From 5a51181c75aafc19ee66ba46e00e4396080bfc1f Mon Sep 17 00:00:00 2001 From: qrscharmed <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 10 Apr 2018 15:00:11 -0700 Subject: [PATCH 1/5] Update wd-app-guard-overview.md --- .../wd-app-guard-overview.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index a9148f2252..7e437ce4b1 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -13,7 +13,8 @@ ms.date: 10/23/2017 # Windows Defender Application Guard overview **Applies to:** -- Windows 10 Enterprise edition, version 1709 +- Windows 10 Enterprise edition, version 1709 or higher +- Windows 10 Professional edition, version 1803 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. @@ -27,7 +28,7 @@ If an employee goes to an untrusted site through either Microsoft Edge or Intern ![Hardware isolation diagram](images/appguard-hardware-isolation.png) ### What types of devices should use Application Guard? -Application Guard has been created to target 3 types of enterprise systems: +Application Guard has been created to target several types of systems: - **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. @@ -35,6 +36,8 @@ Application Guard has been created to target 3 types of enterprise systems: - **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. +- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside. + ## In this section |Topic |Description | |------|------------| @@ -42,4 +45,4 @@ Application Guard has been created to target 3 types of enterprise systems: |[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.| -|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| \ No newline at end of file +|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.| From 870e16f9c201cf4a00afd5e042cef8adbe75d4d3 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 11 Apr 2018 00:06:12 +0000 Subject: [PATCH 2/5] Merged PR 7060: Fix typo (issue #691) --- windows/configuration/ue-v/uev-getting-started.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 5ec8571305..301f4a7b07 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -16,8 +16,8 @@ ms.date: 03/08/2018 Follow the steps in this topic to deploy User Experience Virtualization (UE-V) for the first time in a test environment. Evaluate UE-V to determine whether it’s the right solution to manage user settings across multiple devices within your enterprise. ->**Note** -The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md). +>[!NOTE] +>The information in this section is explained in greater detail throughout the rest of the documentation. If you’ve already determined that UE-V is the right solution and you don’t need to further evaluate it, see [Prepare a UE-V deployment](uev-prepare-for-deployment.md). The standard installation of UE-V synchronizes the default Microsoft Windows and Office settings and many Windows applications settings. For best results, ensure that your test environment includes two or more user computers that share network access. @@ -94,13 +94,13 @@ A storage path must be configured on the client-side to tell where the personali 4. Select **Enabled**, fill in the **Settings storage path**, and click **OK**. - - Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder. + - Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder. **To set the storage path for UE-V with PowerShell** 1. In a PowerShell window, type **Set-uevConfiguration -SettingsStoragePath [StoragePath]** where **[StoragePath]** is the path to the location created in step 2 followed by **\%username%**. - - Ensure that the storage path ends with **%username%** to ensure that eah user gets a unique folder. + - Ensure that the storage path ends with **%username%** to ensure that each user gets a unique folder. With Windows 10, version 1607 and later, the UE-V service is installed on user devices when the operating system is installed. Enable the service to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell. From 7c1a333041824869a37c7593246556da4ba25ec5 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 10 Apr 2018 17:31:52 -0700 Subject: [PATCH 3/5] clarified SSO is blocked --- .../credential-guard/credential-guard-considerations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 01dbef4001..8457313a96 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -24,7 +24,7 @@ Passwords are still weak. We recommend that in addition to deploying Windows Def Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. ## Wi-fi and VPN Considerations -When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. +When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. ## Kerberos Considerations From f031d81925bb3e1e2237056670fa840955bcd84c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 10 Apr 2018 17:40:29 -0700 Subject: [PATCH 4/5] fixed link text --- ...windows-event-forwarding-to-assist-in-intrusion-detection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 75dda71497..8e5b6d0232 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -175,7 +175,7 @@ To gain the most value out of the baseline subscription we recommend to have the - Enable disabled event channels and set the minimum size for modern event files. - Currently, there is no GPO template for enabling or setting the maximum size for the modern event files. This must be done by using a GPO. For more info, see [Appendix C – Event Channel Settings (enable and Channel Access) methods](#bkmk-appendixc). -The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Baseline Subscription Event Query](#bkmk-appendixf). +The annotated event query can be found in the following. For more info, see [Appendix F – Annotated Suspect Subscription Event Query](#bkmk-appendixf). - Anti-malware events from Microsoft Antimalware or Windows Defender. This can be configured for any given anti-malware product easily if it writes to the Windows event log. - Security event log Process Create events. From 75bdad3f0a60f865d0b9918628cefe218fab7d78 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 10 Apr 2018 17:54:55 -0700 Subject: [PATCH 5/5] fixed quotes --- .../bitlocker/bitlocker-management-for-enterprises.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index d5952e711b..961c0d224c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -108,7 +108,7 @@ For Azure AD-joined computers, including virtual machines, the recovery password ``` PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector -PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:” +PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:" PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId ``` @@ -118,7 +118,7 @@ For domain-joined computers, including servers, the recovery password should be ``` PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector -PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:” +PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:" PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId ```