mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-16 07:17:24 +00:00
Merged PR 14962: 3/26 AM Publish
This commit is contained in:
Huaping Yu (Beyondsoft Consulting Inc)
commit
135077fc55
@ -15,19 +15,26 @@ ms.topic: article
|
||||
---
|
||||
|
||||
# Deploying the latest firmware and drivers for Surface devices
|
||||
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the requisite files on the Microsoft Download Center. Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
|
||||
Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment.
|
||||
|
||||
## Downloading MSI files
|
||||
To download MSI files, refer to the following Microsoft Support page:
|
||||
|
||||
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)<br>
|
||||
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices.
|
||||
|
||||
## Deploying MSI files
|
||||
Driver and firmware updates for Surface devices containing all required cumulative updates are available as separate MSI files packaged for specific versions of Windows 10. For example, for Surface Pro 6, there are separate MSI files for Windows 10 versions 16299, 17134, and 17763.
|
||||
When deploying updates to Surface devices in your organization, you need to first determine the appropriate .MSI file for the Windows version running on your target devices.
|
||||
Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10.
|
||||
In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6.
|
||||
|
||||
### Naming convention for Surface MSI files
|
||||
Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows OS floor number and version number, and ending with the revision of version number:
|
||||
|
||||
### Surface MSI naming convention
|
||||
Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. SurfacePro6_Win10_16299_1900307_0.msi is classified as follows:
|
||||
|
||||
**Example:**
|
||||
SurfacePro6_Win10_16299_1900307_0.msi :
|
||||
|
||||
| Product | Windows release | OS floor | Version | Revision of version |
|
||||
| Product | Windows release | Build | Version | Revision of version |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| SurfacePro6 | Win10 | 16299 | 1900307 | 0 |
|
||||
| | | | Indicates key date and sequence information | Indicates release history of the MSI file |
|
||||
@ -42,31 +49,9 @@ Look to the **version** number to determine the latest files that contain the mo
|
||||
|
||||
The first file — SurfacePro6_Win10_16299_1900307_0.msi — is the newest because its VERSION field has the newest build in 2019; the other files are from 2018.
|
||||
|
||||
### Downloading MSI files
|
||||
To download MSI files, refer to the following Microsoft Support page:
|
||||
|
||||
- [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
|
||||
## Supported devices
|
||||
Downloadable MSI files are available for Surface devices from Surface Pro 2 and later.
|
||||
|
||||
|
||||
The following MSI files are available:
|
||||
|
||||
- Surface Laptop 2
|
||||
- Surface Pro 6
|
||||
- Surface Go
|
||||
- Surface Go with LTE Advanced
|
||||
- Surface Book 2
|
||||
- Surface Laptop
|
||||
- Surface Pro
|
||||
- Surface Pro with LTE Advanced
|
||||
- Surface Pro 6
|
||||
- Surface Studio
|
||||
- Surface Studio 2
|
||||
- Surface Book
|
||||
- Surface Pro 4
|
||||
- Surface Pro 3
|
||||
- Surface 3
|
||||
- Surface 3 LTE
|
||||
- Surface Pro 2
|
||||
|
||||
[!NOTE]
|
||||
There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update.
|
||||
|
||||
@ -277,6 +277,7 @@ Sample syncxml to provision the firewall settings to evaluate
|
||||
</ul>
|
||||
<p style="margin-left: 20px">If not specified, the default is All.</p>
|
||||
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
|
||||
<p style="margin-left: 20px">The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.</p>
|
||||
|
||||
<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
|
||||
<p style="margin-left: 20px">Specifies the description of the rule.</p>
|
||||
@ -306,7 +307,7 @@ Sample syncxml to provision the firewall settings to evaluate
|
||||
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
|
||||
|
||||
<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
|
||||
<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
|
||||
<p style="margin-left: 20px">The rule is enabled based on the traffic direction as following. Supported values:</p>
|
||||
<ul>
|
||||
<li>IN - the rule applies to inbound traffic.</li>
|
||||
<li>OUT - the rule applies to outbound traffic.</li>
|
||||
@ -320,7 +321,6 @@ Sample syncxml to provision the firewall settings to evaluate
|
||||
<li>RemoteAccess</li>
|
||||
<li>Wireless</li>
|
||||
<li>Lan</li>
|
||||
<li>MobileBroadband</li>
|
||||
</ul>
|
||||
<p style="margin-left: 20px">If not specified, the default is All.</p>
|
||||
<p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>
|
||||
|
||||
@ -9,6 +9,8 @@ ms.sitesec: library
|
||||
ms.pagetype: mdt
|
||||
author: greg-lindsay
|
||||
ms.collection: M365-modern-desktop
|
||||
search.appverid:
|
||||
- MET150
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
|
||||
@ -103,7 +103,7 @@ Please check the driver instance for the device you are testing. Some drivers ma
|
||||
|
||||
|
||||
### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
|
||||
If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation).
|
||||
If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality.
|
||||
|
||||
### Do Microsoft drivers support DMA-remapping?
|
||||
In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.
|
||||
|
||||
@ -78,7 +78,7 @@ All x86-based Certified For Windows 10 PCs must meet several requirements relat
|
||||
|
||||
These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
|
||||
|
||||
- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <http://sysdev.microsoft.com>.
|
||||
- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to <http://partner.microsoft.com/dashboard>.
