+ + +## ServiceControlManager policies + + + +
+ + +**ServiceControlManager/SvchostProcessMitigation** + + +
| Home | +Pro | +Business | +Enterprise | +Education | +Mobile | +Mobile Enterprise | +
|---|---|---|---|---|---|---|
 |
+ |
+  6 |
+ 6 |
+ 6 |
+ + | + |
+ + + +This policy setting enables process mitigation options on svchost.exe processes. + +If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. + +This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. + +If you disable or do not configure this policy setting, the stricter security settings will not be applied. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Enable svchost.exe mitigation options* +- GP name: *SvchostProcessMitigationEnable* +- GP path: *System/Service Control Manager Settings/Security Settings* +- GP ADMX file name: *ServiceControlManager.admx* + + + +Supported values: +- disabled - Do not add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. +- enabled - Add ACG/CIG enforcement and other process mitigation/code integrity policies to SVCHOST processes. + + + + + + + + + + + +
+ +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. \ No newline at end of file diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 7d77e94d7d..6efbed9a1f 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -254,6 +254,7 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId= ## Related topics +[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946) [Manage corporate devices](manage-corporate-devices.md) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 1232a8f3f0..8b6e9832e9 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -83,7 +83,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a ## Export the Start layout -When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. +When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ >[!IMPORTANT] >If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions. @@ -155,6 +155,8 @@ When you have the Start layout that you want your users to see, use the [Export- >* If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start. > >* Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level. +> +>* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\. ## Configure a partial Start layout diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 0dac7f3654..a8f9235264 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -74,7 +74,7 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows)) +Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows)) **Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 37103745b0..2807a78f24 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -45,7 +45,7 @@ Semi-Annual Channel is the default servicing channel for all Windows 10 devices >The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). >[!NOTE] ->Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. +>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel. ## Assign devices to Semi-Annual Channel diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 9942044960..e2e21a62bc 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -84,11 +84,13 @@ If you have devices that appear in other solutions, but not Device Health (the D 1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. 2. Confirm that the devices are running Windows 10. 3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). -4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). +4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full). + - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the location set by Group Policy or MDM + - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the location set by local tools such as the Settings app. + - By convention the Group Policy location would take precedence if both are set. Starting with Windows 10, version 1803, the default precedence is modified to enable a device user to lower the diagnostic data level from that set by IT. For organizations which have no requirement to allow the user to override IT, the conventional (IT wins) behavior can be re-enabled using **DisableTelemetryOptInSettingsUx**. This policy can be set via Group Policy as **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**. 5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -6. Add the Device Health solution back to your Log Analytics workspace. -7. Wait 48 hours for activity to appear in the reports. -8. If you need additional troubleshooting, contact Microsoft Support. +6. Wait 48 hours for activity to appear in the reports. +7. If you need additional troubleshooting, contact Microsoft Support. ### Device crashes not appearing in Device Health Device Reliability diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index b7b51ae981..5c36726a38 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -45,4 +45,10 @@ In order to enable this scenario, you need: - Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly. - Set ClientProxy=User in bat. +>[!IMPORTANT] +> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection] + + + + diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c68d13cadf..a9e92983f8 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -666,7 +666,7 @@ To remove the News app: -or- >[!IMPORTANT] -> If you have any issues with these commands, do a system reboot and try the scripts again. +> If you have any issues with these commands, restart the system and try the scripts again. > - Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 9d8c343d5d..65f77cb12b 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -70,7 +70,6 @@ sections:
gov.uk websites that don’t support “HSTS” may not be accessible
See details >
May 14, 2019
KB4494440
KB4505052
02:00 PM PT
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >
April 25, 2019
KB4493473
KB4494440
10:00 AM PT
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details >
April 25, 2019
KB4493473
KB4494440
10:00 AM PT
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >
March 12, 2019
KB4489882
KB4493473
02:00 PM PT
| Details | Originating update | Status | History |
| Issue using PXE to start a device from WDS After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. Affected platforms:
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options: Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No Option 2: Use the Windows Deployment Services UI to make the following adjustment:
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension Restart the WDSServer service after disabling the Variable Window Extension. Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 14393.2848 March 12, 2019 KB4489882 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493473. Back to top | OS Build 14393.2848 March 12, 2019 KB4489882 | Resolved KB4493473 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >
January 08, 2019
KB4480973
02:00 PM PT
gov.uk websites that don’t support “HSTS” may not be accessible
See details >
May 14, 2019
KB4499181
KB4505055
02:00 PM PT
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >
April 25, 2019
KB4493436
KB4499181
10:00 AM PT
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >
March 12, 2019
KB4489871
KB4493436
02:00 PM PT
| Details | Originating update | Status | History |
| Custom URI schemes may not start corresponding application After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493436. Back to top | OS Build 15063.1689 March 12, 2019 KB4489871 | Resolved KB4493436 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
gov.uk websites that don’t support “HSTS” may not be accessible
See details >
May 14, 2019
KB4498946
KB4505062
02:00 PM PT
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >
April 25, 2019
KB4493440
KB4499179
10:00 AM PT
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details >
April 25, 2019
KB4493440
KB4499179
10:00 AM PT
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >
March 12, 2019
KB4489886
KB4493440
02:00 PM PT
| Details | Originating update | Status | History |
| Custom URI schemes may not start corresponding application After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493440. Back to top | OS Build 16299.1029 March 12, 2019 KB4489886 | Resolved KB4493440 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
gov.uk websites that don’t support “HSTS” may not be accessible
See details >
May 14, 2019
KB4499167
KB4505064
02:00 PM PT
When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel.
