From 11d6e0a8e027f07d19a140776eb60fcc9dec74ee Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 22 Apr 2020 13:49:44 -0700 Subject: [PATCH 01/16] fix link --- ...-a-custom-windows-pe-boot-image-with-configuration-manager.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index 091ae48f32..487840d670 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -90,7 +90,6 @@ Next, see [Add a Windows 10 operating system image using Configuration Manager]( ## Related topics -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
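Review bot: the commit message says "fix link", but the `@@ -90,7 +90,6 @@` hunk under `## Related topics` only deletes the `[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)` entry rather than correcting it. If the target article no longer exists, say so in the commit message; if it moved, replace the removed line with the corrected relative path instead of dropping the cross-reference.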
From 1d4a4c8bc565dfeba2586985c7ea5fb659e43537 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Mon, 27 Apr 2020 10:09:45 -0700 Subject: [PATCH 02/16] Edit pass: enterprisedataprotection-csp.md @Dansimp The edit is complete on this article. Please review and let me know if you'd like to make any changes before we merge. Thanks! Kelly --- .../mdm/enterprisedataprotection-csp.md | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 70759a6c03..4b8f0cc80e 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -14,17 +14,17 @@ ms.date: 08/09/2017 # EnterpriseDataProtection CSP -The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). +The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). -> **Note**   ->- To make WIP functional the AppLocker CSP and the network isolation specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). ->- This CSP was added in Windows 10, version 1607. +> [!Note]   +> - To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). +> - This CSP was added in Windows 10, version 1607. While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). 
-To learn more about WIP, see the following TechNet topics: +To learn more about WIP, see the following TechNet articles: - [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) @@ -56,13 +56,14 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. -> **Note**  The client requires domain name to be canonical, otherwise the setting will be rejected by the client. +> [!Note]   +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client.

Here are the steps to create canonical domain names: -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. +1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). @@ -95,16 +96,18 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. -> **Note**  This setting is only supported in Windows 10 Mobile. +> [!Note]   +> This setting is only supported in Windows 10 Mobile.

Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/DataRecoveryCertificate** -

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy. +

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. -> **Note**  If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. +> [!Note]   +> If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.

DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. The binary blob is the serialized version of following structure: @@ -246,7 +249,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (default) - Revoke keys @@ -254,7 +257,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/RMSTemplateIDForEDP** -

TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. +

TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.

Supported operations are Add, Get, Replace and Delete. Value type is string (GUID). @@ -267,12 +270,12 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

Supported operations are Add, Get, Replace and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -

Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +

Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list.

When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.

Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** -

Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. +

Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.

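Review bot: in the `@@ -267,12 +270,12 @@` hunk the acronym expansion introduces a grammar error: `+... when copying from an Server Message Block (SMB) share ...` should read `a Server Message Block (SMB) share`, since the article now precedes "Server" rather than "SMB".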
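Review bot: in the `@@ -14,17 +14,17 @@` hunk, and again in the `-56` and `-95` hunks, the new `> [!Note]   ` lines carry trailing spaces after the closing bracket. The alert syntax needs nothing after `[!Note]`, and the extra whitespace only adds noise to later diffs; drop it before merging.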
The following list shows the supported values: From 47b874eea703ed73db5f64a6b263f66cea702714 Mon Sep 17 00:00:00 2001 From: Kelly Baker Date: Mon, 27 Apr 2020 10:27:48 -0700 Subject: [PATCH 03/16] Update enterprisedataprotection-csp.md --- .../mdm/enterprisedataprotection-csp.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 4b8f0cc80e..b089a046b0 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -49,7 +49,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. - 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). - 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames**

A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. @@ -67,7 +67,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). -

Supported operations are Add, Get, Replace and Delete. Value type is string. +

Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption**

Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. @@ -82,7 +82,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

Most restricted value is 0. -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RequireProtectionUnderLockConfig**

Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. @@ -101,7 +101,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/DataRecoveryCertificate**

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. @@ -236,7 +236,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG {

For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. -

Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate. +

Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll**

This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. @@ -246,7 +246,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { - 0 – Don't revoke keys. - 1 (default) – Revoke keys. -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff**

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. @@ -254,12 +254,12 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { - 0 - Don't revoke keys - 1 (default) - Revoke keys -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RMSTemplateIDForEDP**

TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. -

Supported operations are Add, Get, Replace and Delete. Value type is string (GUID). +

Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). **Settings/AllowAzureRMSForEDP**

Specifies whether to allow Azure RMS encryption for WIP. @@ -267,7 +267,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { - 0 (default) – Don't use RMS. - 1 – Use RMS. -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions**

Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. @@ -282,7 +282,7 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { - 0 (default) - No WIP overlays on icons or tiles. - 1 - Show WIP overlays on protected files and apps that can only create enterprise content. -

Supported operations are Add, Get, Replace and Delete. Value type is integer. +

Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Status**

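Review bot: the serial-comma edit is incomplete. Between the `@@ -267,7 +267,7 @@` and `@@ -282,7 +282,7 @@` hunks, the `Supported operations are Add, Get, Replace and Delete. Value type is string.` line under **Settings/SMBAutoEncryptedFileExtensions** is left untouched, so it is now the only `Supported operations` line in the file without the comma; add it to this patch for consistency.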
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. From dd3131a49c288c5f939c348088128d1b1f944668 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 1 May 2020 14:33:48 -0700 Subject: [PATCH 04/16] trying to fix note formatting --- windows/client-management/mdm/enterprisedataprotection-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index b089a046b0..d9ee967eef 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -17,7 +17,7 @@ ms.date: 08/09/2017 The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). > [!Note]   -> - To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). +> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). > - This CSP was added in Windows 10, version 1607. From 4724eeb3a2e7ffa340b0acbe4b973671fd9ebaf5 Mon Sep 17 00:00:00 2001 
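Review bot: the `@@ -17,7 +17,7 @@` hunk drops the `- ` from only the first note item, so the block becomes a plain paragraph (`> To make WIP functional, ...`) followed by a one-item list (`> - This CSP was added in Windows 10, version 1607.`). Either remove the bullet from the second line as well or keep both lines as bullets; mixing the two renders inconsistently.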
From: Thomas Raya Date: Mon, 4 May 2020 15:53:54 -0700 Subject: [PATCH 05/16] Update enterprisedataprotection-csp.md Remove extra spaces to the right of the NOTE declaration on line 19 --- windows/client-management/mdm/enterprisedataprotection-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index d9ee967eef..2d8a4566b7 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -16,7 +16,7 @@ ms.date: 08/09/2017 The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). -> [!Note]   +> [!Note] > To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). > - This CSP was added in Windows 10, version 1607. From cf6552de452c51c2c6da50c4184cd2ed60d3373f Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Mon, 4 May 2020 16:32:41 -0700 Subject: [PATCH 06/16] Update enterprisedataprotection-csp.md remove extra spaces after [NOTE] declaration in lines 59, 99 and 109. --- .../client-management/mdm/enterprisedataprotection-csp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 2d8a4566b7..f1b700570f 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md 
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -56,7 +56,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. -> [!Note]   +> [!Note] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. @@ -96,7 +96,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format.

The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. -> [!Note]   +> [!Note] > This setting is only supported in Windows 10 Mobile. @@ -106,7 +106,7 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. **Settings/DataRecoveryCertificate**

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. -> [!Note]   +> [!Note] > If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.

DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. From 294a18829bb7d88fb88747bd2b4bd8c973245f4b Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Mon, 4 May 2020 17:03:23 -0700 Subject: [PATCH 07/16] removed unecessary code --- .../mdm/enterprisedataprotection-csp.md | 91 +++++++++---------- 1 file changed, 45 insertions(+), 46 deletions(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index f1b700570f..087a86e9a8 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -34,82 +34,82 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. ![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png) **./Device/Vendor/MSFT/EnterpriseDataProtection** -

The root node for the CSP. +The root node for the CSP. **Settings** -

The root node for the Windows Information Protection (WIP) configuration settings. +The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -

Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. -

The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Off / No protection (decrypts previously protected data). - 1 – Silent mode (encrypt and audit only). - 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). - 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -

A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. -

Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. +Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. > [!Note] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -

Here are the steps to create canonical domain names: +Here are the steps to create canonical domain names: 1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). -

Supported operations are Add, Get, Replace, and Delete. Value type is string. +Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption** -

Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. +Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. > [!IMPORTANT] > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. -

The following list shows the supported values: +The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed. -

Most restricted value is 0. +Most restricted value is 0. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RequireProtectionUnderLockConfig** -

Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. +Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. -

The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Not required. - 1 – Required. -

Most restricted value is 1. +Most restricted value is 1. -

The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. +The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. > [!Note] > This setting is only supported in Windows 10 Mobile. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/DataRecoveryCertificate** -

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. +Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. > [!Note] > If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. -

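Review bot: since the `@@ -34,82 +34,82 @@` hunk re-emits the **Settings/EnterpriseProtectedDomainNames** paragraph as a `+` line anyway, fix the two defects it carries: `pipes ("|").The first domain` is missing a space after the period, and `User identities from one of these domains is considered` should be `are considered`.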
DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. +DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. The binary blob is the serialized version of following structure: ``` syntax @@ -234,60 +234,59 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { ``` -

For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. +For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. -

Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. +Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -

This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. -

The following list shows the supported values: +The following list shows the supported values: - 0 – Don't revoke keys. - 1 (default) – Revoke keys. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (default) - Revoke keys -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RMSTemplateIDForEDP** -

TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. +TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. -

Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). +Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). **Settings/AllowAzureRMSForEDP** -

Specifies whether to allow Azure RMS encryption for WIP. +Specifies whether to allow Azure RMS encryption for WIP. - 0 (default) – Don't use RMS. - 1 – Use RMS. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -

Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. -

When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. -

Supported operations are Add, Get, Replace and Delete. Value type is string. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** -

Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. - -

The following list shows the supported values: +Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. +The following list shows the supported values: - 0 (default) - No WIP overlays on icons or tiles. - 1 - Show WIP overlays on protected files and apps that can only create enterprise content. -

Supported operations are Add, Get, Replace, and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Status** -

A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. +A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. -

Suggested values: +Suggested values: @@ -322,13 +321,13 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { -

Bit 0 indicates whether WIP is on or off. +Bit 0 indicates whether WIP is on or off. -

Bit 1 indicates whether AppLocker WIP policies are set. +Bit 1 indicates whether AppLocker WIP policies are set. -

Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). -

Here's the list of mandatory WIP policies: +Here's the list of mandatory WIP policies: - EDPEnforcementLevel in EnterpriseDataProtection CSP - DataRecoveryCertificate in EnterpriseDataProtection CSP @@ -336,9 +335,9 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { - NetworkIsolation/EnterpriseIPRange in Policy CSP - NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP -

Bits 2 and 4 are reserved for future use. +Bits 2 and 4 are reserved for future use. -

Supported operation is Get. Value type is integer. +Supported operation is Get. Value type is integer. From 945ba0b862f25cdd2d57e1ed5a9809ff40ea01ea Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Tue, 5 May 2020 10:34:15 -0700 Subject: [PATCH 08/16] removed reference to TechNet --- windows/client-management/mdm/enterprisedataprotection-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 087a86e9a8..8cc8149b7f 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -24,7 +24,7 @@ The EnterpriseDataProtection configuration service provider (CSP) is used to con While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). -To learn more about WIP, see the following TechNet articles: +To learn more about WIP, see the following articles: - [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) From 91ecbd1e8c0618b528a884b8bd2da4d2e08d040a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 May 2020 11:13:58 -0700 Subject: [PATCH 09/16] Update enable-attack-surface-reduction.md --- .../enable-attack-surface-reduction.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 9b5990bdb7..33f69364a7 100644 
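Review bot: The edit pass leaves several defects in the first hunk's own added lines. The Settings/SMBAutoEncryptedFileExtensions text still reads "when copying from an Server Message Block (SMB) share" (should be "a Server Message Block"), Settings/RMSTemplateIDForEDP still says "who has access to RMS-protected file" (should be "files"), and the SMB paragraph's "Supported operations are Add, Get, Replace and Delete" lacks the serial comma every other node uses. The RevokeOnUnenroll paragraph's closing sentence is also hard to parse; suggest "If you want the device to perform a selective wipe when it is unenrolled, explicitly set this policy to 1 before sending the unenroll command." Finally the value lists are inconsistent within the hunk: RevokeOnUnenroll and AllowAzureRMSForEDP use an en dash ("0 – Don't revoke keys.") while RevokeOnMDMHandoff uses a hyphen and no trailing period ("0 - Don't revoke keys"); pick one form.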
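Review bot: In the Status hunk (@@ -322,13 +321,13 @@) two small wording issues survive the edit pass: "the current state of WIP on the Device" capitalizes "Device" without reason, and "the bit 3 is set to 0 (zero)" should be "bit 3 is set to 0". Since this is the only place the bit layout is documented, it would also help the reader to state the bit numbering explicitly (bit 0 is the least significant bit) rather than leaving it implied; the text currently defines bits 0, 1 and 3 and reserves 2 and 4 without saying which end the count starts from.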
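Review bot: The PATCH 08 hunk changes the lead-in to "To learn more about WIP, see the following articles:" but the two links that follow still point at technet.microsoft.com/itpro/windows/keep-secure/…, so the text no longer says "TechNet" while the links still go there. If the goal is to stop referencing TechNet, the link targets should be updated to their current docs.microsoft.com equivalents in the same change; otherwise the commit message "removed reference to TechNet" overstates what was done.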
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 +ms.date: 05/05/2020 ms.reviewer: manager: dansimp --- @@ -43,16 +43,10 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. -> [!WARNING] +> [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. -> > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). -> [!IMPORTANT] -> File and folder exclusions do not apply to the following ASR rules: -> -> * Block process creations originating from PSExec and WMI commands -> * Block JavaScript or VBScript from launching downloaded executable content You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. From 40a8d48ae3ba1533f0abdfd26c30f4faadbe1cb8 Mon Sep 17 00:00:00 2001 
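Review bot: The second hunk (@@ -43,16 +43,10 @@) deletes the entire "[!IMPORTANT]" block stating that file and folder exclusions do not apply to "Block process creations originating from PSExec and WMI commands" and "Block JavaScript or VBScript from launching downloaded executable content", but the commit message ("Update enable-attack-surface-reduction.md") does not say whether that behaviour changed or the note was wrong. If exclusions now apply to those two rules, say so in the commit message; if they still do not, the caveat must stay, because an admin who adds an exclusion will otherwise assume it takes effect for every rule. The same hunk also downgrades the exclusion note from "[!WARNING]" to "[!IMPORTANT]" even though the text still says excluded files "will be allowed to run, and no report or event will be recorded"; a silent loss of visibility is exactly what the stronger callout is for, so the downgrade deserves a justification.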
From: Denise Vangel-MSFT Date: Tue, 5 May 2020 11:41:46 -0700 Subject: [PATCH 10/16] Update attack-surface-reduction-rules-in-windows-10-enterprise-e3.md --- ...ction-rules-in-windows-10-enterprise-e3.md | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 7dfd283a11..c2f19fa10a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -20,6 +20,7 @@ ms.custom: asr **Applies to:** +- Windows 10 Enterprise E5 - Windows 10 Enterprise E3 Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. 
@@ -28,19 +29,21 @@ A limited subset of basic attack surface reduction rules can technically be used Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -The limited subset of rules that can be used in Windows 10 Enterprise E3 include: - -- Block executable content from email client and webmail -- Block all Office applications from creating child processes -- Block Office applications from creating executable content -- Block Office applications from injecting code into other processes -- Block JavaScript or VBScript from launching downloaded executable content -- Block execution of potentially obfuscated scripts -- Block Win32 API calls from Office macro -- Use advanced protection against ransomware -- Block credential stealing from the Windows local security authority subsystem (lsass.exe) -- Block process creations originating from PSExec and WMI commands -- Block untrusted and unsigned processes that run from USB +|Rule |Windows E3 |Windows E5 | +|--|--|--| +[Block executable content from email client and webmail](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) |Yes |Yes | +|[Block all Office applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) |Yes |Yes | +|[Block Office applications from creating executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) |Yes |Yes | +|[Block Office applications from injecting code into other 
processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) |Yes |Yes | +|[Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) |Yes |Yes | +|[Block execution of potentially obfuscated scripts](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) |Yes |Yes | +|[Block Win32 API calls from Office macros](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) |Yes |Yes | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | | | +|[Use advanced protection against ransomware](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) | | | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | | | +|[Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) 
| | | +|Block process creations originating from PSExec and WMI commands | | | +| Block untrusted and unsigned processes that run from USB | | | For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md). From e31804ce155c24d1c8014d86efd13aa6c68c651e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 May 2020 12:25:30 -0700 Subject: [PATCH 11/16] Update attack-surface-reduction-rules-in-windows-10-enterprise-e3.md --- ...ction-rules-in-windows-10-enterprise-e3.md | 41 +++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index c2f19fa10a..0eeee01dff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
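Review bot: The table introduced in the second hunk (@@ -28,19 +29,21 @@) has a duplicate row: "Block untrusted and unsigned processes that run from USB" appears once as a link and again two rows later as plain text, and "Block process creations originating from PSExec and WMI commands" is the only rule without a link. The first data row is also missing its leading "|" (it starts "[Block executable content from email client and webmail](…) |Yes |Yes |") while every other row has one. Finally, the last six rows leave both the Windows E3 and Windows E5 cells empty, which tells the reader nothing; the bulleted list this table replaces named the ransomware, lsass.exe, PSExec/WMI and USB rules as usable on E3, so those cells should at least say Yes rather than shipping blank.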
@@ -31,26 +31,25 @@ Attack surface reduction rules are supported on Windows Server 2019 as well as W |Rule |Windows E3 |Windows E5 | |--|--|--| -[Block executable content from email client and webmail](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) |Yes |Yes | -|[Block all Office applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) |Yes |Yes | -|[Block Office applications from creating executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) |Yes |Yes | -|[Block Office applications from injecting code into other processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) |Yes |Yes | -|[Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) |Yes |Yes | -|[Block execution of potentially obfuscated scripts](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) |Yes |Yes | -|[Block Win32 API calls from Office macros](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) |Yes |Yes | -|[Block executable files from running unless they meet a prevalence, age, or trusted list 
criterion](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | | | -|[Use advanced protection against ransomware](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) | | | -|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | | | -|[Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) | | | -|Block process creations originating from PSExec and WMI commands | | | -| Block untrusted and unsigned processes that run from USB | | | +[Block executable content from email client and webmail](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) |Yes |Yes | +|[Block all Office applications from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-all-office-applications-from-creating-child-processes) |Yes |Yes | +|[Block Office applications from creating executable content](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-creating-executable-content) |Yes |Yes | +|[Block Office applications from injecting code into other 
processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-applications-from-injecting-code-into-other-processes) |Yes |Yes | +|[Block JavaScript or VBScript from launching downloaded executable content](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-javascript-or-vbscript-from-launching-downloaded-executable-content) |Yes |Yes | +|[Block execution of potentially obfuscated scripts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-execution-of-potentially-obfuscated-scripts) |Yes |Yes | +|[Block Win32 API calls from Office macros](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-win32-api-calls-from-office-macros) |Yes |Yes | +|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | |Yes | +|[Use advanced protection against ransomware](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#use-advanced-protection-against-ransomware) |Yes |Yes | +|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-credential-stealing-from-the-windows-local-security-authority-subsystem) |Yes |Yes | +|[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands) |Yes |Yes | 
+|[Block untrusted and unsigned processes that run from USB](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-untrusted-and-unsigned-processes-that-run-from-usb) |Yes |Yes | +|[Block Office communication applications from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-office-communication-application-from-creating-child-processes) | |Yes | +|[Block Adobe Reader from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes) | |Yes | +|[Block persistence through WMI event subscription](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription) | |Yes | -For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md). - ## Related topics - -Topic | Description ----|--- -[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. -[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. -[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. 
+ ## Related articles +- [Attack surface reduction rules](attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Customize attack surface reduction rules](customize-attack-surface-reduction.md) From 4c94b4be4920d5f505e6eedac5c49e137db6f548 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 May 2020 12:30:14 -0700 Subject: [PATCH 12/16] Update attack-surface-reduction-rules-in-windows-10-enterprise-e3.md --- ...ack-surface-reduction-rules-in-windows-10-enterprise-e3.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index 0eeee01dff..c9f391d415 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
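Review bot: The rebuilt table in this hunk (@@ -31,26 +31,25 @@) fixes the duplicate USB row and the missing PSExec/WMI link, but the first data row still lacks its leading "|" ("[Block executable content from email client and webmail](…) |Yes |Yes |") while every other row has one; add it for consistency. Empty cells are still used to mean "not available" for the E5-only rules (prevalence/age criterion, Office communication applications, Adobe Reader, WMI event subscription); an explicit "No" is clearer than a blank, which a reader can read as "unknown". The hunk also replaces the "Related topics" table with a bare "Related articles" list and drops the one-line descriptions; that is reasonable, but the commit message ("Update attack-surface-reduction-rules-in-windows-10-enterprise-e3.md") should mention it.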
@@ -25,10 +25,10 @@ ms.custom: asr Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. -A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. - Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. +To get the best protection, Windows Enterprise E5 enrollment is recommended. However, a limited subset of basic attack surface reduction rules can be used with Windows 10 Enterprise E3 (without the benefits of reporting, monitoring, and analytics). The following table lists attack surface reduction rules available in Windows E3 and Windows E5. + |Rule |Windows E3 |Windows E5 | |--|--|--| [Block executable content from email client and webmail](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-executable-content-from-email-client-and-webmail) |Yes |Yes | From df024d04f88d23e3d828b0c82adc166f17313cd2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 May 2020 12:36:09 -0700 Subject: [PATCH 13/16] Update attack-surface-reduction-rules-in-windows-10-enterprise-e3.md --- ...urface-reduction-rules-in-windows-10-enterprise-e3.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) 
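Review bot: The added sentence in this hunk uses "Windows Enterprise E5" and "Windows E3 and Windows E5" while the Applies to list and the preceding paragraph say "Windows 10 Enterprise E5" and "Windows 10 Enterprise E3"; use one product name throughout the article. Otherwise the replacement keeps the substance of the removed paragraph (E3 gets the rules without reporting, monitoring and analytics), so the rewording is fine.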
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index c9f391d415..f715c377b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -1,6 +1,6 @@ --- title: Use attack surface reduction rules in Windows 10 Enterprise E3 -description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -23,11 +23,7 @@ ms.custom: asr - Windows 10 Enterprise E5 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. - -Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - -To get the best protection, Windows Enterprise E5 enrollment is recommended. However, a limited subset of basic attack surface reduction rules can be used with Windows 10 Enterprise E3 (without the benefits of reporting, monitoring, and analytics). The following table lists attack surface reduction rules available in Windows E3 and Windows E5. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction includes the rules, monitoring, reporting, and analytics necessary for deployment, and this is included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). These capabilities require the Windows 10 Enterprise E5 license. However, a limited subset of basic attack surface reduction rules can be used with Windows 10 Enterprise E3 (without the benefits of reporting, monitoring, and analytics). The table below lists attack surface reduction rules available in Windows E3 and Windows E5. |Rule |Windows E3 |Windows E5 | |--|--|--| 
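Review bot: In the merged paragraph of this hunk, "and this is included in [Microsoft Defender Advanced Threat Protection](…)" has an unclear antecedent (the rules, the monitoring and analytics, or all of it?), and four long sentences are now run into a single block. Suggest splitting it, e.g. "The monitoring, reporting, and analytics for these rules are part of Microsoft Defender Advanced Threat Protection and require the Windows 10 Enterprise E5 license." The hunk also removes the Windows Server 2019 support sentence; since the next hunk re-adds it after the table, that is a move, not a deletion, and the commit message could say so.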
@@ -47,6 +43,7 @@ To get the best protection, Windows Enterprise E5 enrollment is recommended. How |[Block Adobe Reader from creating child processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-adobe-reader-from-creating-child-processes) | |Yes | |[Block persistence through WMI event subscription](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-persistence-through-wmi-event-subscription) | |Yes | +Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. ## Related articles - [Attack surface reduction rules](attack-surface-reduction.md) From f26b9439f1e7c129f32877632c5ced8b491e5108 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 May 2020 12:37:13 -0700 Subject: [PATCH 14/16] Update attack-surface-reduction-rules-in-windows-10-enterprise-e3.md --- ...ttack-surface-reduction-rules-in-windows-10-enterprise-e3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md index f715c377b6..1208a74f4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md 
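Review bot: In the third hunk (@@ -47,6 +43,7 @@) the added line "Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients." sits directly after the last table row with no blank line between them. In GitHub-flavored Markdown a pipe table continues until an empty line or another block starts, so depending on the renderer this sentence can be swallowed into the table as a one-cell row instead of rendering as a paragraph; insert a blank line before it and keep the existing blank line before "## Related articles".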
@@ -23,7 +23,7 @@ ms.custom: asr - Windows 10 Enterprise E5 - Windows 10 Enterprise E3 -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction includes the rules, monitoring, reporting, and analytics necessary for deployment, and this is included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). These capabilities require the Windows 10 Enterprise E5 license. However, a limited subset of basic attack surface reduction rules can be used with Windows 10 Enterprise E3 (without the benefits of reporting, monitoring, and analytics). The table below lists attack surface reduction rules available in Windows E3 and Windows E5. +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction includes the rules, monitoring, reporting, and analytics necessary for deployment, and this is included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). These capabilities require the Windows 10 Enterprise E5 license. A limited subset of basic attack surface reduction rules can be used with Windows 10 Enterprise E3 (without the benefits of reporting, monitoring, and analytics). The table below lists attack surface reduction rules available in Windows E3 and Windows E5. |Rule |Windows E3 |Windows E5 | |--|--|--| From b1aa1c017d73aa2381dd8bd3acd29eedfd727b28 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 5 May 2020 12:38:39 -0700 Subject: [PATCH 15/16] Update enable-attack-surface-reduction.md --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 33f69364a7..9115bc352e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Enable ASR rules individually to protect your organization +title: Enable attack surface reduction rules individually to protect your organization description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh From 6eb3ae7bcf97be7ffa666668112166f8a43db74b Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 5 May 2020 15:19:30 -0700 Subject: [PATCH 16/16] add protected trust --- devices/surface/windows-autopilot-and-surface-devices.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 0860600d05..8e719279f3 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md 
@@ -55,7 +55,8 @@ Surface partners that are enabled for Windows Autopilot include: | * [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface/windows-autopilot.html) | * [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) | | | * [SHI](https://www.shi.com/Surface) | * [Cancom](https://www.cancom.de/) | | | * [LDI Connect](https://www.myldi.com/managed-it/) | * [Computacenter](https://www.computacenter.com/uk) | | -| * [F1](https://www.functiononeit.com/#empower) | | +| * [F1](https://www.functiononeit.com/#empower) | | | +| * [Protected Trust](https://go.microsoft.com/fwlink/p/?LinkID=2129005) | | | ## Learn more
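Review bot: In PATCH 13 (attack-surface-reduction-rules-in-windows-10-enterprise-e3.md, hunk `@@ -47,6 +43,7 @@`), the added sentence "Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients." is inserted between the last table row (`|[Block persistence through WMI event subscription]... | |Yes |`) and the `## Related articles` heading; please confirm a blank line separates it from the table row, since Markdown renderers treat a non-blank line that follows a table row as part of the table and the sentence would then be swallowed as a malformed row instead of rendering as a paragraph. Since the sentence describes the platform scope of the whole table, consider placing it in the intro paragraph above the table rather than as a trailing line after it.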
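Review bot: In PATCH 14 (same file, hunk `@@ -23,7 +23,7 @@`), the rewritten paragraph still closes with "available in Windows E3 and Windows E5", which does not match the "Windows 10 Enterprise E3" and "Windows 10 Enterprise E5" wording used earlier in the same paragraph and in the applies-to bullets directly above it; since this line is already being touched, align the final sentence to the full product names (or at least to "Enterprise E3/E5") so the table's column headers and the prose name the same SKUs. Dropping "However," is fine; the contrast between the E5 requirement and the E3 subset still reads clearly.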
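Review bot: In PATCH 16 (windows-autopilot-and-surface-devices.md, hunk `@@ -55,7 +55,8 @@`), the new Protected Trust row links through a `https://go.microsoft.com/fwlink/p/?LinkID=2129005` redirect, while every other partner row in the hunk links directly to the partner's own site; either use the partner's direct URL for consistency, or confirm the fwlink is intentional, since fwlink targets are maintained outside this repo and can change without a docs change, and readers hovering the link see a Microsoft URL rather than the partner's. The accompanying fix to the F1 row (two cells to three, matching the three-cell rows above it) is correct and should be called out in the commit message alongside "add protected trust".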
