From 7c6db515fe99a7ca73069c2607e5b85aaba9920b Mon Sep 17 00:00:00 2001 From: "Yong Rhee [MSFT]" <56358587+YongRhee-MSFT@users.noreply.github.com> Date: Wed, 12 Apr 2023 06:57:39 -0700 Subject: [PATCH 1/6] Update defender-csp.md Adding info about MDMWinsOverGP not being relevant for the Defender CSP. MDMWinsOverGP only applies to the Windows Client Management CSP. --- windows/client-management/mdm/defender-csp.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index fe160a4fe0..3f2a9eadaa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -20,6 +20,10 @@ ms.topic: reference +> [!NOTE] +> [ControlPolicyConflict (MDMWinsOverGP)](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) is not applicable to the Defender CSP. +> If using a MDM, you will want to clean up your current Defender Group Policy (GPO) settings in order to not conflict with your MDM settings. + The following list shows the Defender configuration service provider nodes: From 0ecd9deff88d32decd9ee70d9f85834050445a78 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 12 Apr 2023 10:09:14 -0400 Subject: [PATCH 2/6] Update defender-csp.md Move the note inside editable section --- windows/client-management/mdm/defender-csp.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 3f2a9eadaa..5d33d60e48 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md 
@@ -18,11 +18,9 @@ ms.topic: reference - - > [!NOTE] -> [ControlPolicyConflict (MDMWinsOverGP)](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict) is not applicable to the Defender CSP. -> If using a MDM, you will want to clean up your current Defender Group Policy (GPO) settings in order to not conflict with your MDM settings. +> [ControlPolicyConflict (MDMWinsOverGP)](policy-csp-controlpolicyconflict.md) is not applicable to the Defender CSP. If using MDM, remove your current Defender group policy settings to avoid conflicts with your MDM settings. + The following list shows the Defender configuration service provider nodes: From a86ec42861a2a437e6ba84044ec5151b559361ff Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 12 Apr 2023 10:14:49 -0400 Subject: [PATCH 3/6] Update policy-csp-controlpolicyconflict.md --- .../mdm/policy-csp-controlpolicyconflict.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index b6865f7b07..4d9b9ad115 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
@@ -44,15 +44,14 @@ If set to 1 then any MDM policy that is set that has an equivalent GP policy wil > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. -This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. -The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). + +This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. > [!NOTE] > This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. -The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. -This ensures that: +The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that: - GP settings that correspond to MDM applied settings aren't conflicting - The current Policy Manager policies are refreshed from what MDM has set 
@@ -65,8 +64,7 @@ The [Policy DDF](configuration-service-provider-ddf.md) contains the following t - \ - \ -For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy -](./policies-in-policy-csp-supported-by-group-policy.md). +For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md). The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**. From d4f3b5663416395a485f800eb9b0bae6e5d49d5a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 12 Apr 2023 19:49:42 +0530 Subject: [PATCH 4/6] reanmed Password Policy as per user report #11435 , i changed from **Password Policy** to **Account Lockout Policy** --- .../security-policy-settings/account-lockout-duration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 969423ed4a..713bd9297b 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md 
@@ -44,7 +44,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes. ### Location -**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** ### Default values From a1585564c29ed28baead785324ed5234d9f51342 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 12 Apr 2023 19:59:10 +0530 Subject: [PATCH 5/6] updated link as per user report #11450,so i updated new link **https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines** --- .../windows-security-baselines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 5220f9868b..238193ef00 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -75,6 +75,6 @@ There are several ways to get and use security baselines: ## See also -- [Microsoft Security Guidance Blog](/archive/blogs/secguide/) +- [Microsoft Security Baselines Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) - [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) - [Security Baseline Policy Analyzer](https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo) From 309999997aa80fff72cb8c33f9cce33e60df7b90 Mon Sep 17 00:00:00 2001 
From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 12 Apr 2023 10:08:31 -0500 Subject: [PATCH 6/6] Update defender-csp.md Acro edits. --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 5d33d60e48..7550924275 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -2481,7 +2481,7 @@ Information about the current status of the threat. The following list shows the | 7 | Removed | | 8 | Cleaned | | 9 | Allowed | -| 10 | No Status ( Cleared) | +| 10 | No Status (Cleared) | @@ -3676,7 +3676,7 @@ OfflineScan action starts a Microsoft Defender Offline scan on the computer wher -RollbackEngine action rolls back Microsoft Defender engine to it's last known good saved version on the computer where you run the command. +RollbackEngine action rolls back Microsoft Defender engine to its last known good saved version on the computer where you run the command.
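Review bot: In PATCH 1/6, the added note in defender-csp.md links ControlPolicyConflict through an absolute, locale-pinned URL (`https://learn.microsoft.com/en-us/...`), whereas links between pages in this same folder are relative, as in `(configuration-service-provider-ddf.md)`. Suggest `[ControlPolicyConflict (MDMWinsOverGP)](policy-csp-controlpolicyconflict.md)` and "an MDM" instead of "a MDM". Per the PATCH 2/6 commit message, the note also sits outside the editable section, so it is better placed correctly here than moved in a follow-up commit.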
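Review bot: In PATCH 2/6, the reworded note in defender-csp.md tells the reader to remove Defender group policy settings but never says what happens on a device where both a Defender GP setting and its MDM counterpart are configured. Since the note states that MDMWinsOverGP is not applicable here, add one sentence on the resulting behaviour, or a pointer to where an admin can see the conflict, so readers can judge the effect of leaving stale GPOs in place.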
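Review bot: In PATCH 3/6, first hunk of policy-csp-controlpolicyconflict.md, the paragraph that is rejoined onto one line still reads "if this policy value is set 1" and "configured on MDM channel". The line is being rewritten anyway, so change these to "is set to 1" and "on the MDM channel". The unchanged note just below it mixes a straight and a curly apostrophe ("doesn't" and "doesn’t") and still says Windows 10 version 1809 "will support" the Delete command, which is worth cleaning up in the same pass.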
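Review bot: In PATCH 3/6, second hunk, the rejoined link line keeps the duplicated word in "For the list MDM-GP mapping list". Suggest "For the MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md)."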
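Review bot: In PATCH 4/6, the Location change to `Account Policies\\Account Lockout Policy` matches the setting the page documents, but the subject line misspells "renamed" as "reanmed" and describes a rename when the hunk corrects a wrong path. Suggest a subject along the lines of "Fix Location path in account-lockout-duration.md (#11435)" so the history says what was actually wrong.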