From 1464d375b9715881e00505b1ce785b438d283945 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 23 Jul 2021 19:30:31 -0700 Subject: [PATCH] Fixes from "repo health" project --- ...-from-a-local-enterprise-mode-site-list.md | 29 +++++------ education/windows/autopilot-reset.md | 52 +++++++++++-------- .../windows/edu-deployment-recommendations.md | 40 +++++++++++--- .../hello-deployment-issues.md | 26 ++++++---- .../virtual-smart-card-tpmvscmgr.md | 24 ++++++--- .../applocker/delete-an-applocker-rule.md | 28 ++++++---- .../create-an-authentication-request-rule.md | 30 +++++------ 7 files changed, 142 insertions(+), 87 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md index 93b323b78a..d6bb2e98eb 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md +++ b/browsers/internet-explorer/ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md @@ -31,32 +31,27 @@ ms.date: 07/27/2017 Remove websites that were added to a local Enterprise Mode site list by mistake or because the sites no longer have compatibility problems. -**Note**
The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. +> [!NOTE] +> The changes described in this topic only impact sites added to a local Enterprise Mode site list and not the list of sites deployed to all employees by an administrator. Employees can't delete sites added to the list by an administrator. -  **To remove single sites from a local Enterprise Mode site list** +**To remove single sites from a local Enterprise Mode site list** 1. Open Internet Explorer 11 and go to the site you want to remove. -2. Click **Tools**, and then click **Enterprise Mode**.

-The checkmark disappears from next to Enterprise Mode and the site is removed from the list. +2. Click **Tools**, and then click **Enterprise Mode**. -**Note**
If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. + The checkmark disappears from next to Enterprise Mode and the site is removed from the list. - **To remove all sites from a local Enterprise Mode site list** + > [!NOTE] + > If the site is removed by mistake, it can be added back by clicking **Enterprise Mode** again. -1. Open IE11, click **Tools**, and then click **Internet options**. +**To remove all sites from a local Enterprise Mode site list** + +1. Open Internet Explorer 11, click **Tools**, and then click **Internet options**. 2. Click the **Delete** button from the **Browsing history** area. 3. Click the box next to **Cookies and website data**, and then click **Delete**. -**Note**
This removes all of the sites from a local Enterprise Mode site list. - -   - -  - -  - - - + > [!NOTE] + > This removes all of the sites from a local Enterprise Mode site list. diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index dba25c2b0f..00b99a4c75 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
@@ -36,25 +36,29 @@ You can set the policy using one of these methods: - MDM provider - -Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. + Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. - For example, in Intune, create a new configuration policy and add an OMA-URI. - - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials - - Data type: Integer - - Value: 0 + For example, in Intune, create a new configuration policy and add an OMA-URI. + - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials + - Data type: Integer + - Value: 0 - Windows Configuration Designer - You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. + You can [use Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) to set the **Runtime settings > Policies > CredentialProviders > DisableAutomaticReDeploymentCredentials** setting and create a provisioning package. - Set up School PCs app - Autopilot Reset in the Set up School PCs app is available in the latest release of the app. Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + Autopilot Reset in the Set up School PCs app is available in the latest release of the app. 
Make sure you are running Windows 10, version 1709 on the student PCs if you want to use Autopilot Reset through the Set up School PCs app. You can check the version several ways: + - Reach out to your device manufacturer. + - If you manage your PCs using Intune or Intune for Education, you can check the OS version by checking the **OS version** info for the device. If you are using another MDM provider, check the documentation for the MDM provider to confirm the OS version. + - Log into the PCs, go to the **Settings > System > About** page, look in the **Windows specifications** section and confirm **Version** is set to 1709. - To use the Autopilot Reset setting in the Set up School PCs app: + To use the Autopilot Reset setting in the Set up School PCs app: + - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example: ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg) 
@@ -66,30 +70,36 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo 1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. - ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png) + + This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: - This will open up a custom login screen for Autopilot Reset. The screen serves two purposes: 1. Confirm/verify that the end user has the right to trigger Autopilot Reset + 2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process. ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png) 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset. ->[!IMPORTANT] ->To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. + > [!IMPORTANT] + > To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection. - Once Autopilot Reset is triggered, the reset process starts. + Once Autopilot Reset is triggered, the reset process starts. - After reset, the device: - - Sets the region, language, and keyboard. - - Connects to Wi-Fi. - - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. - - Is returned to a known good managed state, connected to Azure AD and MDM. + After reset, the device: + + - Sets the region, language, and keyboard. + + - Connects to Wi-Fi. 
+ + - If you provided a provisioning package when Autopilot Reset is triggered, the system will apply this new provisioning package. Otherwise, the system will re-apply the original provisioning package on the device. + + - Is returned to a known good managed state, connected to Azure AD and MDM. ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png) - Once provisioning is complete, the device is again ready for use. + Once provisioning is complete, the device is again ready for use. @@ -99,7 +109,7 @@ Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](/windo To make sure WinRE is enabled, use the [REAgentC.exe tool](/windows-hardware/manufacture/desktop/reagentc-command-line-options) to run the following command: -``` +```console reagentc /enable ``` @@ -107,4 +117,4 @@ If Autopilot Reset fails after enabling WinRE, or if you are unable to enable Wi ## Related topics -[Set up Windows devices for education](set-up-windows-10.md) \ No newline at end of file +[Set up Windows devices for education](set-up-windows-10.md) diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 268f6d2d8b..eaa2f7c35b 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md 
@@ -26,15 +26,21 @@ We want all students to have the chance to use the apps they need for success in ## Deployment best practices Keep these best practices in mind when deploying any edition of Windows 10 in schools or districts: + * A Microsoft account is only intended for consumer services. Enterprises and educational institutions should use enterprise versions where possible, such as Skype for Business, OneDrive for Business, and so on. For schools, consider using mobile device management (MDM) or Group Policy to block students from adding a Microsoft account as a secondary account. + * If schools allow the use of personal accounts by their students to access personal services, schools should be aware that these accounts belong to individuals, not the school. + * IT administrators, school officials, and teachers should also consider ratings when picking apps from the Microsoft Store. + * If you have students or school personnel who rely on assistive technology apps that are not available in the Microsoft Store for Education, and who are using a Windows 10 S device, configure their device to Windows 10 Pro Education to allow the download and use of non-Microsoft Store assistive technology apps. See [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) for more info. ## Windows 10 Contacts privacy settings If you’re an IT administrator who deploys Windows 10 in a school or district, we recommend that you review these deployment resources to make informed decisions about how you can configure telemetry for your school or district: + * [Configure Windows telemetry in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization) - Describes the types of telemetry we gather and the ways you can manage this data. 
+ * [Manage connections from Windows operating system components to Microsoft services](/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services) - Learn about network connections that Windows components make to Microsoft and also the privacy settings (such as location, camera, messaging, and more) that affect data that is shared with either Microsoft or apps and how you can manage this data. In particular, the **Contacts** area in the **Settings** > **Privacy** section lets you choose which apps can access a student’s contacts list. By default, this setting is turned on. @@ -44,7 +50,9 @@ To change the setting, you can: * [Choose the apps that you want to allow access to contacts](#choose-the-apps-that-you-want-to-allow-access-to-contacts) ### Turn off access to contacts for all apps + To turn off access to contacts for all apps on individual Windows devices: + 1. On the computer, go to **Settings** and select **Privacy**. ![Privacy settings](images/win10_settings_privacy.png) @@ -56,10 +64,13 @@ To turn off access to contacts for all apps on individual Windows devices: 3. Turn off **Let apps access my contacts**. For IT-managed Windows devices, you can use a Group Policy to turn off the setting. To do this: + 1. Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**. + 2. Set the **Select a setting** box to **Force Deny**. ### Choose the apps that you want to allow access to contacts + If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off. ![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png) 
@@ -67,62 +78,78 @@ If you want to allow only certain apps to have access to contacts, you can use t The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts. To allow only certain apps to have access to contacts, you can: + * Configure each app individually using the **Settings** > **Contacts** option in the Windows UI + * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce. - ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png) + ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png) + ## Skype and Xbox settings Skype (a Universal Windows Platform [UWP]) and Xbox are preinstalled as part of Windows 10. -The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see this [FAQ](https://go.microsoft.com/fwlink/?LinkId=821441). +The Skype app replaces the integration of Skype features into Skype video and Messaging apps on Windows PCs and large tablets. The Skype app provides all these features in one place and lets users have a single place to manage both their chat and voice conversations so they can take better advantage of their screen. For information about the new Skype UWP app preview, see [Skype for Windows 10 Insiders – your most asked questions](https://go.microsoft.com/fwlink/?LinkId=821441). 
With the Xbox app, students can use their Xbox profiles to play and make progress on their games using their Windows-based device. They can also unlock achievements and show off to their friends with game clips and screenshots. The Xbox app requires a Microsoft account, which is a personal account. Both Skype and Xbox include searchable directories that let students find other people to connect to. The online privacy and security settings for Skype and Xbox are not manageable through Group Policy so we recommend that school IT administrators and school officials let parents and students know about these searchable directories. If the school allows the use of personal or Microsoft account in addition to organization accounts, we also recommend that IT administrators inform parents and students that they can optionally remove any identifying information from the directories by: + * [Managing the user profile](#managing-the-user-profile) * [Deleting the account if the user name is part of the identifying information](#delete-an-account-if-username-is-identifying) ### Managing the user profile + #### Skype + Skype uses the user’s contact details to deliver important information about the account and it also lets friends find each other on Skype. To manage and edit your profile in the Skype UWP app, follow these steps: + 1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png) to go to the user’s profile page. + 2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal. + 3. In the online Skype portal, scroll down to the **Account details** section. In **Settings and preferences**, click **Edit profile**. The profile page includes these sections: - * Personal information - * Contact details - * Profile settings + * Personal information + * Contact details + * Profile settings 4. 
Review the information in each section and click **Edit profile** in either or both the **Personal information** and **Contact details** sections to change the information being shared. You can also remove the checks in the **Profile settings** section to change settings on discoverability, notifications, and staying in touch. + 5. If you do not wish the name to be included, edit the fields and replace the fields with **XXX**. + 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up. ![Skype profile icon](images/skype_uwp_manageprofilepic.png) * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**). + * You can also change the visibility of the profile picture between public (everyone) or for contacts only. To change the profile picture visibility, select the dropdown under **Profile picture** and choose between **Show to everyone** or **Show to contacts only**. #### Xbox + A user’s Xbox friends and their friends’ friends can see their real name and profile. By default, the Xbox privacy settings enforce that no personal identifying information of a minor is shared on the Xbox Live network, although adults in the child’s family can change these default settings to allow it to be more permissive. To learn more about how families can manage security and privacy settings on Xbox, see this [Xbox article on security](https://go.microsoft.com/fwlink/?LinkId=821445). ### Delete an account if username is identifying + If you want to delete either (or both) the Skype and the Xbox accounts, here’s how to do it. 
#### Skype + To delete a Skype account, you can follow the instructions here: [How do I close my Skype account?](https://go.microsoft.com/fwlink/?LinkId=816515) If you need help deleting the account, you can contact Skype customer service by going to the [Skype support request page](https://go.microsoft.com/fwlink/?LinkId=816519). You may need to sign in and specify a Skype account. Once you’ve signed in, you can: + 1. Select a help topic (**Account and Password**) 2. Select a related problem (**Deleting an account**) 3. Click **Next**. @@ -130,7 +157,8 @@ If you need help deleting the account, you can contact Skype customer service by #### Xbox + To delete an Xbox account, you can follow the instructions here: [How to delete your Microsoft account and personal information associated with it](https://go.microsoft.com/fwlink/?LinkId=816521). ## Related topics -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) \ No newline at end of file +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 1620881268..a95d9212e0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -28,7 +28,7 @@ Applies to: - Azure AD joined deployments - Windows 10, version 1803 and later -PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the "We can't open that page right now" error message. +PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue @@ -36,7 +36,7 @@ The user can launch the PIN reset flow from above lock using the "I forgot my PI In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. -If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in the "We can't open that page right now" being shown. +If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in "We can't open that page right now". ### Resolving Azure AD joined PIN Reset Allowed Domains Issue @@ -96,7 +96,7 @@ Description: The Kerberos client received a KDC certificate that does not have a matched domain name. Expected Domain Name: ad.contoso.com Error Code: 0xC000006D - ``` +``` ### Resolving On-premises Resource Access Issue with Third-Party CAs 
@@ -173,7 +173,7 @@ See https://go.microsoft.com/fwlink/?linkid=832647 for more details. If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration. -If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs': +If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource `http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope` with scope 'ugs': ```console Log Name: AD FS/Admin 
@@ -198,16 +198,22 @@ Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientE This issue is fixed in Windows Server, version 1903 and later. For Windows Server 2019, this issue can be remediated by adding the ugs scope manually. -1. Launch AD FS management console. Browse to "Services > Scope Descriptions". -2. Right click "Scope Descriptions" and select "Add Scope Description". -3. Under name type "ugs" and Click Apply > OK. +1. Launch AD FS management console. Browse to **Services > Scope Descriptions**. + +2. Right click **Scope Descriptions** and select **Add Scope Description**. + +3. Under name type **ugs** and click **Apply > OK**. + 4. Launch PowerShell as an administrator. + 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": -``` PowerShell -(Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier -``` + ```powershell + (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier + ``` 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. + 7. Restart the AD FS service. + 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 0b086ea53a..4a9273d496 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md 
@@ -51,7 +51,7 @@ The Destroy command securely deletes a virtual smart card from a computer. > [!WARNING] > When a virtual smart card is deleted, it cannot be recovered. -| **Parameter** | **Description** | +| Parameter | Description | |---------------|-------------------| | /instance | Specifies the instance ID of the virtual smart card to be removed. The instanceID was generated as output by Tpmvscmgr.exe when the card was created. The **/instance** parameter is a required field for the Destroy command. | | /machine | Allows you to specify the name of a remote computer on which the virtual smart card will be deleted. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in deleting a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. | 
@@ -67,26 +67,36 @@ For alphanumeric inputs, the full 127 character ASCII set is allowed. The following command shows how to create a virtual smart card that can be later managed by a smart card management tool launched from another computer. - tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT +```console +tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey DEFAULT /PIN PROMPT +``` Alternatively, instead of using a default administrator key, you can create an administrator key at the command line. The following command shows how to create an administrator key. - tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT +```console +tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT +``` The following command will create the unmanaged virtual smart card that can be used to enroll certificates. - tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate +```console +tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey RANDOM /PIN PROMPT /generate +``` The preceding command will create a virtual smart card with a randomized administrator key. The key is automatically discarded after the card is created. This means that if the user forgets the PIN or wants to the change the PIN, the user needs to delete the card and create it again. To delete the card, the user can run the following command. - tpmvscmgr.exe destroy /instance +```console +tpmvscmgr.exe destroy /instance +``` where <instance ID> is the value printed on the screen when the user created the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000. 
The following command will create a TPM virtual smart card with the default value for the administrator key and a specified PIN policy and attestation method: - tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate +```console +tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate +``` ## Additional references -- [Virtual Smart Card Overview](virtual-smart-card-overview.md) \ No newline at end of file +- [Virtual Smart Card Overview](virtual-smart-card-overview.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 80c31abf85..37cc05e7a2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md 
@@ -50,20 +50,26 @@ When the following procedure is performed on the local device, the AppLocker pol ## To clear AppLocker policies on a single system or remote systems Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents: - - - - - - - +```xml + + + + + + + +``` To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules: - - PS C:\Users\Administrator> import-module AppLocker + +```powershell +PS C:\Users\Administrator> import-module AppLocker +``` We will create a file (for example, clear.xml), place it in the same directory where we are executing our cmdlet, and add the preceding XML contents. Then run the following command: - - C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml + +```powershell +C:\Users\Administrator> Set-AppLockerPolicy -XMLPolicy .\clear.xml +``` This will remove all AppLocker Policies on a machine and could be potentially scripted to use on multiple machines using remote execution tools with accounts with proper access. diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 8d9c8d6a87..43156e1bc5 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md 
@@ -32,7 +32,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr To create the authentication request rule: -1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). +1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**. 
@@ -55,32 +55,32 @@ To create the authentication request rule: 6. Optional: If you selected **Advanced** in the previous step, then Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**. - The **First authentication method** can be one of the following: + The **First authentication method** can be one of the following: - - **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. + - **Computer (Kerberos V5)**. Selecting this option tells the device to request authentication of the device by using its domain credentials. This option works with other devices than can use IKE v1, including earlier versions of Windows. - - **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **Computer (NTLMv2)**. Selecting this option tells the device to use and require authentication of the device by using its domain credentials. This option works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. - - **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + - **Computer certificate from this certification authority (CA)**. 
Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. - - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. + - **Preshared key (not recommended)**. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys. If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. - If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. + If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails. - The **Second authentication method** can be one of the following: + The **Second authentication method** can be one of the following: - - **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1. + - **User (Kerberos V5)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other devices that can use AuthIP. 
User-based authentication using Kerberos V5 is not supported by IKE v1. - - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. + - **User (NTLMv2)**. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other devices that can use AuthIP. User-based authentication using NTLMv2 is not supported by IKE v1. - - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. + - **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to request user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to certain users or user groups. - - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. 
If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. + - **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the device to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used for this rule. - If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. + If you check **Second authentication is optional**, the connection can succeed even if the authentication attempt specified in this column fails. - > [!IMPORTANT] - > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. + > [!IMPORTANT] + > Make sure that you do not select the boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails. 7. After you have configured the authentication methods, click **OK** on each dialog box to save your changes and close it, until you return to the **Authentication Method** page in the wizard. Click **Next**.
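Review bot: the `-`/`+` pair on the step-1 line of the first hunk (`@@ -32,7 +32,7 @@`) is identical in wording and link target, so this hunk is a whitespace-only normalization with no change to the rendered procedure. That is fine for a repo-health pass, but the commit message ("Fixes from 'repo health' project") does not tell a reviewer whether any content changed; stating "whitespace/markdown normalization only" in the message would let the diff be skimmed with confidence.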
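Review bot: the **Computer (Kerberos V5)** bullet in the second hunk (`@@ -55,32 +55,32 @@`) is rewritten for indentation but carries its typo into the `+` line: "other devices than can use IKE v1" should read "other devices that can use IKE v1". Since the line is already being touched, fold the fix in rather than leaving it for a later pass. The unchanged context line at the top of the hunk has a capitalization slip of the same kind ("then Click **Customize**" mid-sentence) that a follow-up edit could pick up. Everything else in the hunk is whitespace-only, and the `> [!IMPORTANT]` callout warning that making both first and second authentication optional allows plaintext connections whenever authentication fails comes through intact, which is the one item in this list a reader must not lose.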