 is to join the [Windows Insider Program for Business](https://insider.windows.com/for-business). As a participant in the [Release Preview Channel](/windows-insider/business/validate-Release-Preview-Channel), you can validate that your devices and applications work as expected, and explore new features.
-As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization just yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
+As you plan your endpoint management strategy for Windows 11, consider moving to cloud-based mobile device management (MDM), such as [Microsoft Intune](/mem/intune/fundamentals/what-is-intune). If a cloud-only approach isn't right for your organization yet, you can still modernize and streamline essential pieces of your endpoint management strategy as follows:
- Create a [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview) (CMG) to manage Configuration Manager clients over the internet.
- Attach your existing Configuration Management estate to the cloud with [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions) so you can manage all devices from within the Microsoft Endpoint Manager admin center.
-- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview).
+- Use [co-management](/mem/configmgr/comanage/overview) to concurrently manage devices using both Configuration Manager and Microsoft Intune. This concurrent management allows you to take advantage of cloud-powered capabilities like [Conditional Access](/azure/active-directory/conditional-access/overview).
For more information on the benefits of these approaches, see [Cloud Attach Your Future: The Big 3](https://techcommunity.microsoft.com/t5/configuration-manager-blog/cloud-attach-your-future-part-ii-quot-the-big-3-quot/ba-p/1750664).
@@ -92,7 +92,7 @@ Along with user experience and security improvements, Windows 11 introduces enha
When Windows 11 reaches general availability, a consolidated Windows 11 update history will be available on support.microsoft.com, similar to what is [available today for Windows 10](https://support.microsoft.com/topic/windows-10-update-history-1b6aac92-bf01-42b5-b158-f80c6d93eb11). Similarly, the [Windows release health](/windows/release-health/) hub will offer quick access to Windows 11 servicing announcements, known issues, and safeguard holds.
-It is important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, as well as incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 General Availability Channel and Long-term Servicing Channel (LTSC) releases.
+It's important that organizations have adequate time to plan for Windows 11. Microsoft also recognizes that many organizations will have a mix of Windows 11 and Windows 10 devices across their ecosystem. Devices on in-service versions of Windows 10 will continue to receive monthly Windows 10 security updates through 2025, and incremental improvements to Windows 10 to support ongoing Microsoft 365 deployments. For more information, see the [Windows 10 release information](/windows/release-health/release-information) page, which offers information about the Windows 10 General Availability Channel and Long-term Servicing Channel (LTSC) releases.
## Application compatibility
@@ -104,7 +104,7 @@ If you run into compatibility issues or want to ensure that your organization's
**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats.
-**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
+**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across various Windows features and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11.
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 532493e1e3..84525fe130 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -30,7 +30,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil
#### On-premises solutions
-- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
+- If you use [Windows Server Update Service (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), you'll need to sync the new **Windows 11** product category. After you sync the product category, you'll see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
> [!NOTE]
> During deployment, you will be prompted to agree to the Microsoft Software License Terms on behalf of your users. Additionally, you will not see an x86 option because Windows 11 is not supported on 32-bit architecture.
@@ -42,14 +42,14 @@ The tools that you use for core workloads during Windows 10 deployments can stil
#### Cloud-based solutions
-- If you use Windows Update for Business policies, you will need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11).
- - If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
+- If you use Windows Update for Business policies, you'll need to use the **Target Version** capability (either through policy or the Windows Update for Business deployment service) rather than using feature update deferrals alone to upgrade from Windows 10 to Windows 11. Feature update deferrals are great to move to newer versions of your current product (for example, Windows 10, version 20H2 to 21H1), but won't automatically devices move between products (Windows 10 to Windows 11).
+ - If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use the [feature update deployments](/mem/intune/protect/windows-10-feature-updates) page to select **Windows 11, version 21H2** and upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11 on the **Update Rings** page in Intune. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
- In Group Policy, **Select target Feature Update version** has two entry fields after taking the 9/1/2021 optional update ([KB5005101](https://support.microsoft.com/topic/september-1-2021-kb5005101-os-builds-19041-1202-19042-1202-and-19043-1202-preview-82a50f27-a56f-4212-96ce-1554e8058dc1)) or a later update: **Product Version** and **Target Version**.
- The product field must specify Windows 11 in order for devices to upgrade to Windows 11. If only the target version field is configured, the device will be offered matching versions of the same product.
- For example, if a device is running Windows 10, version 2004 and only the target version is configured to 21H1, this device will be offered version Windows 10, version 21H1, even if multiple products have a 21H1 version.
-- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11. This is true regardless of which management tool you use to configure Windows Update for Business policies.
-- If you use Microsoft Intune and have a Microsoft 365 E3 license, you will be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you are currently on. When you are ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
+- Quality update deferrals will continue to work the same across both Windows 10 and Windows 11, which is true regardless of which management tool you use to configure Windows Update for Business policies.
