From e0c6d39e7f96548fab13dd7fac86f8e97c964334 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Jun 2018 10:37:34 -0700 Subject: [PATCH 1/8] added default info --- ...-platform-module-services-group-policy-settings.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index fe5000ea4f..142bab2ed6 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -52,7 +52,6 @@ This policy setting allows you to enforce or ignore the computer's local list of The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.) - If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list. If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. 
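Review bot: the only change in this hunk (PATCH 1/8, @@ -52,7 +52,6 @@ in trusted-platform-module-services-group-policy-settings.md) is the removal of a blank line between the paragraph ending "(The default list of blocked TPM commands is preconfigured by Windows.)" and "If you enable this policy setting, the Windows operating system will ignore ..."; confirm that one blank line still separates the two, because if the removed line was the only separator, markdown renders both as a single paragraph. Since the hunk is whitespace-only, it would be cleaner folded into the next commit of the series than shipped on its own.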
@@ -65,9 +64,9 @@ This policy setting configures how much of the TPM owner authorization informati There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. -- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. +- **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows. +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. 
This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1803. - **None**   This setting provides compatibility with previous operating systems and applications. You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. @@ -88,8 +87,10 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | -A value of 5 means discard the **Full** TPM owner authorization for TPM 1.2 but keep it for TPM 2.0. -  +Beginning with Windows 10 version 1803, the new default value for this setting is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. +For TPM 2.0, a value of 5 means keep the lockout authorization. +For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. + If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not From 7e7674e48ce3e020a7e99fcf5993a53be6d94afc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 22 Jun 2018 15:57:14 -0700 Subject: [PATCH 2/8] revised description for owner authorization --- ...m-module-services-group-policy-settings.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) 
diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 142bab2ed6..7936b618c3 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 08/16/2017 +ms.date: 06/22/2018 --- # TPM Group Policy settings 
@@ -58,15 +58,22 @@ If you disable or do not configure this policy setting, Windows will block the T ## Configure the level of TPM owner authorization information available to the operating system -Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. +>[!IMPORTANT] +>Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. -This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. +This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. + +|TPM 1.2 value | TPM 2.0 value | Purpose | Kept at level 0?| Kept at level 2?| Kept at level 4? 
| +|--------------|---------------|---------|-----------------|-----------------|------------------| +| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes | +| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes | +| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No | There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. - **Full**   This setting stores the full TPM owner authorization, the TPM administrative delegation blob, and the TPM user delegation blob in the local registry. With this setting, you can use the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that do not require you to reset the TPM anti-hammering logic or change the TPM owner authorization value. Some TPM-based applications may require that this setting is changed before features that depend on the TPM anti-hammering logic can be used. Full owner authorization in TPM 1.2 is similar to lockout authorization in TPM 2.0. Owner authorization has a different meaning for TPM 2.0. -- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1803. +- **Delegated**   This setting stores only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM antihammering logic. This is the default setting in Windows prior to version 1703. - **None**   This setting provides compatibility with previous operating systems and applications. 
You can also use it for scenarios when TPM owner authorization cannot be stored locally. Using this setting might cause issues with some TPM-based applications. @@ -87,13 +94,10 @@ The following table shows the TPM owner authorization values in the registry. | 2 | Delegated | | 4 | Full | -Beginning with Windows 10 version 1803, the new default value for this setting is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. -For TPM 2.0, a value of 5 means keep the lockout authorization. -For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose. -If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not +On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. ## Standard User Lockout Duration From 90ca7c0b5e6ff153f7716e3da2fa8f9eb7126443 Mon Sep 17 00:00:00 2001 
From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 09:09:44 -0700 Subject: [PATCH 3/8] Added new beta rule. --- .../attack-surface-reduction-exploit-guard.md | 15 +++++++++++++-- .../customize-attack-surface-reduction.md | 4 +++- .../enable-attack-surface-reduction.md | 3 ++- 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 3cc13b3320..8077146f92 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/13/2018 +ms.date: 06/29/2018 --- @@ -82,6 +82,10 @@ Windows 10, version 1803 has five new Attack surface reduction rules: - Block process creations originating from PSExec and WMI commands - Block untrusted and unsigned processes that run from USB +In addition, the following rule is available for beta testing: + +- Block Office communication applications from creating child processes + The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: Rule name | GUID 
@@ -98,6 +102,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. @@ -123,7 +128,7 @@ This rule blocks the following file types from being run or launched from an ema ### Rule: Block Office applications from creating child processes -Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, Outlook, and Access. +Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. 
@@ -203,6 +208,12 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +### Rule: Block Office communication applications from creating child processes + +Office communication apps will not be allowed to create child processes. This includes Outlook. + +This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. + ## Review Attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 7260ed4758..345e29bb18 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/15/2018 +ms.date: 06/29/2018 --- # Customize Attack surface reduction 
@@ -76,6 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-no.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 + See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 8541457872..de3f852b51 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 06/29/2018 --- 
@@ -64,6 +64,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From eddcec4aeb6316ea54a5545d38131a13f2c68425 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 09:34:32 -0700 Subject: [PATCH 4/8] Add beta note --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 8077146f92..1e25be6fc4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -102,7 +102,7 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. From 751985fc28b382e0bf701ef0d9959e10adc1093d Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 29 Jun 2018 11:03:15 -0700 Subject: [PATCH 5/8] dates --- .../trusted-platform-module-services-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 7936b618c3..41d6404f4b 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 06/22/2018 +ms.date: 06/29/2018 --- # TPM Group Policy settings From f3ab131595dfeee8ca29fc620d6d6ab63804b8a5 Mon Sep 17 00:00:00 2001 
From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 11:03:34 -0700 Subject: [PATCH 6/8] Added notes, incorporated review comments. --- .../attack-surface-reduction-exploit-guard.md | 6 ++++++ .../customize-attack-surface-reduction.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 1e25be6fc4..a977673685 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -179,10 +179,16 @@ This rule attempts to block Office files that contain macro code that is capable This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) + +>[NOTE!] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. + +>[NOTE!] +>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 345e29bb18..0732ac1826 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -76,7 +76,7 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-no.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 73509af7ca3385b865da6e842351d5a15697edfc Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Fri, 29 Jun 2018 11:22:44 -0700 Subject: [PATCH 7/8] Fixed note formatting. --- .../attack-surface-reduction-exploit-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index a977673685..8cecfe7be5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
@@ -180,14 +180,14 @@ This rule blocks the following file types from being run or launched unless they - Executable files (such as .exe, .dll, or .scr) ->[NOTE!] +>[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. Executable files that enter the system will be scanned to determine whether they are trustworthy. If the files exhibit characteristics that closely resemble ransomware, they are blocked from being run or launched, provided they are not already in the trusted list or exception list. ->[NOTE!] +>[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. ### Rule: Block credential stealing from the Windows local security authority subsystem (lsass.exe) From 16253f9f1697a27e87472dd1db23b7e57cf04fd4 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Fri, 29 Jun 2018 21:44:03 +0000 Subject: [PATCH 8/8] Merged PR 9484: More updates to this page to resolve licensing conflicts Removing some sections --- .../upgrade/windows-10-edition-downgrades.md | 39 +++++++------------ 1 file changed, 13 insertions(+), 26 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-edition-downgrades.md b/windows/deployment/upgrade/windows-10-edition-downgrades.md index d09ca77718..42e55a7327 100644 --- a/windows/deployment/upgrade/windows-10-edition-downgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-downgrades.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.localizationpriority: high ms.pagetype: mobile author: greg-lindsay -ms.date: 06/28/2018 +ms.date: 06/29/2018 --- # Windows 10 edition downgrade 
@@ -21,21 +21,12 @@ To perform a downgrade, you can use the same methods as when performing an [edit Downgrading from any edition of Windows 10 to Windows 7, 8, or 8.1 by entering a different product key is not supported. The only downgrade method available for this path is through the rollback of a previous upgrade. You also cannot downgrade from a later version to an earlier version of the same edition (Ex: Windows 10 Pro 1709 to 1703) unless the rollback process is used. This topic does not discuss version downgrades. -### Firmware-embedded activation keys - -As of October 2017, computers that are supplied by an OEM include a firmware embedded product key that can affect the available downgrade paths. If this key exists, you can display it and the pre-installed OS edition by typing the following commands at an elevated Windows PowerShell prompt: - -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKeyDescription -``` - ### Scenario example Downgrading from Enterprise - - Original edition with firmware-embedded key: **Professional OEM** - - Upgrade edition: **Enterprise** - - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** +- Original edition: **Professional OEM** +- Upgrade edition: **Enterprise** +- Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supercede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). 
@@ -45,10 +36,9 @@ You can move directly from Enterprise to any valid destination edition. In this >Edition changes that are considered upgrades (Ex: Pro to Enterprise, Pro to Pro for Workstations) are not shown here. >For more information see [Windows 10 edition upgrade](windows-10-edition-upgrades.md).
-Switching between different editions of Pro might not be possible if the source OS is associated with a [firmware-embedded activation key](#firmware-embedded-activation-keys). An exception is that you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key, and then later downgrade this computer back to Pro. - ✔ = Supported downgrade path
- N  = Not supported from OEM pre-installed
+ S  = Supported; Not considered a downgrade or an upgrade
+[blank] = Not supported or not a downgrade

@@ -102,8 +92,8 @@ Switching between different editions of Pro might not be possible if the source - - + + @@ -117,7 +107,7 @@ Switching between different editions of Pro might not be possible if the source - + @@ -135,7 +125,7 @@ Switching between different editions of Pro might not be possible if the source - + @@ -145,14 +135,11 @@ Switching between different editions of Pro might not be possible if the source >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. +Some slightly more complex scenarios are not represented by the table above. For example, you can perform an upgrade from Pro to Pro for Workstation on a computer with an embedded Pro key using a Pro for Workstation license key, and then later downgrade this computer back to Pro with the firmware-embedded key. The downgrade is allowed but only because the pre-installed OS is Pro. + ## Related Topics [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md)
[Windows upgrade and migration considerations](windows-upgrade-and-migration-considerations.md)
[Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-[Windows 10 upgrade paths](windows-10-upgrade-paths.md) - - - - - +[Windows 10 upgrade paths](windows-10-upgrade-paths.md) \ No newline at end of file
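Review bot: in PATCH 1/8, hunk @@ -65,9 +64,9 @@, the added sentence "Owner authorization has a different meaning for TPM 2.0." gives the reader nothing to act on; either say what the meaning is (the table PATCH 2/8 adds, mapping OwnerAuthFull to LockoutAuth, is the substance) or drop the sentence. The same hunk sets "the default setting in Windows prior to version 1803", which PATCH 2/8 rewrites to 1703; settle the correct version before merging so the series does not publish a contradictory intermediate state. Also keep the continuation of the **Delegated** bullet ("This setting is appropriate for use with TPM-based applications ...") on the bullet's own line, as every other bullet in that list is written.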
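Review bot: in PATCH 1/8, hunk @@ -88,8 +87,10 @@, "This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration" names neither the component nor what "take ownership" means for a registry value; name the component and state what the value becomes on a TPM 2.0 system versus a TPM 1.2 system. The three added sentences ("Beginning with Windows 10 version 1803 ...", "For TPM 2.0, ...", "For TPM 1.2, ...") are separated only by line breaks, which markdown joins into one paragraph; add blank lines if they are meant to stand apart. Note that PATCH 2/8 moves this text into the IMPORTANT box, so the fix belongs there.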
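Review bot: in PATCH 2/8, hunk @@ -58,15 +58,22 @@, the new table says OwnerAuthFull / LockoutAuth is not kept at level 4 ("| No | No | No |"), yet the **Full** bullet a few lines below says level 4 "stores the full TPM owner authorization ... in the local registry"; one of the two is wrong and readers will trust the table, so reconcile them (if level 4 really no longer keeps LockoutAuth, say so in the bullet). Two smaller points in the same hunk: "This policy setting configured which TPM authorization values" should read "configures", and the IMPORTANT box first says the setting "is no longer used by Windows" beginning with 1607 and then gives "the default value is 5" beginning with 1703; state which value the 5 applies to (the policy, or the registry entry listed in the table of values 0/2/4 further down) so the two sentences do not read as contradicting each other.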
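Review bot: in PATCH 2/8, hunk @@ -87,13 +94,10 @@, only the "If you disable or do not configure" sentence is scoped with "On Windows 10 prior to version 1607", while the preceding "If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry ..." and the trailing "If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled ..." remain unqualified; since the IMPORTANT box says the setting is unused from 1607 onward, apply the same scoping to all three sentences (or put one "Prior to Windows 10 version 1607:" lead-in above them).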
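Review bot: in PATCH 3/8, hunk @@ -123,7 +128,7 @@ in attack-surface-reduction-exploit-guard.md, Outlook is removed from the stable "Block Office applications from creating child processes" rule and is now covered only by the new "Block Office communication applications from creating child processes" rule, which the same series labels beta; say so in the stable rule's description (for example "Outlook is covered by the Block Office communication applications rule, see below") so an admin who already relies on the stable rule does not assume Outlook is still included. The trailing context line "for a list of supported Office version" should read "versions" while this file is open.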
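Review bot: in PATCH 6/8, hunk @@ -179,10 +179,16 @@ in attack-surface-reduction-exploit-guard.md, ">[NOTE!]" is not the docs alert syntax (">[!NOTE]"), which PATCH 7/8 then corrects; squash the two so the broken syntax never lands. In the same hunk, both new links use an absolute "https://docs.microsoft.com/en-us/..." URL with a locale, whereas the rest of this set links by relative path (for example "attack-surface-reduction-exploit-guard.md"); a relative link such as ../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md matches the repository layout shown in the diff headers and avoids pinning the reader to en-us.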
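Review bot: in PATCH 6/8, hunk @@ -76,7 +76,7 @@ in customize-attack-surface-reduction.md, the image path is changed to check-yes.svg but the include label still reads "Check mark no", so the rendered alt text contradicts the icon; change the row to `[!include[Check mark yes](images/svg/check-yes.svg)]`, matching the other "yes" rows in the table.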
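Review bot: in PATCH 8/8, hunk @@ -21,21 +21,12 @@ in windows-10-edition-downgrades.md, removing the "Firmware-embedded activation keys" section (and its PowerShell commands for displaying the embedded key) leaves the retained sentence "requires an additional activation key to supercede the firmware-embedded Pro key" with no explanation of what a firmware-embedded key is or how to tell whether a computer has one; add a one-sentence definition where the term first appears, or link to wherever that explanation now lives. "supercede" should also be "supersede".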
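Review bot: in PATCH 8/8, hunk @@ -145,14 +135,11 @@, the added paragraph writes "Pro for Workstation" twice ("upgrade from Pro to Pro for Workstation", "a Pro for Workstation license key") while the scenario bullets in the same file use "Pro for Workstations"; use one spelling of the edition name throughout. The same hunk also leaves the file without a trailing newline ("\ No newline at end of file" after the Windows 10 upgrade paths link); add the newline so later diffs of this file stay clean.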