See details >
April 25, 2019
KB4493437
KB4499167
10:00 AM PT
Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.
See details >
April 25, 2019
KB4493437
KB4499167
10:00 AM PT
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.
See details >
March 12, 2019
KB4489868
KB4493437
02:00 PM PT
| Details | Originating update | Status | History |
| Issue using PXE to start a device from WDS After installing KB4489868, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. Affected platforms:
Workaround: To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options: Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No Option 2: Use the Windows Deployment Services UI to make the following adjustment:
Option 3: Set the following registry value to 0: HKLM\\System\\CurrentControlSet\\Services\\WDSServer\\Providers\\WDSTFTP\\EnableVariableWindowExtension Restart the WDSServer service after disabling the Variable Window Extension. Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release. Back to top | OS Build 17134.648 March 12, 2019 KB4489868 | Mitigated | Last updated: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
| Custom URI schemes may not start corresponding application After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. Affected platforms:
Resolution: This issue is resolved in KB4493437. Back to top | OS Build 17134.648 March 12, 2019 KB4489868 | Resolved KB4493437 | Resolved: April 25, 2019 02:00 PM PT Opened: March 12, 2019 10:00 AM PT |
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.
| Summary | Originating update | Status | Last updated |
| Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates See details > | OS Build 18362.113 May 14, 2019 KB4497936 | Acknowledged | May 24, 2019 04:20 PM PT |
| Loss of functionality in Dynabook Smartphone Link app After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application. See details > | OS Build 18362.113 May 14, 2019 KB4497936 | Investigating | May 24, 2019 03:10 PM PT |
| Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Acknowledged | May 24, 2019 04:20 PM PT |
| Loss of functionality in Dynabook Smartphone Link app After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application. See details > | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | May 24, 2019 03:10 PM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | May 21, 2019 04:47 PM PT |
| Audio not working with Dolby Atmos headphones and home theater Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | May 21, 2019 07:17 AM PT |
| Duplicate folders and documents showing in user profile directory If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created. See details > | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | May 21, 2019 07:16 AM PT |
| Details | Originating update | Status | History |
| Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903. Affected platforms:
Next steps: We are working on a resolution and estimate a solution will be available in late June. Back to top | OS Build 18362.113 May 14, 2019 KB4497936 | Acknowledged | Last updated: May 24, 2019 04:20 PM PT Opened: May 24, 2019 04:20 PM PT |
| Loss of functionality in Dynabook Smartphone Link app Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC. To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Next steps: Microsoft and Dynabook are working on a resolution; the Dynabook Smartphone Link application may have a loss of functionality until this issue is resolved. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.113 May 14, 2019 KB4497936 | Investigating | Last updated: May 24, 2019 03:10 PM PT Opened: May 24, 2019 03:10 PM PT |
| Windows Sandbox may fail to start with error code “0x80070002” Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903. Affected platforms:
Next steps: We are working on a resolution and estimate a solution will be available in late June. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Acknowledged | Last updated: May 24, 2019 04:20 PM PT Opened: May 24, 2019 04:20 PM PT |
| Loss of functionality in Dynabook Smartphone Link app Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC. To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Next steps: Microsoft and Dynabook are working on a resolution; the Dynabook Smartphone Link application may have a loss of functionality until this issue is resolved. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 20, 2019 KB4505057 | Investigating | Last updated: May 24, 2019 03:10 PM PT Opened: May 24, 2019 03:10 PM PT |
| Display brightness may not respond to adjustments Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Window 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change. To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Workaround: Restart your device to apply changes to brightness. Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Next steps: We are working on a resolution that will be made available in upcoming release. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 04:47 PM PT Opened: May 21, 2019 07:56 AM PT |
| Audio not working with Dolby Atmos headphones and home theater After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error. This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions. To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved. Affected platforms:
Next steps: We are working on a resolution for Microsoft Store and estimate a solution will be available in mid-June. Note We recommend you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:17 AM PT Opened: May 21, 2019 07:16 AM PT |
| Duplicate folders and documents showing in user profile directory If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. This issue does not cause any user files to be deleted and a solution is in progress. To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved. Affected platforms:
Next steps: Microsoft is working on a resolution and estimates a solution will be available in late May. Note We recommend that you do not attempt to manually update to Windows 10, version 1903 using the Update now button or the Media Creation Tool until this issue has been resolved. Back to top | OS Build 18362.116 May 21, 2019 KB4505057 | Investigating | Last updated: May 21, 2019 07:16 AM PT Opened: May 21, 2019 07:16 AM PT |
| System unresponsive after restart if Sophos Endpoint Protection installed Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Resolved | May 14, 2019 01:22 PM PT |
| System may be unresponsive after restart if Avira antivirus software installed Devices with Avira antivirus software installed may become unresponsive upon restart. See details > | April 09, 2019 KB4493472 | Resolved | May 14, 2019 01:21 PM PT |
| Authentication may fail for services after the Kerberos ticket expires Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires. See details > | March 12, 2019 KB4489878 | Resolved KB4499164 | May 14, 2019 10:00 AM PT |
| Devices may not respond at login or Welcome screen if running certain Avast software Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart. See details > | April 09, 2019 KB4493472 | Resolved | April 25, 2019 02:00 PM PT |
