From f187a70c66f129af27aea29b09113f194a14b7c0 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Wed, 12 May 2021 15:19:16 -0700
Subject: [PATCH 1/6] Update reqs-md-app-guard.md
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index ab3603b914..351fc52cb2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -22,7 +22,7 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
->Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
+>Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and VDI environment. Hence, MDAG is currently not official supported on VMs and VDI environment. However, for testing and automation on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.
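Review bot: The new NOTE text carries two grammar slips that will ship to the live page: "not official supported" should read "not officially supported", and "VMs and VDI environment" should read "VMs and in VDI environments" (both occurrences). The opening clause "Given the technological complexity" also leaves the reader guessing which complexity weakens the guarantee; either state it or drop the clause and keep the plain statement that MDAG is not supported on VMs and VDI.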
@@ -42,4 +42,4 @@ Your environment needs the following software to run Microsoft Defender Applicat
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
-|Management system
(only for managed devices)|[Microsoft Intune](/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**-OR-**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
\ No newline at end of file
+|Management system
(only for managed devices)|[Microsoft Intune](/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**-OR-**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
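Review bot: The only real change in this hunk is the missing newline at end of file (the removed and added Management system rows are otherwise identical), which is fine, but the context row "Professional editions are only supported for non-managed devices; ... not supported with WDAG for Professional editions" still uses the old WDAG acronym after the note above was switched to MDAG. Pick one acronym for the whole article; since this row is already in the hunk context, update it here.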
From 058e0b0dc05730baf8028d68221bc4eb424e1f2d Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Wed, 12 May 2021 16:08:32 -0700
Subject: [PATCH 2/6] Update
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 351fc52cb2..6e11d6eabb 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -22,7 +22,7 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
>[!NOTE]
->Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and VDI environment. Hence, MDAG is currently not official supported on VMs and VDI environment. However, for testing and automation on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
+> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.
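Review bot: The rewritten note line now starts "> Given" with a space after the marker, while the unchanged line directly above it is still ">[!NOTE]" with no space; both lines belong to one callout and should use the same prefix style. Normalising the "[!NOTE]" line in this same hunk avoids a follow-up commit for a single character.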
From 1f1d9d807c884b12b242a5e8b890473220574e09 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Wed, 12 May 2021 16:08:39 -0700
Subject: [PATCH 3/6] Update
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 6e11d6eabb..0c9b491dc5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -21,7 +21,7 @@ ms.technology: mde
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
->[!NOTE]
+> [!NOTE]
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
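Review bot: Patches 1, 2 and 3 each touch the same two lines of this one NOTE callout (wording, then grammar, then the ">" spacing); squash them into a single commit before merging so the history records the final text once instead of three intermediate versions of the same paragraph.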
From c4a3e588e19935ade4b151f3310c824821ef1a4e Mon Sep 17 00:00:00 2001
From: "Sean Williams [MSFT]" <72675818+sewillia-msft@users.noreply.github.com>
Date: Thu, 13 May 2021 18:13:58 -0700
Subject: [PATCH 4/6] "Disable WDAC Policies": Cleanup formatting
This PR performs a few list/callout-related changes to the article ["Disable Windows Defender Application Control Policies"](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies):
* Move list of WDAC policy locations into "Note" callout referencing them
* Replace boldface "Note" with DFM `[!NOTE]` tags
---
...s-defender-application-control-policies.md | 21 ++++++++++---------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index a84b17e822..6cbf4d90fa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -32,7 +32,6 @@ This topic covers how to disable unsigned or signed WDAC policies.
There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart:
- <EFI System Partition>\\Microsoft\\Boot\\
-
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
Note that as of the Windows 10 May 2019 Update (1903), WDAC allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
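Review bot: Both path lines in this hunk use bare "<EFI System Partition>" and "<OS Volume>" placeholders; in Markdown a token of that shape can be parsed as a raw HTML open tag and silently dropped by the renderer, so wrap the placeholders in backticks or escape the "<" (for example `\<EFI System Partition>\\Microsoft\\Boot\\`). The context sentence "Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder" also uses single backslashes while the list uses doubled ones; make the escaping consistent across the section.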
@@ -43,21 +42,22 @@ Signed policies protect Windows from administrative manipulation as well as malw
> [!NOTE]
> For reference, signed WDAC policies should be replaced and removed from the following locations:
-
-- <EFI System Partition>\\Microsoft\\Boot\\
-
-- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
+>
+> * <EFI System Partition>\\Microsoft\\Boot\\
+> * <OS Volume>\\Windows\\System32\\CodeIntegrity\\
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
- > **Note** To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+ > [!NOTE]
+ > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
- > **Note** If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+ > [!NOTE]
+ > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Delete the new policy.
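Review bot: The list moved into the callout uses "*" bullets ("> * <EFI System Partition>\\Microsoft\\Boot\\") while every other list in this file, including the two-item location lists elsewhere in this diff, uses "-"; use "-" here for consistency. The same unescaped "<EFI System Partition>" and "<OS Volume>" placeholders appear in this hunk and can be mistaken for HTML tags by the renderer, so consider backticks, and confirm that the nested "> [!NOTE]" blocks under steps 1 and 3 are indented to the list item body so the callouts render inside the numbered list.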
@@ -67,13 +67,15 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
- > **Note** To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+ > [!NOTE]
+ > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
- > **Note** If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+ > [!NOTE]
+ > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Set the GPO to disabled.
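Review bot: The hunk header context still reads "If the signed WDAC policy has been deployed using by using Group Policy"; the duplicated "using by using" is a typo in a section this formatting-cleanup commit is already editing, so fix it here rather than leaving it for another pass.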
@@ -86,5 +88,4 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
- <EFI System Partition>\\Microsoft\\Boot\\
-
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
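Review bot: The boot-failure recovery steps only tell the reader to delete "the file" from the two listed locations, yet the context earlier in this same diff states that since Windows 10 1903 multiple policies are deployed as {Policy GUID}.cip files under \CIPolicies\Active beneath each of these paths. Someone recovering from a boot failure caused by a multi-policy deployment would not know to remove those; add the .cip subfolder to this list or cross-reference the multiple-policies paragraph above.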
From 2c9464c0bc6267e07680d969a58dc8e127e9f845 Mon Sep 17 00:00:00 2001
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com>
Date: Sun, 16 May 2021 10:12:07 +0200
Subject: [PATCH 5/6] Note addition to the Countermeasure section
As requested in issue ticket #9523 (**Please add a note**), the aim of this PR
is to add a note to the Countermeasure section of the document article
"Deny access to this computer from the network".
Thanks to Daniele Bona (dbona75) for the request.
Proposed change:
- Add a Note blob explaining the required Network Logon rights to the domain controllers.
Codestyle & whitespace changes:
- Remove any redundant end-of-line (EOL) blanks.
Closes #9523
---
...ccess-to-this-computer-from-the-network.md | 44 ++++++++++---------
1 file changed, 24 insertions(+), 20 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 426bbb78d9..59358f537b 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -14,14 +14,14 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 05/19/2021
ms.technology: mde
---
# Deny access to this computer from the network
**Applies to**
-- Windows 10
+- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Deny access to this computer from the network** security policy setting.
@@ -33,12 +33,12 @@ Constant: SeDenyNetworkLogonRight
### Possible values
-- User-defined list of accounts
-- Guest
+- User-defined list of accounts
+- Guest
### Best practices
-- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
+- Because all Active Directory Domain Services programs use a network logon for access, use caution when you assign this user right on domain controllers.
### Location
@@ -53,13 +53,13 @@ The following table lists the actual and effective default policy values. Defaul
| Server type or GPO | Default value |
| - | - |
-| Default Domain Policy | Not defined |
-| Default Domain Controller Policy | Guest |
-| Stand-Alone Server Default Settings | Guest |
-| Domain Controller Effective Default Settings | Guest |
-| Member Server Effective Default Settings | Guest |
-| Client Computer Effective Default Settings | Guest |
-
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Guest |
+| Stand-Alone Server Default Settings | Guest |
+| Domain Controller Effective Default Settings | Guest |
+| Member Server Effective Default Settings | Guest |
+| Client Computer Effective Default Settings | Guest |
+
## Policy management
This section describes features and tools available to help you manage this policy.
@@ -74,10 +74,10 @@ Any change to the user rights assignment for an account becomes effective the ne
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:
-1. Local policy settings
-2. Site policy settings
-3. Domain policy settings
-4. OU policy settings
+1. Local policy settings
+2. Site policy settings
+3. Domain policy settings
+4. OU policy settings
When a local setting is greyed out, it indicates that a GPO currently controls that setting.
@@ -93,13 +93,17 @@ Users who can log on to the device over the network can enumerate lists of accou
Assign the **Deny access to this computer from the network** user right to the following accounts:
-- Anonymous logon
-- Built-in local Administrator account
-- Local Guest account
-- All service accounts
+- Anonymous logon
+- Built-in local Administrator account
+- Local Guest account
+- All service accounts
An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
+> [!NOTE]
+> If the service account is configured in the logon properties of a Windows Service,
+> it requires Network Logon rights to the domain controllers to start properly.
+
### Potential impact
If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected.
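Review bot: The new note should say where the deny right causes the failure and why: the "Best practices" bullet earlier in this diff already warns that all Active Directory Domain Services programs use a network logon, so a service account placed in "Deny access to this computer from the network" on the domain controllers can no longer authenticate to them and the service fails to start. Tie the note to that bullet and to the "All service accounts" item it qualifies, and either keep the note on one "> " line or break at a sentence boundary rather than after "Windows Service,".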
From 6fea59ffdf2a99859cec7eca847b33905cfa6ae4 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 17 May 2021 09:58:29 -0700
Subject: [PATCH 6/6] Update
windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../deny-access-to-this-computer-from-the-network.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
index 59358f537b..04844990fd 100644
--- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
+++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md
@@ -101,8 +101,7 @@ Assign the **Deny access to this computer from the network** user right to the f
An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns.
> [!NOTE]
-> If the service account is configured in the logon properties of a Windows Service,
-> it requires Network Logon rights to the domain controllers to start properly.
+> If the service account is configured in the logon properties of a Windows service, it requires network logon rights to the domain controllers to start properly.
### Potential impact
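Review bot: After lowercasing, "network logon rights" no longer reads as the name of a specific policy setting; name the counterpart right explicitly, "Access this computer from the network" (SeNetworkLogonRight), so readers know which user right the service account must hold on the domain controllers, mirroring the "Constant: SeDenyNetworkLogonRight" line this article already uses for the deny right.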