From 6ad42996cea451a6a91dbee709f54812de4d5d57 Mon Sep 17 00:00:00 2001 From: Jordan Geurten Date: Fri, 16 Dec 2022 14:32:08 -0500 Subject: [PATCH 01/17] clarified WDAC evaluation of COM objects with multipolicy --- ...stration-in-windows-defender-application-control-policy.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 21694d67d5..b3e65b47bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -70,6 +70,10 @@ One attribute: - The setting needs to be placed in the order of ASCII values (first by Provider, then Key, then ValueName) +### Multiple policy considerations + +Similar to executable files, COM objects must pass each policy on the system to be allowed by WDAC. For example, if the COM object under evaluation passes most but not all of your WDAC policies, the COM object will not be allowed. If you are using a combination of base and supplemental policies, the COM object just needs to be allowlisted in either the base policy or one of the supplemental policies. + ### Examples Example 1: Allows registration of all COM object GUIDs in any provider From 89dfa36ede376883d959a84822faf30616c1e8a7 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:34:33 +0530 Subject: [PATCH 02/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../security-policy-settings/security-options.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 6a88de5b89..b7b56bf6a8 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -19,6 +19,7 @@ ms.topic: conceptual # Security Options **Applies to** +- Windows 11 - Windows 10 Provides an introduction to the **Security Options** settings for local security policies and links to more information. From 45303a8ee382d0ce6f8b429a2faf01142784f1ff Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:36:42 +0530 Subject: [PATCH 03/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../accounts-administrator-account-status.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 03e09cb0e4..e247a80951 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md 
@@ -20,6 +20,7 @@ ms.technology: itpro-security # Accounts: Administrator account status **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting. From 9803c5447d638288073a0f93fab0601f5ec23dfe Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:37:45 +0530 Subject: [PATCH 04/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../accounts-block-microsoft-accounts.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 31ea250022..bd80ebe594 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Accounts: Block Microsoft accounts **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting. From 7c01db55502734238112bce4c65a5f9437ec2c90 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:38:39 +0530 Subject: [PATCH 05/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../security-policy-settings/accounts-guest-account-status.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index e8296570ec..f23fc8dd7e 100644 
--- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Accounts: Guest account status - security policy setting **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting. From 0025691668a91ba529d96acfb9b3492606c0ea09 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:40:05 +0530 Subject: [PATCH 06/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- ...local-account-use-of-blank-passwords-to-console-logon-only.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 632ece9ddd..6b3f24d9e6 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Accounts: Limit local account use of blank passwords to console logon only **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. From bdb14bf7d959d5c72862927636d43c9afba68021 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:41:09 +0530 Subject: [PATCH 07/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../accounts-rename-administrator-account.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index dedf4c2e88..bd8090dfe7 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Accounts: Rename administrator account **Applies to** +- Windows 11 - Windows 10 This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting. From 904db045a85cf314dd0424bde7c5854db6351cb6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:42:10 +0530 Subject: [PATCH 08/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../security-policy-settings/accounts-rename-guest-account.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index 53052044e5..6bfcf412ae 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md 
@@ -20,6 +20,7 @@ ms.technology: itpro-security # Accounts: Rename guest account - security policy setting **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting. From b11de88be609aa3eb2ad86b73309be441fba9348 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:43:57 +0530 Subject: [PATCH 09/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../audit-audit-the-use-of-backup-and-restore-privilege.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 25d16578cf..7d38765755 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Audit: Audit the use of Backup and Restore privilege **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting. From 90373e03e43de8030ca6237e6e27324f3c51b19e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:44:59 +0530 Subject: [PATCH 10/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../audit-force-audit-policy-subcategory-settings-to-override.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 17ed033d50..42e645eb95 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** security policy setting. From 61c7695b48e316ccc606a8d168ff41a45d929b57 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:46:20 +0530 Subject: [PATCH 11/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- ...t-down-system-immediately-if-unable-to-log-security-audits.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index a470ec0246..614fbe0d12 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md 
@@ -20,6 +20,7 @@ ms.technology: itpro-security # Audit: Shut down system immediately if unable to log security audits **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, management practices, and security considerations for the **Audit: Shut down system immediately if unable to log security audits** security policy setting. From 038e5987f11bef8da2f8623252586bce1163e7a0 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:49:38 +0530 Subject: [PATCH 12/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- ...ons-in-security-descriptor-definition-language-sddl-syntax.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index e9ee7fcc6c..e549425217 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** security policy setting. From ed22195359255784c51de7d20531ae566276fda9 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:51:14 +0530 Subject: [PATCH 13/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../devices-allow-undock-without-having-to-log-on.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index 1b00fd452b..42bcd1198e 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Devices: Allow undock without having to log on **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Allow undock without having to log on** security policy setting. From 25cb7f60c0c3bafc6b49fa1413a5c39387d5239b Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:52:12 +0530 Subject: [PATCH 14/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../devices-allowed-to-format-and-eject-removable-media.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index 1a2d4569b1..f27b736149 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md 
@@ -20,6 +20,7 @@ ms.technology: itpro-security # Devices: Allowed to format and eject removable media **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Allowed to format and eject removable media** security policy setting. From eacb0fb990dff233514745899177417ae2b54cc9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:53:24 +0530 Subject: [PATCH 15/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- .../devices-prevent-users-from-installing-printer-drivers.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index c23872dd05..48ec7ee37d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Devices: Prevent users from installing printer drivers **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Prevent users from installing printer drivers** security policy setting. From b330f20677efe021ab0d8e11e7a6dd8e5cbbbd90 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 23 Dec 2022 17:54:19 +0530 Subject: [PATCH 16/17] added windows 11 after reading this article, i confirmed windows 11 is supported --- ...ices-restrict-cd-rom-access-to-locally-logged-on-user-only.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index b7bf3097f3..606f90388d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -20,6 +20,7 @@ ms.technology: itpro-security # Devices: Restrict CD-ROM access to locally logged-on user only **Applies to** +- Windows 11 - Windows 10 Describes the best practices, location, values, and security considerations for the **Devices: Restrict CD-ROM access to locally logged-on user only** security policy setting. From a156149ebd870d3de481b4abf23f109d0f73a707 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 3 Jan 2023 17:15:55 -0800 Subject: [PATCH 17/17] remove old note per PM --- windows/deployment/do/waas-delivery-optimization-setup.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 44ace484d1..8b49d9f487 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -92,8 +92,6 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. -[//]: # (default of 50 aimed at consumer) - To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
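Review bot: In PATCH 01/17, the first sentence of the new "Multiple policy considerations" section says COM objects "must pass each policy on the system", while the last sentence says being allowlisted in "either the base policy or one of the supplemental policies" is enough. Read literally, a supplemental policy is also a policy on the system, so the two statements conflict. Suggest wording the first sentence in terms of each base policy together with its supplemental policies, and making the example sentence match that wording. "just needs to be" could also be tightened to "must be".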
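Review bot: PATCH 02/17 through 16/17 would be easier to review and revert as a single commit: each hunk inserts the same `+- Windows 11` line above `- Windows 10` in a different file under security-policy-settings, with the same subject line. The subject says support was confirmed "after reading this article" but does not say which article; naming the source in the commit body would let a reviewer check the claim for each of the 15 settings.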
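Review bot: In PATCH 17/17, the unchanged MDM context line directly below the removed comment still says to set DOMinFileSizeToCache "to 100 (if you have more than 30 devices)", while the paragraph above it and the Group Policy sentence both give 10 for that case. Since this hunk already touches the section, please confirm the intended value and correct it here or in a follow-up. The subject "remove old note per PM" would also benefit from one sentence on why the comment about the default of 50 no longer applies.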