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
Back to top
KB4493472
May 14, 2019
01:23 PM PT
Opened:
April 09, 2019
10:00 AM PT
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top
KB4493472
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top
KB4493472
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493472 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.
Back to top
KB4493472
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
Devices with ArcaBit antivirus software installed may become unresponsive upon restart.
See details >
KB4493446
01:22 PM PT
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >
KB4493446
01:22 PM PT
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >
KB4493446
01:21 PM PT
Devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software may become unresponsive after restart.
See details >
KB4493446
02:00 PM PT
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.
Back to top
KB4493446
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Back to top
KB4493446
May 14, 2019
01:22 PM PT
Opened:
April 09, 2019
10:00 AM PT
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.
Back to top
KB4493446
May 14, 2019
01:21 PM PT
Opened:
April 09, 2019
10:00 AM PT
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493446 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.
Affected platforms:
- Client: Windows 8.1; Windows 7 SP1
- Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.
Back to top
KB4493446
April 25, 2019
02:00 PM PT
Opened:
April 09, 2019
10:00 AM PT
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-7 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-11 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight -[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege -[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege |
-
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - - -## Batch +## Batch Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. -
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-3 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-3-1 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-3-0 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-1 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-64-21 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-9 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights Assignment |
-[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight -[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight |
-
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - - -## Everyone +## Everyone All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. @@ -400,615 +189,184 @@ On computers running Windows 2000 and earlier, the Everyone group included the Membership is controlled by the operating system. -
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-1-0 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight -[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege -[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-4 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-19 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default user rights |
-[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege -[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege -[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege -[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege -[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege -[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege -[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege -[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege |
-
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
| - - -## LocalSystem +## LocalSystem This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. -
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-18 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-2 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-20 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege -[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege -[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege -[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege -[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege -[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege -[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege |
-
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
| - - -## NTLM Authentication +## NTLM Authentication -
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-64-10 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-1000 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-10 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-14 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-12 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-64-14 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-6 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege -[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege |
-
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
| -## Terminal Server User +## Terminal Server User Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. -
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-13 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-15 |
-
Object Class |
-Foreign Security Principal |
-
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-None |
-
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-- |
Object Class |
-- |
Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
Default User Rights |
-[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege -[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege |
-
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
| ## See also @@ -1016,4 +374,4 @@ Any user accessing the system through Terminal Services has the Terminal Server - [Security Principals](security-principals.md) -- [Access Control Overview](access-control.md) \ No newline at end of file +- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 58043d111b..ea8762d16e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -64,7 +64,7 @@ By default, the Active Directory Certificate Authority provides and publishes th Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Templates Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. @@ -81,7 +81,7 @@ The Kerberos Authentication certificate template is the most current certificate Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. +3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. 4. Click the **Superseded Templates** tab. Click **Add**. 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. 