|
||||
- **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
|
||||
- **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 03/15/2019
|
||||
ms.date: 03/25/2019
|
||||
---
|
||||
|
||||
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
|
||||
@ -67,6 +67,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
|
||||
- [Recommended apps](#add-recommended-apps)
|
||||
- [Store apps](#add-store-apps)
|
||||
- [Desktop apps](#add-desktop-apps)
|
||||
|
||||
>[!NOTE]
|
||||
>An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.
|
||||
|
||||
### Add recommended apps
|
||||
|
||||
@ -397,7 +400,7 @@ To define the network boundaries, click **App policy** > the name of your policy
|
||||
|
||||
|
||||
|
||||
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
|
||||
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
|
||||
|
||||
### Cloud resources
|
||||
|
||||
|
||||
@ -13,7 +13,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/26/2019
|
||||
ms.date: 03/25/2019
|
||||
---
|
||||
|
||||
# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
|
||||
@ -38,8 +38,15 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
|
||||
|Visual Studio Online |contoso.visualstudio.com |
|
||||
|Power BI |contoso.powerbi.com |
|
||||
|
||||
>[!NOTE]
|
||||
>You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
|
||||
You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
|
||||
|
||||
For Office 365 endpoints, see [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges).
|
||||
Office 365 endpoints are updated monthly.
|
||||
Allow the domains listed in section number 46 Allow Required and add also add the apps.
|
||||
Note that apps from officeapps.live.com can also store personal data.
|
||||
|
||||
When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add a entry for a second-level domain and use a wildcard such as .svc.ms.
|
||||
|
||||
|
||||
## Recommended Neutral Resources
|
||||
We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).
|
||||
|
||||
@ -389,6 +389,7 @@
|
||||
#####Rules
|
||||
###### [Manage suppression rules](windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md)
|
||||
###### [Manage automation allowed/blocked](windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
|
||||
###### [Manage allowed/blocked](windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
|
||||
###### [Manage automation file uploads](windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
|
||||
###### [Manage automation folder exclusions](windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
@ -376,6 +376,7 @@
|
||||
####Rules
|
||||
##### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
|
||||
##### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
|
||||
##### [Manage allowed/blocked](manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
|
||||
##### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
|
||||
##### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 11/16/2018
|
||||
---
|
||||
|
||||
# Configure advanced features in Windows Defender ATP
|
||||
|
||||
@ -0,0 +1,77 @@
|
||||
---
|
||||
title: Manage allowed/blocked lists
|
||||
description: Create indicators for a file hash, IP address, URLs or domains that define the detection, prevention, and exclusion of entities.
|
||||
keywords: manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Manage allowed/blocked lists
|
||||
|
||||
**Applies to:**
|
||||
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
[!include[Prerelease information](prerelease.md)]
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
|
||||
|
||||
|
||||
Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.
|
||||
|
||||
On the top navigation you can:
|
||||
- Import a list
|
||||
- Add an indicator
|
||||
- Customize columns to add or remove columns
|
||||
- Export the entire list in CSV format
|
||||
- Select the items to show per page
|
||||
- Navigate between pages
|
||||
- Apply filters
|
||||
|
||||
## Create an indicator
|
||||
1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
|
||||
|
||||
2. Select the tab of the type of entity you'd like to create an indicator for. You can choose any of the following entities:
|
||||
- File hash
|
||||
- IP address
|
||||
- URLs/Domains
|
||||
|
||||
3. Click **Add indicator**.
|
||||
|
||||
4. For each attribute specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the machine group.
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
## Manage indicators
|
||||
1. In the navigation pane, select **Settings** > **Allowed/blocked list**.
|
||||
|
||||
2. Select the tab of the entity type you'd like to manage.
|
||||
|
||||
3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
|
||||
|
||||
## Import a list
|
||||
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
|
||||
|
||||
Download the sample CSV to know the supported column attributes.
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -43,6 +43,7 @@ For more information on the array of features in Windows 10 editions, see [Compa
|
||||
|
||||
For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://go.microsoft.com/fwlink/p/?linkid=2069559).
|
||||
|
||||
For more information about licensing requirements for Windows Defender ATP platform on Windows Server, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114).
|
||||
|
||||
|
||||
## Related topic
|
||||
|
||||
@ -66,7 +66,7 @@ Review the following details to verify minimum system requirements:
|
||||
|
||||
- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
|
||||
|
||||
>[NOTE]
|
||||
>[!NOTE]
|
||||
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
|
||||
>Don't install .NET framework 4.0.x, since it will negate the above installation.
|
||||
|
||||
|
||||
@ -24,6 +24,18 @@ Some applications, including device drivers, may be incompatible with HVCI.
|
||||
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
|
||||
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
|
||||
|
||||
>[!NOTE]
|
||||
>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*.
|
||||
|
||||
>[!TIP]
|
||||
> "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM).". Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book
|
||||
|
||||
## HVCI Features
|
||||
|
||||
* HVCI protects modification of the Code Flow Guard (CFG) bitmap.
|
||||
* HVCI also ensure your other Truslets, like Credential Guard have a valid certificate.
|
||||
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
|
||||
|
||||
## How to turn on HVCI in Windows 10
|
||||
|
||||
To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
|
||||
@ -279,6 +291,6 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
|
||||
### Requirements for running HVCI in Hyper-V virtual machines
|
||||
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
|
||||
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
|
||||
- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
|
||||
- HVCI and [virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
|
||||
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
|
||||
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user