+- If you use Microsoft Intune and have a Microsoft 365 E3 license, you'll be able to use [feature update deployments](/mem/intune/protect/windows-10-feature-updates) to easily update devices from one release of Windows 10 to another, or to upgrade Windows 10 devices to Windows 11. You can also continue using the same update experience controls to manage Windows 10 and Windows 11. If you aren’t ready to move to Windows 11, keep the feature update version set at the version you're currently on. When you're ready to start upgrading devices, change the feature update deployment setting to specify Windows 11.
> [!NOTE]
> Endpoints managed by Windows Update for Business will not automatically upgrade to Windows 11 unless an administrator explicitly configures a **Target Version** using the [TargetReleaseVersion](/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) setting using a Windows CSP, a [feature update profile](/mem/intune/protect/windows-10-feature-updates) in Intune, or the [Select target Feature Update version setting](/windows/deployment/update/waas-wufb-group-policy#i-want-to-stay-on-a-specific-version) in a group policy.
@@ -64,13 +64,13 @@ The following are some common use cases and the corresponding Microsoft Endpoint
- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multifactor authentication (MFA) for specific apps.
- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager.
-If you are exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date.
+If you're exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date.
## Review servicing approach and policies
-Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you are a fast adopter or will make the transition over the coming months or years.
+Every organization will transition to Windows 11 at its own pace. Microsoft is committed to supporting you through your migration to Windows 11, whether you're a fast adopter or will make the transition over the coming months or years.
-When you think of operating system updates as an ongoing process, you will automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace.
+When you think of operating system updates as an ongoing process, you'll automatically improve your ability to deploy updates. This approach enables you to stay current with less effort, and less impact on productivity. To begin, think about how you roll out Windows feature updates today: which devices, and at what pace.
Next, craft a deployment plan for Windows 11 that includes deployment groups, rings, users, or devices. There are no absolute rules for exactly how many rings to have for your deployments, but a common structure is:
- Preview (first or canary): Planning and development
@@ -81,7 +81,7 @@ For detailed information, see [Create a deployment plan](/windows/deployment/upd
#### Review policies
-Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly with regard to the speed of the update process or security.
+Review deployment-related policies, taking into consideration your organization's security objectives, update compliance deadlines, and device activity. Apply changes where you can gain a clear improvement, particularly regarding the speed of the update process or security.
#### Validate apps and infrastructure
@@ -90,16 +90,16 @@ To validate that your apps, infrastructure, and deployment processes are ready f
If you use Windows Server Update Services, you can deploy directly from the Windows Insider Pre-release category using one of the following processes:
- Set **Manage Preview Builds** to **Release Preview** in Windows Update for Business.
-- Leverage Azure Virtual Desktop and Azure Marketplace images.
+- Use Azure Virtual Desktop and Azure Marketplace images.
- Download and deploy ISOs from Microsoft’s Windows Insider Program ISO Download page.
Regardless of the method you choose, you have the benefit of free Microsoft support when validating pre-release builds. Free support is available to any commercial customer deploying Windows 10 or Windows 11 Preview Builds, once they become available through the Windows Insider Program.
#### Analytics and assessment tools
-If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you will have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade.
+If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint analytics, you'll have access to a hardware readiness assessment later this year. This tool enables you to quickly identify which of your managed devices are eligible for the Windows 11 upgrade.
-[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) does not support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview).
+[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) doesn't support Windows 11. You must use [Endpoint analytics](/mem/analytics/overview).
## Prepare a pilot deployment
@@ -117,8 +117,8 @@ At a high level, the tasks involved are:
## User readiness
-Do not overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They will also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
-- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they will see the changes.
+Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
+- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices.
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index b2aef79c6d..fe1621a610 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -26,7 +26,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har
- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC).
- RAM: 4 gigabytes (GB) or greater.
- Storage: 64 GB\* or greater available storage is required to install Windows 11.
- - Additional storage space might be required to download updates and enable specific features.
+ - Extra storage space might be required to download updates and enable specific features.
- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
- System firmware: UEFI, Secure Boot capable.
- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0.
@@ -34,7 +34,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har
- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
- Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.
-\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).
+\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).
Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
@@ -51,7 +51,7 @@ Eligible Windows 10 devices must be on version 2004 or later, and have installed
## Feature-specific requirements
-Some features in Windows 11 have requirements beyond those listed above. See the following list of features and associated requirements.
+Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements.
- **5G support**: requires 5G capable modem.
- **Auto HDR**: requires an HDR monitor.
@@ -74,7 +74,7 @@ Some features in Windows 11 have requirements beyond those listed above. See the
- **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router.
- **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103).
- **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct.
-- **Xbox app**: requires an Xbox Live account, which is not available in all regions. Please go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
+- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription.
## Virtual machine support
@@ -84,11 +84,11 @@ The following configuration requirements apply to VMs running Windows 11.
- Storage: 64 GB or greater
- Security: Secure Boot capable, virtual TPM enabled
- Memory: 4 GB or greater
-- Processor: 2 or more virtual processors
+- Processor: Two or more virtual processors
The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements).
-\* In-place upgrade of existing generation 1 VMs to Windows 11 is not possible.
+\* In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible.
> [!NOTE]
> Procedures to configure required VM settings depend on the VM host type. For VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version.