6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. @@ -98,7 +98,7 @@ Windows 10 clients use the https protocol when communicating with Active Directo Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Templates Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. @@ -168,11 +168,11 @@ You want to confirm your domain controllers enroll the correct certificates and #### Use the Event Logs -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServices-Lifecycles-System** event log under **Application and Services/Microsoft/Windows**. +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServicesClient-Lifecycle-System** event log under **Application and Services/Microsoft/Windows**. Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. +Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServicesClient-Lifecycle-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. #### Certificate Manager diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 99026497a4..c8fbed37c7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -284,9 +284,9 @@ A TPM implements controls that meet the specification described by the Trusted C - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows�10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). +Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). -Windows�10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows�10 supports only TPM 2.0. +Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: @@ -316,16 +316,3 @@ In a simplified manner, the TPM is a passive component with limited resources. I [Return to Top](hello-how-it-works-technology.md) - - - - - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index dd447eb2b1..2534ee8e04 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -58,7 +58,18 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. + +* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. +* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). +* The certificate Key Usage section must contain Digital Signature and Key Encipherment. +* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. +* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). +* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. +* The certificate template must have an extension that has the BMP data value "DomainController". +* The domain controller certificate must be installed in the local computer's certificate store. + + > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: @@ -85,7 +96,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2. ### Section Review ### > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 58614660a4..bca87f02c5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -97,7 +97,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi ## Learn more -[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft) +[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft) [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index cb2349d9bd..d2f6bc7823 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -117,7 +117,7 @@ You will want to balance testing in a lab with providing results to management q ## The Process -The journey to password-less is to take each work persona through each password-less step. In the begging, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like 1. Password-less replacement offering (Step 1) 1. Identify test users that represent the targeted work persona. diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 137f60c277..6648747efc 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -163,16 +163,41 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You 2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**. +## Collect WIP audit logs using Azure Monitor +You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs) +**To view the WIP events in Azure Monitor** +1. Use an existing or create a new Log Analytics workspace. +2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive: + ``` + Microsoft-Windows-EDP-Application-Learning/Admin + Microsoft-Windows-EDP-Audit-TCB/Admin + ``` + >[!NOTE] + >If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB). +3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation). +4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t: +Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**. +5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=
Enable conditional access to better protect users, devices, and data. +- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
Enable conditional access to better protect users, devices, and data. - [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index fe229e350d..faa63ea948 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -26,6 +26,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines + - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - Windows 10 Version 1709 (Fall Creators Update) @@ -69,4 +70,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. -Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). \ No newline at end of file +Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index e62f0051cb..b0715daedf 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -69,6 +69,9 @@ Enabling this policy setting allows the operating system to store passwords in a Disable the **Store password using reversible encryption** policy setting. +>[!Note] +> When policy settings are disabled, only new passwords will be stored using one-way encryption by default. Existing passwords will be stored using reversible encryption until they are changed. + ### Potential impact If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 901c6c4995..471d647e37 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -26,7 +26,7 @@ You can manage and configure Windows Defender Antivirus with the following tools - System Center Configuration Manager - Group Policy - PowerShell cmdlets -- Windows Management Instruction (WMI) +- Windows Management Instrumentation (WMI) - The mpcmdrun.exe utility The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index b895c48fac..e39c054561 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -95,7 +95,16 @@ Security intelligence and product updates Upload location for files submitted to Microsoft via the Submission form or automatic sample submission
+ussus1westprod.blob.core.windows.net
+usseu1northprod.blob.core.windows.net
+usseu1westprod.blob.core.windows.net
+ussuk1southprod.blob.core.windows.net
+ussuk1westprod.blob.core.windows.net
+ussas1eastprod.blob.core.windows.net
+ussas1southeastprod.blob.core.windows.net
+ussau1eastprod.blob.core.windows.net
+ussau1southeastprod.blob.core.windows.net
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features. +- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10. +- [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware. +- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index c77493d952..41a0e83637 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -120,7 +120,7 @@ The draft release of the [security configuration baseline settings](https://blog - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. - [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web. -- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! i +- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! - [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. ### Security management