Merge branch 'main' into v-mathavale-6063796
@ -19564,6 +19564,16 @@
|
||||
"source_path": "education/windows/get-minecraft-device-promotion.md",
|
||||
"redirect_url": "/education/windows/get-minecraft-for-education",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-group-policy",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md",
|
||||
"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -97,6 +97,7 @@ Firewall
|
||||
----------------Protocol
|
||||
----------------LocalPortRanges
|
||||
----------------RemotePortRanges
|
||||
----------------IcmpTypesAndCodes
|
||||
----------------LocalAddressRanges
|
||||
----------------RemoteAddressRanges
|
||||
----------------Description
|
||||
@ -340,6 +341,12 @@ Comma separated list of ranges, For example, 100-120,200,300-320.
|
||||
If not specified, the default is All.
|
||||
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
|
||||
<a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
|
||||
ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid.
|
||||
If not specified, the default is All.
|
||||
Value type is string. Supported operations are Add, Get, Replace, and Delete.
|
||||
|
||||
<a href="" id="localaddressranges"></a>**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
|
||||
Comma-separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
|
||||
|
||||
|
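Review bot: the new IcmpTypesAndCodes description (`ICMP types and codes applicable to the firewall rule...`) never says which Protocol values it applies to. A rule with Protocol 6 (TCP) and IcmpTypesAndCodes set is a contradictory filter, and the reader is left guessing whether the value is ignored or the Add fails; state that the node is only meaningful when Protocol is 1 (ICMPv4) or 58 (ICMPv6) and what the CSP does otherwise. The examples `3:4, 1:\*` imply a comma-separated list, but unlike the port-range text above (`Comma separated list of ranges`) this paragraph does not say so; add the word. Finally, `To specify all ICMP types and codes, use the "\*" character` followed by `"\*:\*" ... invalid` reads as a contradiction on first pass; one clause saying "use `*` alone, not `*:*`" removes the ambiguity.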
@ -1483,7 +1483,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul
|
||||
|
||||
If you enable this setting, low CPU priority will be used during scheduled scans.
|
||||
|
||||
If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans.
|
||||
If you disable or don't configure this setting, no changes will be made to CPU priority for scheduled scans.
|
||||
|
||||
Supported values:
|
||||
|
||||
@ -1922,10 +1922,7 @@ The following list shows the supported values:
|
||||
> [!NOTE]
|
||||
> This policy is only enforced in Windows 10 for desktop.
|
||||
|
||||
Selects the time of day that the Windows Defender quick scan should run.
|
||||
|
||||
> [!NOTE]
|
||||
> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting.
|
||||
Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified.
|
||||
|
||||
|
||||
|
||||
|
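Review bot: dropping the note `The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting` is right for this node, since ScanParameter selects the type of the scheduled scan configured by ScheduleScanDay/ScheduleScanTime rather than of this daily quick scan, but the replacement sentence (`The Windows Defender quick scan runs daily if a time is specified`) leaves the default case undefined. Say what happens when no time is set (whether a quick scan still runs at a built-in default time or is not scheduled at all), because an admin who clears this value to "turn it off" needs to know which. A one-line cross-reference to the scheduled-scan nodes would preserve the useful part of the deleted note.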
@ -4415,7 +4415,7 @@ The following list shows the supported values:
|
||||
<!--/SupportedValues-->
|
||||
<!--ADMXBacked-->
|
||||
ADMX Info:
|
||||
- GP Friendly name: *Allows enterprises to provide their users with a single-browser experience*
|
||||
- GP Friendly name: *Enable extended hot keys in Internet Explorer mode*
|
||||
- GP name: *EnableExtendedIEModeHotkeys*
|
||||
- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
|
||||
- GP ADMX file name: *inetres.admx*
|
||||
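Review bot: the GP Friendly name is corrected to `Enable extended hot keys in Internet Explorer mode`, but the GP path on the next lines still reads `Windows Components/Internet Explorer/Security Features/Add-on Management`. An IE-mode hotkey policy filed under Add-on Management looks like the remnant of whichever policy the old friendly name (`Allows enterprises to provide their users with a single-browser experience`) belonged to; verify the path for `EnableExtendedIEModeHotkeys` against inetres.admx and fix it in the same change, otherwise the ADMX info is half right and an admin will look for the setting in the wrong folder.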
@ -14317,4 +14317,4 @@ ADMX Info:
|
||||
|
||||
## Related topics
|
||||
|
||||
[Policy configuration service provider](policy-configuration-service-provider.md)
|
||||
[Policy configuration service provider](policy-configuration-service-provider.md)
|
||||
|
@ -24,9 +24,10 @@ The table below shows the applicability of Windows:
|
||||
|Enterprise|Yes|Yes|
|
||||
|Education|Yes|Yes|
|
||||
|
||||
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
|
||||
The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely reset a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely reset after being lost or stolen.
|
||||
|
||||
The following example shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
|
||||
|
||||
```
|
||||
./Vendor/MSFT
|
||||
RemoteWipe
|
||||
@ -39,15 +40,16 @@ RemoteWipe
|
||||
--------LastError
|
||||
--------Status
|
||||
```
|
||||
|
||||
<a href="" id="dowipe"></a>**doWipe**
|
||||
Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command.
|
||||
Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled.
|
||||
|
||||
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
|
||||
|
||||
Supported operation is Exec.
|
||||
|
||||
<a href="" id="dowipepersistprovisioneddata"></a>**doWipePersistProvisionedData**
|
||||
Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed.
|
||||
Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset.
|
||||
|
||||
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
|
||||
|
||||
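Review bot: the new doWipe text says the reset runs with **Clean Data** set to No and **Delete Files** set to Yes, and that an interrupted reset tries to roll back to the pre-reset state. Together those mean doWipe alone does not deliver the lost-or-stolen promise made in the file's opening paragraph: files are deleted but not overwritten, and whoever holds the device can cut power during the reset and may get it back with data intact. Say that here and point to doWipeProtected for that scenario rather than leaving the reader to infer it from a later node. Wording: `roll-back`/`rolled-back` are verbs here and should be `roll back`/`rolled back`, and `the PC could be in an unusable state and Windows will have to be reinstalled` needs a comma or a split. In the doWipePersistProvisionedData change, "backed up to a persistent location" was replaced by the concrete `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder, but the unchanged sentence below it still says `The information that was backed up will be restored`; align the two.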
@ -56,14 +58,14 @@ Supported operation is Exec.
|
||||
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
|
||||
|
||||
<a href="" id="doWipeProtected"></a>**doWipeProtected**
|
||||
Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command.
|
||||
Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful.
|
||||
|
||||
The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done.
|
||||
The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios.
|
||||
|
||||
Supported operation is Exec.
|
||||
|
||||
<a href="" id="doWipePersistUserData"></a>**doWipePersistUserData**
|
||||
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
|
||||
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
|
||||
|
||||
<a href="" id="automaticredeployment"></a>**AutomaticRedeployment**
|
||||
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
|
||||
|
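Review bot: `if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions` replaces `will keep trying to reset the device until it's done`, and the two describe different behaviours. Be precise about which it is: does the reset resume and complete, or does an interruption degrade to a partition clean that leaves the device unbootable (the earlier `may leave the device unable to boot` hints at the latter)? The addition `but not whether the reset was successful` is good, but the paragraph should then tell the admin where the outcome is reported; the tree at the top of this file has `--------LastError` and `--------Status` nodes, which are the natural reference. Also, `Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning` is the single most important sentence here for a security reader and should not sit mid-paragraph; call it out on its own line.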
@ -94,7 +94,7 @@ You can also use Group Policy to manage access to Microsoft Store.
|
||||
4. On the **Turn off the Store application** setting page, click **Enabled**, and then click **OK**.
|
||||
|
||||
> [!Important]
|
||||
> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
|
||||
> When you enable the policy to **Turn off the Store application**, it turns off app updates from the Microsoft Store. To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**. This configuration allows in-box store apps to update while still blocking access to the store.
|
||||
|
||||
## Show private store only using Group Policy
|
||||
|
||||
|
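Review bot: the expanded Important note says `To allow store apps to update, disable the policy to **Turn off automatic download and install of Updates**`, but it gives no path for that setting and "disable" is ambiguous between setting it to Disabled and leaving it Not Configured. State the path (it sits in the same Windows Components/Store folder as the policy configured in step 4), say that it must be explicitly set to Disabled, and say which policy wins when both are Enabled; as written the reader cannot tell whether the first policy overrides the second.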
@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
|
||||
|
||||
On **MDT01**:
|
||||
|
||||
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01.
|
||||
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
|
||||
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01.
|
||||
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
|
||||
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
|
||||
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
|
||||
|
||||
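Review bot: step 1 now pins `AcroRdrDC2200120142_en_US.exe`, but nothing in steps 1-2 tells the reader to check what they downloaded before importing it into a deployment share that pushes it to every machine. Add a step to verify the Authenticode signature (for example with `Get-AuthenticodeSignature` in PowerShell) and confirm the publisher is Adobe before running the `-sfx_o` extraction. Separately, the explicit build number goes stale with each Reader release and this is the second bump in the same line; "the current Enterprise build, for example AcroRdrDC2200120142_en_US.exe" would keep the step accurate between edits.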
@ -560,6 +560,12 @@ Some properties to use in the MDT Production rules file are as follows:
|
||||
- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore).
|
||||
- **EventService.** Activates logging information to the MDT monitoring web service.
|
||||
|
||||
> [!NOTE]
|
||||
> For more information about localization support, see the following articles:
|
||||
>
|
||||
> - [MDT sample guide](/mem/configmgr/mdt/samples-guide#fully-automated-lti-deployment-for-a-refresh-computer-scenario)
|
||||
> - [LCID (Locale ID) codes](/openspecs/office_standards/ms-oe376/6c085406-a698-4e12-9d4d-c3b0ee3dbc4a)
|
||||
|
||||
### Optional deployment share configuration
|
||||
|
||||
If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself.
|
||||
|
@ -42,7 +42,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|
||||
| Policy | Data type | Value | Function |
|
||||
|--------------------------|-|-|------------------------------------------------------------|
|
||||
|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
|
||||
|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
|
||||
|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Sends basic device info, including quality-related data, app compatibility, and other similar data to keep the device secure and up-to-date. For more information, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization). |
|
||||
|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|
||||
|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
|
||||
| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
|
||||
|
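Review bot: the rewritten AllowTelemetry row dropped `Individual users can still set this value lower than what the policy defines. For more information, see the following policy.`, which was the only text explaining why the ConfigureTelemetryOptInSettingsUx row directly below is needed. Keep that sentence or fold it into the new one, and fix the next row's `We recommend that you disable this policy`, which reads as "do not apply it" while its value column says `1 - Disable Telemetry opt-in Settings`; "set this policy to 1 so that users cannot lower the level" is what is meant. Also `1 - Basic` uses the old level name; the prerequisites change elsewhere in this PR uses `Required (previously Basic)`.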
@ -40,7 +40,7 @@ Before you begin the process to add Update Compliance to your Azure subscription
|
||||
- **Diagnostic data requirements**: Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at *Optional* level (previously *Full*) for Windows 11 devices or *Enhanced* level for Windows 10 devices. To learn more about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
|
||||
- **Data transmission requirements**: Devices must be able to contact specific endpoints required to authenticate and send diagnostic data. These are enumerated in detail at [Configuring Devices for Update Compliance manually](update-compliance-configuration-manual.md).
|
||||
- **Showing device names in Update Compliance**: For Windows 10, version 1803 or later, device names will not appear in Update Compliance unless you individually opt-in devices by using policy. The steps to accomplish this is outlined in [Configuring Devices for Update Compliance](update-compliance-configuration-manual.md).
|
||||
- **Azure AD device join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
|
||||
- **Azure AD device join** or **hybrid Azure AD join**: All devices enrolled in Update Compliance must meet all prerequisites for enabling Windows diagnostic data processor configuration, including the Azure AD join requirement. This prerequisite will be enforced for Update Compliance starting on October 15, 2022.
|
||||
|
||||
## Add Update Compliance to your Azure subscription
|
||||
|
||||
|
@ -25,6 +25,9 @@ ms.topic: article
|
||||
|
||||
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/).
|
||||
|
||||
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
|
||||
|
||||
> [!IMPORTANT]
|
||||
|
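Review bot: `This behavior doesn't apply to Azure Stack hyperconverged infrastructure (HCI)` is ambiguous: it can be read as "HCI gets neither set of policies" or as "HCI does get feature updates from Windows Update, so both policy sections apply". Spell out which, since the admin reading this note is deciding which sections of the page to configure.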
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Delivery Optimization Frequently Asked Questions
|
||||
ms.reviewer:
|
||||
ms.reviewer: aaroncz
|
||||
manager: dougeby
|
||||
description: The following is a list of frequently asked questions for Delivery Optimization.
|
||||
ms.prod: w10
|
||||
@ -37,17 +37,23 @@ For Delivery Optimization to successfully use the proxy, you should set up the p
|
||||
|
||||
## What hostnames should I allow through my firewall to support Delivery Optimization?
|
||||
|
||||
For communication between clients and the Delivery Optimization cloud service: **\*.do.dsp.mp.microsoft.com**.
|
||||
**For communication between clients and the Delivery Optimization cloud service**:
|
||||
|
||||
- `*.do.dsp.mp.microsoft.com`
|
||||
|
||||
**For Delivery Optimization metadata**:
|
||||
|
||||
- *.dl.delivery.mp.microsoft.com
|
||||
- *.emdl.ws.microsoft.com
|
||||
- `*.dl.delivery.mp.microsoft.com`
|
||||
- `*.emdl.ws.microsoft.com`
|
||||
|
||||
**For the payloads (optional)**:
|
||||
|
||||
- *.download.windowsupdate.com
|
||||
- *.windowsupdate.com
|
||||
- `*.download.windowsupdate.com`
|
||||
- `*.windowsupdate.com`
|
||||
|
||||
**For group peers across multiple NATs (Teredo)**:
|
||||
|
||||
- `win1910.ipv6.microsoft.com`
|
||||
|
||||
## Does Delivery Optimization use multicast?
|
||||
|
||||
|
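Review bot: the regrouped list is clearer, but the heading asks what to allow through a firewall and the answer gives only hostnames. A firewall rule needs protocol and port as well, and the groups differ: the cloud-service and metadata entries are HTTPS, while the new Teredo entry `win1910.ipv6.microsoft.com` is UDP to a Teredo server, not a web endpoint, and the peer-to-peer traffic it enables uses its own port. Add protocol and port to each group. "For the payloads (optional)" also needs one sentence on what happens when those hosts are blocked, since "optional" alone invites people to drop them without knowing what they are trading away.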
@ -147,15 +147,19 @@ S = Supported; Not considered a downgrade or an upgrade
|
||||
|
||||
**Destination Edition: (Starting)**
|
||||
|
||||
|Edition|Home|Pro|Pro for Workstations|Pro Education|Education|Enterprise LTSC|Enterprise|
|
||||
|--- |--- |--- |--- |--- |--- |--- |--- |
|
||||
|Home||||||||
|
||||
|Pro||||||||
|
||||
|Pro for Workstations||||||||
|
||||
|Pro Education||||||||
|
||||
|Education||✔|✔|✔|||S|
|
||||
|Enterprise LTSC||||||||
|
||||
|Enterprise||✔|✔|✔|S|||
|
||||
 (green checkmark) = Supported downgrade path</br>
|
||||
 (blue checkmark) = Not considered a downgrade or an upgrade<br>
|
||||
 (X) = not supported or not a downgrade</br>
|
||||
|
||||
| **Edition** | **Home** | **Pro** | **Pro for Workstations** | **Pro Education** | **Education** | **Enterprise LTSC** | **Enterprise** |
|
||||
|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |--------------------------------------------- |
|
||||
| **Home** |  |  |  |  |  |  |  |
|
||||
| **Pro** |  |  |  |  |  |  |  |
|
||||
| **Pro for Workstations** |  |  |  |  |  |  |  |
|
||||
| **Pro Education** |  |  |  |  |  |  |  |
|
||||
| **Education** |  |  |  |  |  |  |  |
|
||||
| **Enterprise LTSC** |  |  |  |  |  |  |  |
|
||||
| **Enterprise** |  |  |  |  |  |  |  |
|
||||
|
||||
> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above.
|
||||
|
||||
|
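Review bot: the markdown table uses ✔ and S, but if the legend lines below it (`(green checkmark) = Supported downgrade path`, `(blue checkmark) = Not considered a downgrade or an upgrade`, `(X) = not supported`) are kept they still describe image colours that no longer appear, and "not supported" is now an empty cell with no symbol at all. Update the legend to the symbols actually used and put an explicit marker in the unsupported cells (for example ✖ or "No") so that a screen reader, or anyone skimming, does not read an empty cell as "unknown". Also check the rows against the image table before merging: Home, Pro, Pro for Workstations, Pro Education and Enterprise LTSC are all blank in the text version, which is a lot of information to lose if any of those images had entries.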
@ -25,7 +25,7 @@ sections:
|
||||
- question: Is Windows 365 for Enterprise supported with Windows Autopatch?
|
||||
answer: |
|
||||
Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported.
|
||||
- question: Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing?
|
||||
- question: Does Windows Autopatch support Windows Education (A3/A5) or Windows Front Line Worker (F3) licensing?
|
||||
answer: |
|
||||
Autopatch isn't available for 'A' or 'F' series licensing.
|
||||
- question: Will Windows Autopatch support local domain join Windows 10?
|
||||
|
@ -11,7 +11,7 @@ ms.collection:
|
||||
- M365-modern-desktop
|
||||
- highpri
|
||||
ms.topic: tutorial
|
||||
ms.date: 05/12/2022
|
||||
ms.date: 07/12/2022
|
||||
---
|
||||
|
||||
# Demonstrate Autopilot deployment
|
||||
@ -42,14 +42,11 @@ You'll need the following components to complete this lab:
|
||||
|
||||
| Component | Description |
|
||||
|:---|:---|
|
||||
|**Windows 10 installation media**|Windows 10 Professional or Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an evaluation version of Windows 10 Enterprise.|
|
||||
|**Windows 10 installation media**|Windows 10 Enterprise ISO file for a supported version of Windows 10, general availability channel. If you don't already have an ISO to use, download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).|
|
||||
|**Internet access**|If you're behind a firewall, see the detailed [networking requirements](/mem/autopilot/software-requirements#networking-requirements). Otherwise, just make sure that you have a connection to the internet.|
|
||||
|**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
|
||||
|**An account with Azure Active Directory (Azure AD) Premium license**|This guide will describe how to get a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
|
||||
|
||||
> [!NOTE]
|
||||
> The Microsoft Evaluation Center is temporarily unavailable. To access Windows client evaluation media, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
|
||||
|
||||
## Procedures
|
||||
|
||||
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
|
||||
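Review bot: the components table now requires a Windows 10 Enterprise ISO where the old row allowed `Windows 10 Professional or Enterprise`. If Pro still works for the lab (Autopilot itself supports Pro), this narrows the audience for no reason; if something later in the lab genuinely needs Enterprise, say so in the row. Removing the Eval Center workaround note is fine now that the link is back, but that NOTE carried the `<!-- 6049663 -->` tracking comment; make sure the work item is closed rather than just losing the reference.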
@ -142,10 +139,7 @@ After you determine the ISO file location and the name of the appropriate networ
|
||||
|
||||
### Set ISO file location
|
||||
|
||||
Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise. Choose a 64-bit version.
|
||||
|
||||
> [!NOTE]
|
||||
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
|
||||
Download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise from the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). Choose a 64-bit version.
|
||||
|
||||
After you download an ISO file, the name will be long. For example, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso`
|
||||
|
||||
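Review bot: the step now says "the latest release of Windows 10 Enterprise", but the example filename just below, `19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso`, is a 20H2 build, so the two sentences disagree. Either refresh the example to a current build or say the filename is only illustrative of the naming pattern.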
@ -180,7 +174,8 @@ All VM data will be created under the current path in your PowerShell prompt. Co
|
||||
|
||||
```powershell
|
||||
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name
|
||||
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
|
||||
New-VM -Name WindowsAutopilot -MemoryStartupBytes 4GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
|
||||
Set-VMProcessor WindowsAutopilot -Count 2
|
||||
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
|
||||
Start-VM -VMName WindowsAutopilot
|
||||
```
|
||||
|
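Review bot: the memory change (2GB to 4GB) is fine, but the unchanged first line of the block, `New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name`, returns every non-virtual adapter that is Up, and on a laptop with wired and wireless both connected that is an array, which is not what a plain external switch accepts. Suggest `... | Select-Object -First 1 -ExpandProperty Name` or telling the reader to pick the adapter by name, and add that creating an external switch with `-AllowManagementOS $true` briefly drops the host's own network connection, since the lab reader is typing this into the machine they are working on.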
@ -38,3 +38,8 @@ By enabling Windows Defender Credential Guard, the following features and soluti
|
||||
- [What's New in Kerberos Authentication for Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11))
|
||||
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd378897(v=ws.10))
|
||||
- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
|
||||
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode](/shows/seth-juarez/mitigating-credential-theft-using-windows-10-isolated-user-mode)
|
||||
- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel](/shows/seth-juarez/isolated-user-mode-processes-features-in-windows-10-logan-gabriel)
|
||||
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert](/shows/seth-juarez/more-on-processes-features-in-windows-10-isolated-user-mode-dave-probert)
|
||||
- [Isolated User Mode in Windows 10 with Dave Probert](/shows/seth-juarez/isolated-user-mode-in-windows-10-dave-probert)
|
||||
- [Windows 10 Virtual Secure Mode with David Hepkin](/shows/seth-juarez/windows-10-virtual-secure-mode-david-hepkin)
|
||||
|
@ -93,7 +93,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync
|
||||
|
||||
3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent.
|
||||
|
||||
4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**.
|
||||
4. In the Graph Explorer URL, enter `https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName`, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**.
|
||||
|
||||
> [!NOTE]
|
||||
> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios.
|
||||
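Review bot: wrapping the URL in backticks is right (the `$select` would otherwise be mangled by markdown), but the note beneath it still says `Because the v1.0 endpoint of the Graph API only provides a limited set of parameters`, which is not what `$select` addresses: v1.0 returns a default set of properties and `$select` asks for additional ones such as onPremisesDistinguishedName. Reword to "properties" and drop the stray `?` in the `/graph/api/user-get?` link. Step 3 has the reader consent to `User.Read.All` "(or any other required permission)"; that is the minimum for reading another user's on-premises attributes but it normally needs admin consent, so either name a narrower permission that actually works or remove the parenthetical, which otherwise reads as an invitation to grant more.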
@ -809,143 +809,23 @@ Sign-in the NDES server with access equivalent to _local administrator_.
|
||||
|
||||
The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune.
|
||||
|
||||
### Download Intune Certificate Connector
|
||||
|
||||
Sign-in a workstation with access equivalent to a _domain user_.
|
||||
|
||||
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
|
||||
|
||||
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
|
||||
|
||||
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
|
||||
|
||||

|
||||
|
||||
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
|
||||
|
||||
5. Sign-out of the Microsoft Endpoint Manager admin center.
|
||||
|
||||
### Install the Intune Certificate Connector
|
||||
|
||||
Sign-in the NDES server with access equivalent to _domain administrator_.
|
||||
|
||||
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
|
||||
|
||||
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
|
||||
|
||||
3. On the **Microsoft Intune** page, click **Next**.
|
||||
|
||||

|
||||
|
||||
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
|
||||
|
||||
5. On the **Destination Folder** page, click **Next**.
|
||||
|
||||
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
|
||||
|
||||

|
||||
|
||||
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
|
||||
|
||||

|
||||
|
||||
> [!NOTE]
|
||||
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.

8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.

9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.



> [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.

10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.



### Configure the Intune Certificate Connector

Sign-in the NDES server with access equivalent to _domain administrator_.

1. The **NDES Connector** user interface should be open from the last task.

> [!NOTE]
> If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.

2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**



3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.



> [!IMPORTANT]
> The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails.

4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task.

To learn how to download, install, and configure the Intune Certificate Connector, see [Install the Certificate Connector for Microsoft Intune](/mem/intune/protect/certificate-connector-install).

### Configure the NDES Connector for certificate revocation (**Optional**)

Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted).
Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users are removed, deleted, or the profile is deleted). You need to select the **Certificate revocation** option during the connector configuration to enable automatic certificate revocation for certificates issued from a Microsoft Active Directory Certification Authority. Additionally, you need to enable the NDES Service account for revocation.

#### Enabling the NDES Service account for revocation
1. Sign in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.

Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_.
2. Start the **Certification Authority** management console.

1. Start the **Certification Authority** management console.
3. In the navigation pane, right-click the name of the certificate authority and select **Properties**.

2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.

3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
4. Select the **Security** tab, then select **Add**. In the **Enter the object names to select** box, enter **NDESSvc** (or the name you gave the NDES Service account). Select *Check Names*, then select **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Select **OK**.



4. Close the **Certification Authority**

#### Enable the NDES Connector for certificate revocation

Sign-in the NDES server with access equivalent to _domain administrator_.

1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).

2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.



3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.

### Test the NDES Connector

Sign-in the NDES server with access equivalent to _domain admin_.

1. Open a command prompt.

2. Type the following command to confirm the NDES Connector's last connection time is current.

```console
reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
```

3. Close the command prompt.

4. Open **Internet Explorer**.

5. In the navigation bar, type:

```console
https://[fqdnHostName]/certsrv/mscep/mscep.dll
```

where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.



6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
5. Close the **Certification Authority**.

## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile

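Review bot: the added `5. Close the **Certification Authority**.` at the end of *Test the NDES Connector* (after step 6, `Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**`) is in the wrong section and breaks the numbering. The Certification Authority console is opened under *Enabling the NDES Service account for revocation*, which is exactly where the old `4. Close the **Certification Authority**` step was deleted from; put the close step back there, after the step that grants **Issue and Manage Certificates**, and renumber that list, which now runs 1, 2, 4 because the **Security** tab step became 4 with nothing numbered 3. A sentence of context belongs there too: **Issue and Manage Certificates** is the CA's certificate-manager permission, so the NDES service account can revoke any certificate the CA issued, not only SCEP-issued ones, which is why it should stay a dedicated account with a protected password. While this file is open, fix the context-line typos `rembers`, `ON the **Ready to install` and `NetworkDeviceEnrollmentSerice` (the event source is NetworkDeviceEnrollmentService).
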
@ -4,7 +4,7 @@ description: Describes several known issues that you may encounter while using n
ms.technology: windows-sec
ms.prod: m365-security
ms.localizationpriority: medium
author: Teresa-Motiv
author: v-tappelgate
ms.author: v-tappelgate
manager: kaushika
ms.reviewer: kaushika

@ -223,7 +223,7 @@ Value | Description
**4.** | If present, Secure Memory Overwrite is available.
**5.** | If present, NX protections are available.
**6.** | If present, SMM mitigations are available.
**7.** | If present, Mode Based Execution Control is available.
**7.** | If present, MBEC/GMET is available.
**8.** | If present, APIC virtualization is available.

#### InstanceIdentifier

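Review bot: `MBEC/GMET` in the replaced row 7 is an unexpanded abbreviation in a table where every other row spells its feature out (Secure Memory Overwrite, NX protections, SMM mitigations, APIC virtualization). Expand it on first use, for example `**7.** | If present, Mode Based Execution Control (MBEC) or Guest Mode Execute Trap (GMET) is available.` GMET is AMD's equivalent of Intel's MBEC, which is presumably why the row was widened, and readers checking AMD hosts need that to know the bit applies to them.
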
@ -243,7 +243,7 @@ Value | Description
**4.** | If present, Secure Memory Overwrite is needed.
**5.** | If present, NX protections are needed.
**6.** | If present, SMM mitigations are needed.
**7.** | If present, Mode Based Execution Control is needed.
**7.** | If present, MBEC/GMET is needed.

#### SecurityServicesConfigured

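Review bot: same point as the row above: `MBEC/GMET` in this replaced row 7 should also be expanded (`Mode Based Execution Control (MBEC) or Guest Mode Execute Trap (GMET) is needed`), since the two tables are read independently and neither defines the abbreviation.
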
@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat

### Vulnerability

The **Log on as a batch job** user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.
The **Log on as a batch job** user right presents a low-risk vulnerability that allows non-administrators to perform administrator-like functions. If not assessed, understood, and restricted accordingly, attackers can easily exploit this potential attack vector to compromise systems, credentials, and data. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.

### Countermeasure

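Review bot: the two sentences added to the *Vulnerability* paragraph contradict the sentence they extend and misdescribe the right. `low-risk vulnerability that allows non-administrators to perform administrator-like functions` and `attackers can easily exploit this potential attack vector to compromise systems, credentials, and data` cannot both describe the same setting, and neither is what **Log on as a batch job** does: it only lets an account be logged on by the batch-queue facility (scheduled tasks), with whatever rights that account already holds, and grants no administrative capability. Keep the original low-risk framing and replace the new text with the real concern: an account holding this right can run scheduled-task code under its own credentials, so it should be limited to the accounts that need to run batch jobs, and granting it to broad groups widens what a compromised credential can do.
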
@ -47,9 +47,13 @@ When you enable this audit policy, it functions in the same way as the **Network

The domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain accounts**.

- Not defined
- **Enable for domain servers**

This is the same as **Disable** and results in no auditing of NTLM traffic.
The domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because the **Network security: Restrict NTLM: NTLM authentication in this domain** policy setting is set to **Deny for domain servers**.

- **Enable all**

The domain controller on which this policy is set will log all events for incoming NTLM traffic.

### Best practices

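Review bot: the hunk adds the missing **Enable for domain servers** value but does so by deleting the **Not defined** value and its description (`This is the same as **Disable** and results in no auditing of NTLM traffic.`) rather than inserting the new value next to it. Unless **Not defined** is documented elsewhere in this file, keep it, since it is the default state an admin sees in the policy editor, and make the restored bullet bold like the retained `- **Enable all**` so the three values are styled the same way.
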
@ -38,7 +38,7 @@ Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagg

## Deploy AppId Tagging Policies with MDM

Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).

## Deploy AppId Tagging Policies with Configuration Manager

@ -73,13 +73,13 @@
href: windows-defender-application-control-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with MEMCM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with Group Policy
href: deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Deploy WDAC policies with group policy
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
- name: Merge WDAC policies

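Review bot: `- name: Deploy WDAC policies with group policy` lowercases a feature name that the entry it replaces (`Deploy WDAC policies with Group Policy`), the feature-availability table in this same commit (`[Group Policy]` in the AppLocker column) and the deployment-options list (`Deploy WDAC policies via Group Policy (Windows)`) all capitalize. Keep `Group Policy`. The MEMCM to Configuration Manager rename and the `deployment/` hrefs for the MDM and Group Policy entries are consistent with the rest of the commit.
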
@ -155,10 +155,10 @@ Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPo

Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:

1. Mobile Device Management (MDM): [Deploy Windows Defender Application Control (WDAC) policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md)
1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM)](deployment/deploy-windows-defender-application-control-policies-using-intune.md)

2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md)

3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)

4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)

@ -113,3 +113,10 @@ See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-c

> [!NOTE]
> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.

### Known Issues in Multiple Policy Format

* If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b.
* If policies are loaded without requiring a reboot such as `PS_UpdateAndCompareCIPolicy`, they will still count towards this limit.
* This may pose an especially large challenge if the value of `{PolicyGUID}.cip` changes between releases. It may result in a long window between a change and the resultant reboot.

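Review bot: the new *Known Issues in Multiple Policy Format* bullets refer to `the maximum number of policies` without stating the number or pointing to where this page defines it, and the third bullet cannot be parsed as written: `if the value of {PolicyGUID}.cip changes between releases` presumably means a policy re-deployed under a new PolicyGUID counts as a new policy alongside the old file, and `a long window between a change and the resultant reboot` presumably means the crash only surfaces at the next reboot, long after the deployment that pushed the count over the limit. Spell both out and put the limit in the first bullet. Because the second bullet says policies activated without a reboot (`PS_UpdateAndCompareCIPolicy`) also count, tell admins to count the policies already active on a device before deploying another. The bug check `0x0000003b` is SYSTEM_SERVICE_EXCEPTION; naming it gives responders the string they will see in the crash dump.
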
@ -1,22 +1,19 @@
---
title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)
description: You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: security, malware
title: Deploy Windows Defender Application Control policies with Configuration Manager
description: You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
ms.prod: m365-security
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
ms.date: 07/19/2021
ms.technology: windows-sec
ms.topic: article
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: aaroncz
ms.author: jogeurte
manager: jsuther
ms.date: 06/27/2022
ms.topic: how-to
ms.localizationpriority: medium
---

# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager (MEMCM)
# Deploy WDAC policies by using Microsoft Endpoint Configuration Manager

**Applies to:**

@ -24,22 +21,70 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above

>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](../feature-availability.md).

You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.

## Use MEMCM's built-in policies
## Use Configuration Manager's built-in policies

Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:

- Windows components
- Microsoft Store apps
- Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer)
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
- (Optional) Reputable apps as defined by the Intelligent Security Graph (ISG)
- (Optional) Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.

Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
Configuration Manager doesn't remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.

### Create a WDAC Policy in Configuration Manager

1. Select **Asset and Compliance** > **Endpoint Protection** > **Windows Defender Application Control** > **Create Application Control Policy**



2. Enter the name of the policy > **Next**
3. Enable **Enforce a restart of devices so that this policy can be enforced for all processes**
4. Select the mode that you want the policy to run (Enforcement enabled / Audit Only)
5. Select **Next**



6. Select **Add** to begin creating rules for trusted software



7. Select **File** or **Folder** to create a path rule > **Browse**



8. Select the executable or folder for your path rule > **OK**



9. Select **OK** to add the rule to the table of trusted files or folder
10. Select **Next** to navigate to the summary page > **Close**



### Deploy the WDAC policy in Configuration Manager

1. Right-click the newly created policy > **Deploy Application Control Policy**



2. Select **Browse**



3. Select the Device Collection you created earlier > **OK**



4. Change the schedule > **OK**



For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).

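Review bot: steps 7 and 8 (`Select **File** or **Folder** to create a path rule`, `Select the executable or folder for your path rule`) add a path rule with no caveat, and a folder path rule is the one rule type a standard user can turn into a bypass: if the folder is writable by non-administrators, anything dropped into it runs under the policy. Add a note that path rules must point only at locations writable solely by administrators. Two smaller points: step 3 of *Deploy the WDAC policy in Configuration Manager* says `Select the Device Collection you created earlier`, but this page never creates one, so either add that step or say 'the device collection you want to target'; and the rewritten paragraph `Configuration Manager doesn't remove policies once deployed ... deploy a script to delete the policy file from disk` should name the file to delete (the Group Policy page in this commit already says policies land on the client as `SIPolicy.p7b`) and say that deleting the file only works for an unsigned policy; a signed policy needs a signed replacement that permits unsigned policies before the file can be removed.
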
@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
ms.date: 06/27/2022
ms.technology: windows-sec
---

@ -22,14 +22,13 @@ ms.technology: windows-sec

**Applies to:**

- Windows 10
- Windows 11
- Windows Server 2016 and above

>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
- Windows 10
- Windows 11
- Windows Server 2016 and above

> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
>
> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.

Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.

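Review bot: the new note's second sentence, `To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment`, reads as if Group Policy deployment stops working on 1903+, which contradicts the sentence right after it (`Single-policy format ... can be easily deployed and managed with Group Policy`). State the actual limitation: Group Policy delivers only single-policy-format policies, so it still works on 1903+ and Windows 11 as long as multiple policies (and the other features that need the 1903 policy schema) are not required, and recommend MDM or script deployment for those cases. The `../feature-availability.md` path is correct for the file's new `deployment/` location.
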
@ -41,9 +40,9 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
2. Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.

> [!NOTE]
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
> You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control lifecycle policy management](../plan-windows-defender-application-control-management.md).



3. Name the new GPO. You can choose any name.

@ -51,7 +50,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po

5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.



6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.

@ -60,7 +59,7 @@ To deploy and manage a Windows Defender Application Control policy with Group Po
> [!NOTE]
> This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.



> [!NOTE]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 04/29/2020
ms.date: 06/27/2022
ms.technology: windows-sec
---

@ -22,12 +22,12 @@ ms.technology: windows-sec

**Applies to:**

- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above

>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> [!NOTE]
> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).

You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.

@ -51,7 +51,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
## Deploy WDAC policies with custom OMA-URI

> [!NOTE]
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](../deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.

### Deploy custom WDAC policies on Windows 10 1903+

@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
- **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.

> [!div class="mx-imgBorder"]
> 
> 

> [!NOTE]
> For the _Policy GUID_ value, do not include the curly brackets.

@ -1,40 +1,35 @@
---
title: Windows Defender Application Control Feature Availability
title: Windows Defender Application Control feature availability
description: Compare Windows Defender Application Control (WDAC) and AppLocker feature availability.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: denisebmsft
ms.reviewer: jgeurten
ms.author: deniseb
manager: dansimp
ms.date: 05/09/2022
ms.custom: asr
ms.technology: windows-sec
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: aaroncz
ms.author: jogeurte
manager: jsuther
ms.date: 06/27/2022
ms.custom: asr
ms.topic: overview
---

# Windows Defender Application Control and AppLocker feature availability

**Applies to:**

- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above

>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.

| Capability | Windows Defender Application Control | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
| Management solutions | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Management solutions | <ul><li>[Intune](./deployment/deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Configuration Manager](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via software distribution)</li><li>[Group policy](./deployment/deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>Configuration Manager (custom policy deployment via software distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |

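Review bot: the rewritten *Management solutions* row carries over a markup bug from the line it replaces: the AppLocker cell ends with `<li>PowerShell</li><ul>` where the closing tag should be `</ul>`, so that cell's list is never closed. Fix it while the row is being edited. In the same row the WDAC cell now reads `[Group policy]` and the AppLocker cell `[Group Policy]`; use one spelling. The frontmatter change (dropping `keywords`, `ms.assetid`, `ms.mktglfcycl`, `ms.sitesec`, `ms.pagetype` and `audience`, adding `ms.topic: overview`) matches the Configuration Manager page in this commit.
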
After Width: | Height: | Size: 52 KiB |
After Width: | Height: | Size: 152 KiB |
After Width: | Height: | Size: 149 KiB |
After Width: | Height: | Size: 270 KiB |
After Width: | Height: | Size: 119 KiB |
After Width: | Height: | Size: 61 KiB |
After Width: | Height: | Size: 43 KiB |
After Width: | Height: | Size: 44 KiB |
After Width: | Height: | Size: 41 KiB |
After Width: | Height: | Size: 114 KiB |
@ -99,13 +99,13 @@ landingContent:
- linkListType: tutorial
links:
- text: Deployment with MDM
url: deploy-windows-defender-application-control-policies-using-intune.md
- text: Deployment with MEMCM
url: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- text: Deployment with Configuration Manager
url: deployment/deploy-wdac-policies-with-memcm.md
- text: Deployment with script and refresh policy
url: deployment/deploy-wdac-policies-with-script.md
- text: Deployment with Group Policy
url: deploy-windows-defender-application-control-policies-using-group-policy.md
- text: Deployment with group policy
url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
# Card
- title: Learn how to monitor WDAC events
linkLists:

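Review bot: `- text: Deployment with group policy` has the same lowercasing as the toc entry; keep `Group Policy` to match the page titles and the other link texts in this list (`Deployment with MDM`, `Deployment with Configuration Manager`).
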
@ -108,7 +108,7 @@ If you do not have a code signing certificate, see [Optional: Create a code sign
|
||||
> [!NOTE]
|
||||
> The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
|
||||
|
||||
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
|
||||
9. Validate the signed file. When complete, the commands should output a signed policy file called {PolicyID}.cip to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md).
|
||||
|
||||
> [!NOTE]
|
||||
> The device with the signed policy must be rebooted one time with Secure Boot enabled for the UEFI lock to be set.
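Review bot: Only the link target in step 9 changes while the link text still reads "Deploy and manage Windows Defender Application Control with Group Policy"; confirm that `deployment/deploy-windows-defender-application-control-policies-using-group-policy.md` keeps that title after the move, otherwise the visible text and the target page drift apart. It is also worth confirming that the old path `deploy-windows-defender-application-control-policies-using-group-policy.md` is covered by a redirect, since this signing guide is the page people bookmark when they first enable the UEFI lock and its outbound link should not start 404ing on older copies.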
@ -129,5 +129,5 @@ Packaged apps are not supported with the Microsoft Intelligent Security Graph he
The ISG doesn't authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run.
>[!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
> [!NOTE]
> A rule that explicitly denies or allows a file will take precedence over that file's reputation data. Microsoft Endpoint Manager Intune's built-in Windows Defender Application Control support includes the option to trust apps with good reputation via the Microsoft Intelligent Security Graph, but it has no option to add explicit allow or deny rules. In most circumstances, customers enforcing application control need to deploy a custom WDAC policy (which can include the Microsoft Intelligent Security Graph option if desired) using [Intune's OMA-URI functionality](deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
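Review bot: The new target `deployment/deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri` carries an anchor fragment that is derived from a heading in the moved file; verify that heading survived the move unchanged, or the link will silently land at the top of the page and readers will miss the OMA-URI section the note is steering them to. The `>[!NOTE]` to `> [!NOTE]` change is a good catch, as it brings this alert in line with the `> [!NOTE]` form used in the other files in this PR.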
@ -1,21 +1,16 @@
---
title: Deploying Windows Defender Application Control (WDAC) policies (Windows)
title: Deploying Windows Defender Application Control (WDAC) policies
description: Learn how to plan and implement a WDAC deployment.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 05/16/2018
ms.technology: windows-sec
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: aaroncz
ms.author: jogeurte
manager: jsuther
ms.date: 06/27/2022
ms.topic: overview
---
# Deploying Windows Defender Application Control (WDAC) policies
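Review bot: The frontmatter rewrite (dropping `keywords`, `ms.assetid`, `ms.mktglfcycl`, `ms.sitesec` and `ms.pagetype`, swapping `author`, `ms.reviewer`, `ms.author` and `manager`, and adding `ms.topic: overview`) is unrelated to the file moves that the rest of this PR is about. Consider splitting the metadata refresh into its own commit so the path changes and their redirects can be reviewed in isolation; as it stands a reviewer checking that every moved file is redirected has to read past ownership churn to find them. The `ms.date` bump to 06/27/2022 is appropriate given the body text also changes in the next hunk.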
@ -41,7 +36,7 @@ All Windows Defender Application Control policy changes should be deployed in au
There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:
1. [Deploy using a Mobile Device Management (MDM) solution](deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
2. [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
3. [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
4. [Deploy via Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md)
- [Deploy using a Mobile Device Management (MDM) solution](deployment/deploy-windows-defender-application-control-policies-using-intune.md), such as Microsoft Intune
- [Deploy using Microsoft Endpoint Configuration Manager](deployment/deploy-wdac-policies-with-memcm.md)
- [Deploy via script](deployment/deploy-wdac-policies-with-script.md)
- [Deploy via group policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
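Review bot: Converting the numbered list to bullets is fine, since the lead-in "There are several options to deploy Windows Defender Application Control policies to managed endpoints, including:" implies no ordering or preference, but `- [Deploy via group policy]` lowercases "Group Policy" in the same hunk that keeps "Microsoft Endpoint Configuration Manager" and "Microsoft Intune" capitalized. Use `- [Deploy via Group Policy](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)` so the four options are styled consistently.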
@ -48,7 +48,7 @@ The blocking filters can be categorized under these filter origins:
g. Windows Service Hardening (WSH) default
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in Iron release.
The next section describes the improvements made to audits 5157 and 5152, and how the above filter origins are used in these events. These improvements were added in the Windows Server 2022 and Windows 11 releases.
## Improved firewall audit
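Review bot: Replacing the internal codename "Iron" with shipping product names is the right fix, but "These improvements were added in the Windows Server 2022 and Windows 11 releases" can be read as if only those two releases carry the improved 5152/5157 audit fields. "starting with Windows Server 2022 and Windows 11" states the minimum version without excluding later ones. That floor is what a detection engineer needs: it tells them which hosts' 5152 and 5157 events can be parsed with the filter-origin fields this section goes on to describe, and which older hosts will still emit the legacy form.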
@ -112,7 +112,7 @@ An array of folders, each representing a location on the host machine that will
### Logon command
Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. The container user account should be an administrator account.
```xml
<LogonCommand>
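Review bot: The added sentence "The container user account should be an administrator account." reads as a recommendation the reader has to act on, yet the container user is created by Windows Sandbox rather than configured in the `.wsb` file. If the intent is to document that the account has administrative rights inside the sandbox, state it as a fact ("The container user account is an administrator account in the sandbox"). Stating it plainly also matters for the security reading of `<LogonCommand>`: whatever the command launches, including anything it pulls from the mapped folders described earlier in this file, runs with administrator rights inside the container, which is the caveat anyone pointing the logon command at an untrusted payload needs to see next to the setting.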