improving the content format and consistency

Shesh 2022-05-18 21:18:50 +05:30
parent 3b531d1925
commit 1f75129a35
6 changed files with 87 additions and 28 deletions


@ -14,7 +14,6 @@ manager: dansimp
# Policy CSP - UserRights
<hr/>
User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
@ -77,7 +76,7 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
> [!NOTE]
> `&#xF000;` is the entity encoding of 0xF000.
For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
For example, the following syntax grants user rights to Authenticated Users and Replicator user groups.:
```xml
<![CDATA[Authenticated Users&#xF000;Replicator]]>
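Review bot: The reworded lead-in now ends in ".:" ("...Authenticated Users and Replicator user groups.:"), a punctuation error introduced by this change. Keep the single colon from the previous wording, since the sentence introduces the XML example that follows it.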
@ -197,6 +196,7 @@ For example, the following syntax grants user rights to a specific user or group
<a href="" id="userrights-accesscredentialmanagerastrustedcaller"></a>**UserRights/AccessCredentialManagerAsTrustedCaller**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -236,6 +236,7 @@ GP Info:
<a href="" id="userrights-accessfromnetwork"></a>**UserRights/AccessFromNetwork**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -259,6 +260,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services isn't affected by this user right.
> [!NOTE]
> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
@ -277,6 +279,7 @@ GP Info:
<a href="" id="userrights-actaspartoftheoperatingsystem"></a>**UserRights/ActAsPartOfTheOperatingSystem**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -300,6 +303,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
@ -318,6 +322,7 @@ GP Info:
<a href="" id="userrights-allowlocallogon"></a>**UserRights/AllowLocalLogOn**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -341,6 +346,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can sign in to the computer.
> [!NOTE]
> Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
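Review bot: The link target on the [!NOTE] line has a stray space before the closing parenthesis, "(https://go.microsoft.com/fwlink/?LinkId=24268 )", which can end up in the rendered URL or break the link depending on the renderer. Remove the space as part of this formatting pass.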
@ -359,6 +365,7 @@ GP Info:
<a href="" id="userrights-backupfilesanddirectories"></a>**UserRights/BackupFilesAndDirectories**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -382,6 +389,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read.
> [!CAUTION]
> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, assign this user right to trusted users only.
@ -400,6 +408,7 @@ GP Info:
<a href="" id="userrights-changesystemtime"></a>**UserRights/ChangeSystemTime**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -423,8 +432,9 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.
> [!CAUTION]
> Configuring user rights replaces existing users or groups previously assigned those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy.
> Configuring user rights replaces existing users or groups previously assigned to those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy.
>
> Not including the Local Service account will result in failure with the following error:
>
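Review bot: The reworded caution still reads "The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right", with the article missing before "Local Service account". Since the line is being edited anyway, make it "the Local Service account". The statement that configuring the right replaces the existing assignments is the part an admin must not miss, so it would help to keep it as its own sentence at the top of the caution.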
@ -447,6 +457,7 @@ GP Info:
<a href="" id="userrights-createglobalobjects"></a>**UserRights/CreateGlobalObjects**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -470,6 +481,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
@ -488,6 +500,7 @@ GP Info:
<a href="" id="userrights-createpagefile"></a>**UserRights/CreatePageFile**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -527,6 +540,7 @@ GP Info:
<a href="" id="userrights-createpermanentsharedobjects"></a>**UserRights/CreatePermanentSharedObjects**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -566,6 +580,7 @@ GP Info:
<a href="" id="userrights-createsymboliclinks"></a>**UserRights/CreateSymbolicLinks**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -589,8 +604,10 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines if the user can create a symbolic link from the computer they're signed in to.
> [!CAUTION]
> This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.
> [!NOTE]
> This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
@ -609,6 +626,7 @@ GP Info:
<a href="" id="userrights-createtoken"></a>**UserRights/CreateToken**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -632,6 +650,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System.
> [!CAUTION]
> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.
@ -650,6 +669,7 @@ GP Info:
<a href="" id="userrights-debugprograms"></a>**UserRights/DebugPrograms**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -673,6 +693,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
@ -691,6 +712,7 @@ GP Info:
<a href="" id="userrights-denyaccessfromnetwork"></a>**UserRights/DenyAccessFromNetwork**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -713,7 +735,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access to this computer from the network policy setting if a user account is subject to both policies.
<!--/Description-->
<!--DbMapped-->
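Review bot: In the changed description, "Access to this computer from the network" is no longer the name of the setting it refers to. The previous text, "Access this computer from the network", is the policy setting's name (the counterpart of UserRights/AccessFromNetwork earlier in this file), so inserting "to" breaks the reference. Revert that wording, and consider formatting the setting name in bold or italics so it is not mistaken for running prose again.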
@ -730,6 +752,7 @@ GP Info:
<a href="" id="userrights-denylocallogon"></a>**UserRights/DenyLocalLogOn**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -772,6 +795,7 @@ GP Info:
<a href="" id="userrights-denyremotedesktopserviceslogon"></a>**UserRights/DenyRemoteDesktopServicesLogOn**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -811,6 +835,7 @@ GP Info:
<a href="" id="userrights-enabledelegation"></a>**UserRights/EnableDelegation**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -834,6 +859,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set.
> [!CAUTION]
> Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
@ -852,6 +878,7 @@ GP Info:
<a href="" id="userrights-generatesecurityaudits"></a>**UserRights/GenerateSecurityAudits**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -891,6 +918,7 @@ GP Info:
<a href="" id="userrights-impersonateclient"></a>**UserRights/ImpersonateClient**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -914,14 +942,19 @@ GP Info:
<!--/Scope-->
<!--Description-->
Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
> [!CAUTION]
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
> [!NOTE]
> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1) The access token that is being impersonated is for this user.
2) The user, in this sign-in session, created the access token by signing in to the network with explicit credentials.
3) The requested level is less than Impersonate, such as Anonymous or Identify.
1. The access token that is being impersonated is for this user.
1. The user, in this sign-in session, created the access token by signing in to the network with explicit credentials.
1. The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users don't usually need this user right.
> [!WARNING]
> If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run.
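Review bot: The sentence that introduces the renumbered list, "...if any of the following conditions exist.", ends with a period and sits inside the [!NOTE] block, while the three conditions and the concluding "Because of these factors" line are outside it as body text. End the lead-in with a colon and keep the list and its conclusion in the same block as the lead-in (all prefixed with ">" or all outside the note), so the conditions are not rendered detached from the sentence they complete.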
@ -940,6 +973,7 @@ GP Info:
<a href="" id="userrights-increaseschedulingpriority"></a>**UserRights/IncreaseSchedulingPriority**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -984,6 +1018,7 @@ GP Info:
<a href="" id="userrights-loadunloaddevicedrivers"></a>**UserRights/LoadUnloadDeviceDrivers**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1007,6 +1042,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users.
> [!CAUTION]
> Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system.
@ -1025,6 +1061,7 @@ GP Info:
<a href="" id="userrights-lockmemory"></a>**UserRights/LockMemory**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1064,6 +1101,7 @@ GP Info:
<a href="" id="userrights-manageauditingandsecuritylog"></a>**UserRights/ManageAuditingAndSecurityLog**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1103,6 +1141,7 @@ GP Info:
<a href="" id="userrights-managevolume"></a>**UserRights/ManageVolume**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1125,7 +1164,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
This user right determines which users and groups can run maintenance tasks on a volume, such as remote de-fragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.
<!--/Description-->
<!--DbMapped-->
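Review bot: The change from "defragmentation" to "de-fragmentation" in the ManageVolume description replaces the standard spelling with a hyphenated variant; keep "defragmentation". The same sentence still has "extend files in to memory", which should be "into", and that is the fix this line actually needs.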
@ -1142,6 +1181,7 @@ GP Info:
<a href="" id="userrights-modifyfirmwareenvironment"></a>**UserRights/ModifyFirmwareEnvironment**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1165,6 +1205,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.
> [!NOTE]
> This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
@ -1183,6 +1224,7 @@ GP Info:
<a href="" id="userrights-modifyobjectlabel"></a>**UserRights/ModifyObjectLabel**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1222,6 +1264,7 @@ GP Info:
<a href="" id="userrights-profilesingleprocess"></a>**UserRights/ProfileSingleProcess**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1261,6 +1304,7 @@ GP Info:
<a href="" id="userrights-remoteshutdown"></a>**UserRights/RemoteShutdown**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1300,6 +1344,7 @@ GP Info:
<a href="" id="userrights-restorefilesanddirectories"></a>**UserRights/RestoreFilesAndDirectories**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1323,6 +1368,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write.
> [!CAUTION]
> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, assign this user right to trusted users only.
@ -1341,6 +1387,7 @@ GP Info:
<a href="" id="userrights-takeownership"></a>**UserRights/TakeOwnership**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -1364,6 +1411,7 @@ GP Info:
<!--/Scope-->
<!--Description-->
This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
> [!CAUTION]
> Assigning this user right can be a security risk. Since owners of objects have full control of them, assign this user right to trusted users only.
@ -1378,3 +1426,7 @@ GP Info:
<hr/>
<!--/Policies-->
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -28,13 +28,13 @@ manager: dansimp
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="virtualizationbasedtechnology-hypervisorenforcedcodeintegrity"></a>**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -57,7 +57,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
>[!NOTE]
>After the policy is pushed, a system reboot will be required to change the state of HVCI.
@ -66,9 +66,9 @@ Allows the IT admin to control the state of Hypervisor-protected Code Integrity
<!--SupportedValues-->
The following are the supported values:
- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock
- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock
- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock
- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock.
- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock.
<!--/SupportedValues-->
<!--Example-->
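Review bot: The value list is still inconsistent after the periods were added: value 0 says "without UEFI Lock" while values 1 and 2 say "UEFI lock". Use one capitalization across all three. It would also help to state on value 0 that a device enabled with value 1 cannot be turned off by this policy, which is what "if configured previously without UEFI Lock" implies but does not say outright.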
@ -84,6 +84,7 @@ The following are the supported values:
<a href="" id="virtualizationbasedtechnology-requireuefimemoryattributestable"></a>**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
@ -106,7 +107,7 @@ The following are the supported values:
<!--/Scope-->
<!--Description-->
Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs).
>[!NOTE]
>After the policy is pushed, a system reboot will be required to change the state of HVCI.
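Review bot: The description edited here belongs to RequireUEFIMemoryAttributesTable, yet it is word for word the HypervisorEnforcedCodeIntegrity description ("Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices") and never mentions the UEFI Memory Attributes Table that this policy's supported values refer to. Fixing only the capitalization keeps a copy-pasted description in place. Replace it with text that says what requiring the table does, and check whether the reboot note about "the state of HVCI" applies to this policy as written.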
@ -116,8 +117,8 @@ Allows the IT admin to control the state of Hypervisor-protected Code Integrity
The following are the supported values:
- 0: (Disabled) Do not require UEFI Memory Attributes Table
- 1: (Enabled) Require UEFI Memory Attributes Table
- 0: (Disabled) Do not require UEFI Memory Attributes Table.
- 1: (Enabled) Require UEFI Memory Attributes Table.
<!--/SupportedValues-->
<!--Example-->
@ -131,3 +132,6 @@ The following are the supported values:
<!--/Policies-->
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -119,7 +119,7 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Value type is int. The following list shows the supported values:
Supported value type is int. The following list shows the supported values:
- 0 - access to ink workspace is disabled. The feature is turned off.
- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
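Review bot: "Supported value type is int" uses "int", while the other value-type lines reworded in this same commit say "Supported value type is integer"; pick one form. The list items below it are also lower-case fragments with " - " as the separator ("0 - access to ink workspace is disabled"), unlike the "0: (Disabled) ..." style used for the HVCI values elsewhere in this commit.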


@ -295,7 +295,7 @@ Allow or disallow turning off the projection to a PC.
If you set it to 0 (zero), your PC isn't discoverable and you can't project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** &gt; **System** &gt; **Projecting to this PC**.
Value type is integer.
Supported value type is integer.
<!--/Description-->
<!--ADMXMapped-->
@ -430,7 +430,7 @@ Allow or disallow requirement for a PIN for pairing.
If you turn on this policy, the pairing ceremony for new devices will always require a PIN. If you turn off this policy or don't configure it, a PIN isn't required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** &gt; **System** &gt; **Projecting to this PC**.
Value type is integer.
Supported value type is integer.
<!--/Description-->
<!--ADMXMapped-->


@ -25,17 +25,20 @@ The table below shows the applicability of Windows:
|Education|No|Yes|
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.
**./Vendor/MSFT/WindowsAutopilot**
Root node. Supported operation is Get.
Root node for the WindowsAutopilot configuration service provider.
Supported operation is Get.
**HardwareMismatchRemediationData**
Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.
Interior node for the HardwareMismatchRemediationData configuration service provider. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot.
Supported operation is Get.
## Related topics
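Review bot: The new sentence "Interior node for the HardwareMismatchRemediationData configuration service provider" mislabels the node. HardwareMismatchRemediationData is a node under ./Vendor/MSFT/WindowsAutopilot, and the configuration service provider is WindowsAutopilot, as the root-node line above it says. Suggest "Interior node." or "Interior node of the WindowsAutopilot configuration service provider." The overview paragraph says the data is used to mark a device as "remediation required" while the node text says "to remediate a device"; worth aligning the two while this text is open.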


@ -40,17 +40,17 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are:
- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
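Review bot: The "Operating system integration" bullet still does not parse after the rewrite: "It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run" should read along the lines of "It checks any files that an app (including 3rd-party browsers and email clients) attempts to download and run". Two smaller points in the same hunk: the lead-in has "Microsoft Defender SmartScreen provide" where "provides" is needed, and the first bullet ends on the link with no closing period, unlike the other bullets.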