mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge branch 'main' into v-smandalika-5694287-B21
commit 2307bdb3e3
@ -19584,6 +19584,11 @@
|
||||
"source_path": "smb/index.md",
|
||||
"redirect_url": "https://techcommunity.microsoft.com/t5/small-and-medium-business-blog/bg-p/Microsoft365BusinessBlog",
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "windows/whats-new/contribute-to-a-topic.md",
|
||||
"redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation",
|
||||
"redirect_document_id": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -6,9 +6,9 @@ metadata:
|
||||
title: Internet Explorer 11 documentation
|
||||
description: Consistent, reliable web browsing on Windows 7, Windows 8.1, and Windows 10, with the security, performance, backward compatibility, and modern standards support that large organizations need.
|
||||
ms.topic: landing-page
|
||||
author: lizap
|
||||
ms.author: elizapo
|
||||
ms.date: 07/06/2020
|
||||
author: aczechowski
|
||||
ms.author: aaroncz
|
||||
ms.date: 07/29/2022
|
||||
|
||||
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
|
||||
|
||||
@ -38,14 +38,6 @@ landingContent:
|
||||
url: https://www.microsoft.com/download/details.aspx?id=49974
|
||||
- text: Cumulative security updates for Internet Explorer 11
|
||||
url: https://www.catalog.update.microsoft.com/Search.aspx?q=cumulative%20security%20update%20for%20internet%20explorer%2011
|
||||
- linkListType: learn
|
||||
links:
|
||||
- text: Getting started with Windows 10 for IT professionals
|
||||
url: https://mva.microsoft.com/training-courses/getting-started-with-windows-10-for-it-professionals-10629?l=fCowqpy8_5905094681
|
||||
- text: 'Windows 10: Top Features for IT Pros'
|
||||
url: https://mva.microsoft.com/training-courses/windows-10-top-features-for-it-pros-16319?l=xBnT2ihhC_7306218965
|
||||
- text: 'Virtual Lab: Enterprise Mode'
|
||||
url: https://www.microsoft.com/handsonlabs/SelfPacedLabs/?storyGuid=e4155067-2c7e-4b46-8496-eca38bedca02
|
||||
|
||||
# Card
|
||||
- title: Plan
|
||||
@ -62,8 +54,6 @@ landingContent:
|
||||
url: ./ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
|
||||
- text: Manage Windows upgrades with Upgrade Readiness
|
||||
url: /windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness
|
||||
- text: 'Demo: Plan and manage Windows 10 upgrades and feature updates with'
|
||||
url: https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Windows-Analytics-Plan-and-manage-Windows-10-upgrades-and/td-p/98639
|
||||
- linkListType: how-to-guide
|
||||
links:
|
||||
- text: Turn on Enterprise Mode and use a site list
|
||||
@ -125,11 +115,7 @@ landingContent:
|
||||
- text: Out-of-date ActiveX control blocking
|
||||
url: ./ie11-deploy-guide/out-of-date-activex-control-blocking.md
|
||||
- text: Update to block out-of-date ActiveX controls in Internet Explorer
|
||||
url: https://support.microsoft.com/help/2991000/update-to-block-out-of-date-activex-controls-in-internet-explorer
|
||||
- text: Script to join user to AD with automatic Local user Profile Migration
|
||||
url: https://gallery.technet.microsoft.com/scriptcenter/script-to-join-active-7b16d9d3
|
||||
- text: Scripts for IT professionals
|
||||
url: https://gallery.technet.microsoft.com/scriptcenter/site/search?query=Microsoft%20Edge%20or%20Internet
|
||||
url: https://support.microsoft.com/topic/update-to-block-out-of-date-activex-controls-in-internet-explorer-39ced8f8-5d98-3c7b-4792-b62fad4e2277
|
||||
|
||||
# Card
|
||||
- title: Support
|
||||
@ -137,25 +123,19 @@ landingContent:
|
||||
- linkListType: get-started
|
||||
links:
|
||||
- text: Change or reset Internet Explorer settings
|
||||
url: https://support.microsoft.com/help/17441/windows-internet-explorer-change-reset-settings
|
||||
url: https://support.microsoft.com/windows/change-or-reset-internet-explorer-settings-2d4bac50-5762-91c5-a057-a922533f77d5
|
||||
- text: Troubleshoot problems with setup, installation, auto configuration, and more
|
||||
url: ./ie11-deploy-guide/troubleshoot-ie11.md
|
||||
- text: Disable VBScript execution in Internet Explorer for Internet Zone and Restricted Sites Zone
|
||||
url: https://support.microsoft.com/help/4012494/option-to-disable-vbscript-execution-in-internet-explorer-for-internet
|
||||
url: https://support.microsoft.com/topic/option-to-disable-vbscript-execution-in-internet-explorer-for-internet-zone-and-restricted-sites-zone-3a2104c0-5af0-9aae-6c57-8207d3cb3e65
|
||||
- text: Frequently asked questions about IEAK 11
|
||||
url: ./ie11-faq/faq-ieak11.yml
|
||||
- text: Internet Explorer 8, 9, 10, 11 forum
|
||||
url: https://social.technet.microsoft.com/forums/ie/home?forum=ieitprocurrentver
|
||||
- text: Contact a Microsoft support professional
|
||||
url: https://support.microsoft.com/contactus
|
||||
- text: Support options for Microsoft Partners
|
||||
url: https://mspartner.microsoft.com/Pages/Support/get-support.aspx
|
||||
- text: Microsoft Services Premier Support
|
||||
url: https://www.microsoft.com/en-us/microsoftservices/support.aspx
|
||||
- text: Microsoft Small Business Support Center
|
||||
url: https://smallbusiness.support.microsoft.com/product/internet-explorer
|
||||
- text: General support
|
||||
url: https://support.microsoft.com/products/internet-explorer
|
||||
url: https://support.microsoft.com/windows/internet-explorer-help-23360e49-9cd3-4dda-ba52-705336cc0de2
|
||||
|
||||
# Card
|
||||
- title: Stay informed
|
||||
@ -167,4 +147,4 @@ landingContent:
|
||||
- text: Microsoft Edge Dev blog
|
||||
url: https://blogs.windows.com/msedgedev
|
||||
- text: Microsoft Edge Dev on Twitter
|
||||
url: https://twitter.com/MSEdgeDev
|
||||
url: https://twitter.com/MSEdgeDev
|
||||
|
@ -2,6 +2,17 @@
|
||||
|
||||
|
||||
|
||||
## Week of July 25, 2022
|
||||
|
||||
|
||||
| Published On |Topic title | Change |
|
||||
|------|------------|--------|
|
||||
| 7/26/2022 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | added |
|
||||
| 7/26/2022 | [Secure the Windows boot process](/education/windows/change-home-to-edu) | modified |
|
||||
| 7/25/2022 | Edit an existing topic using the Edit link | removed |
|
||||
| 7/26/2022 | [Windows Hello for Business Videos](/education/windows/change-home-to-edu) | modified |
|
||||
|
||||
|
||||
## Week of June 27, 2022
|
||||
|
||||
|
||||
|
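Review bot: the "Secure the Windows boot process" and "Windows Hello for Business Videos" rows in the Week of July 25, 2022 table both link to `/education/windows/change-home-to-edu`, which is the "Upgrade Windows Home to Windows Education on student-owned devices" topic in the row above them, so two of the four rows point at the wrong page; give each row its own topic path. The rows are also out of date order (the 7/25 entry sits between 7/26 entries), and the removed "Edit an existing topic using the Edit link" row is correctly the only one without a link.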
@ -44,24 +44,24 @@ productDirectory:
|
||||
imageSrc: ./images/EDU-Lockbox.svg
|
||||
links:
|
||||
- url: /azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
|
||||
text: AAD feature deployment guide
|
||||
- url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423
|
||||
text: Azure Active Directory feature deployment guide
|
||||
- url: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-information-protection-deployment-acceleration-guide/ba-p/334423
|
||||
text: Azure information protection deployment acceleration guide
|
||||
- url: /cloud-app-security/getting-started-with-cloud-app-security
|
||||
- url: /defender-cloud-apps/get-started
|
||||
text: Microsoft Defender for Cloud Apps
|
||||
- url: /microsoft-365/compliance/create-test-tune-dlp-policy
|
||||
text: Data loss prevention
|
||||
- url: /microsoft-365/compliance/
|
||||
text: Microsoft 365 Compliance
|
||||
text: Microsoft Purview compliance
|
||||
- url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
|
||||
text: Deploying Lockbox
|
||||
# Card
|
||||
- title: Analytics & insights
|
||||
imageSrc: ./images/EDU-Education.svg
|
||||
links:
|
||||
- url: /power-bi/service-admin-administering-power-bi-in-your-organization
|
||||
- url: /power-bi/admin/service-admin-administering-power-bi-in-your-organization
|
||||
text: Power BI for IT admins
|
||||
- url: /dynamics365/#pivot=get-started
|
||||
- url: /dynamics365/
|
||||
text: Dynamics 365
|
||||
# Card
|
||||
- title: Find deployment help and other support resources
|
||||
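Review bot: the "Deploying Lockbox" entry still points at `https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx` while the rest of this hunk moves entries to current paths (`/defender-cloud-apps/get-started`, `/power-bi/admin/...`) and the next hunk drops the TechNet forum link; a community wiki is a weak reference for a security control such as Customer Lockbox, so point it at the official documentation under `/microsoft-365/compliance/` alongside the neighbouring entries. The "Microsoft 365 Compliance" to "Microsoft Purview compliance" rename keeps the old `/microsoft-365/compliance/` URL, which is fine as long as that path still resolves.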
@ -69,11 +69,9 @@ productDirectory:
|
||||
links:
|
||||
- url: /microsoft-365/education/deploy/find-deployment-help
|
||||
text: IT admin help
|
||||
- url: https://social.technet.microsoft.com/forums/en-us/home
|
||||
text: TechNet
|
||||
- url: https://support.office.com/en-us/education
|
||||
- url: https://support.office.com/education
|
||||
text: Education help center
|
||||
- url: https://support.office.com/en-us/article/teacher-training-packs-7a9ee74a-8fe5-43d3-bc23-a55185896921
|
||||
- url: /learn/educator-center/
|
||||
text: Teacher training packs
|
||||
# Card
|
||||
- title: Check out our education journey
|
||||
@ -98,9 +96,9 @@ additionalContent:
|
||||
summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
|
||||
url: /windows/uwp/apps-for-education/take-a-test-api
|
||||
# Card
|
||||
- title: Office Education Dev center
|
||||
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app
|
||||
url: https://developer.microsoft.com/office/edu
|
||||
- title: Office dev center
|
||||
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app.
|
||||
url: https://developer.microsoft.com/office/
|
||||
# Card
|
||||
- title: Data Streamer
|
||||
summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
|
||||
@ -111,15 +109,7 @@ additionalContent:
|
||||
# Card
|
||||
- title: Microsoft Partner Network
|
||||
summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
|
||||
url: https://partner.microsoft.com/solutions/education
|
||||
# Card
|
||||
- title: Authorized Education Partner (AEP) program
|
||||
summary: Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEUs).
|
||||
url: https://www.mepn.com/
|
||||
# Card
|
||||
- title: Authorized Education Partner Directory
|
||||
summary: Search through the list of Authorized Education Partners worldwide who can deliver on customer licensing requirements, and provide solutions and services to current and future school needs.
|
||||
url: https://www.mepn.com/MEPN/AEPSearch.aspx
|
||||
url: https://partner.microsoft.com/explore/education
|
||||
# Card
|
||||
- title: Education Partner community Yammer group
|
||||
summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
|
||||
|
@ -65,6 +65,8 @@
|
||||
href: s-mode-switch-to-edu.md
|
||||
- name: Change to Windows 10 Pro Education from Windows 10 Pro
|
||||
href: change-to-pro-education.md
|
||||
- name: Upgrade Windows Home to Windows Education on student-owned devices
|
||||
href: change-home-to-edu.md
|
||||
- name: Chromebook migration guide
|
||||
href: chromebook-migration-guide.md
|
||||
- name: Change history for Windows 10 for Education
|
||||
|
229
education/windows/change-home-to-edu.md
Normal file
@ -0,0 +1,229 @@
|
||||
---
|
||||
title: Upgrade Windows Home to Windows Education on student-owned devices
|
||||
description: Learn how IT Pros can upgrade student-owned devices from Windows Home to Windows Education using Mobile Device Management or Kivuto OnTheHub with qualifying subscriptions.
|
||||
ms.date: 07/05/2021
|
||||
ms.prod: windows
|
||||
ms.technology: windows
|
||||
ms.topic: how-to
|
||||
ms.localizationpriority: medium
|
||||
author: scottbreenmsft
|
||||
ms.author: scbree
|
||||
ms.reviewer: paoloma
|
||||
manager: jeffbu
|
||||
ms.collection: highpri
|
||||
---
|
||||
|
||||
# Upgrade Windows Home to Windows Education on student-owned devices
|
||||
|
||||
## Overview
|
||||
|
||||
Customers with qualifying subscriptions can upgrade student-owned and institution-owned devices from *Windows Home* to *Windows Education*, which is designed for both the classroom and remote learning.
|
||||
|
||||
> [!NOTE]
|
||||
> To be qualified for this process, customers must have a Windows Education subscription that includes the student use benefit and must have access to the Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center.
|
||||
|
||||
IT admins can upgrade student devices using a multiple activation key (MAK) manually or through Mobile Device Management (MDM). Alternatively, IT admins can set up a portal through [Kivuto OnTheHub](http://onthehub.com) where students can request a *Windows Pro Education* product key. The table below provides the recommended method depending on the scenario.
|
||||
|
||||
| Method | Product key source | Device ownership | Best for |
|
||||
|-|-|-|-|
|
||||
| MDM | VLSC | Personal (student-owned) | IT admin initiated via MDM |
|
||||
| Kivuto | Kivuto | Personal (student-owned) | Initiated on device by student, parent or guardian |
|
||||
| Provisioning package | VLSC | Personal (student-owned) or Corporate (institution-owned) | IT admin initiated at first boot |
|
||||
|
||||
These methods apply to devices with *Windows Home* installed; institution-owned devices can be upgraded from *Windows Professional* or *Windows Pro Edu* to *Windows Education* or *Windows Enterprise* using [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation).
|
||||
|
||||
## User Notifications
|
||||
|
||||
Users aren't notified their device has been or will be upgraded to Windows Education when using MDM. It's the responsibility of the institution to notify their users. Institutions should notify their users that MDM will initiate an upgrade to Windows Education and this upgrade will give the institution extra capabilities, such as installing applications.
|
||||
|
||||
Device users can disconnect from MDM in the Settings app, to prevent further actions from being taken on their personal device. For instructions on disconnecting from MDM, see [Remove your Windows device from management](/mem/intune/user-help/unenroll-your-device-from-intune-windows).
|
||||
|
||||
## Why upgrade student-owned devices from Windows Home to Windows Education?
|
||||
|
||||
Some school institutions want to streamline student onboarding for student-owned devices using MDM. Typical MDM requirements include installing certificates, configuring WiFi profiles and installing applications. On Windows, MDM uses Configuration Service Providers (CSPs) to configure settings. Some CSPs aren't available on Windows Home, which can limit the capabilities. Some of the CSPs not available in Windows Home that can affect typical student onboarding are:
|
||||
|
||||
- [EnterpriseDesktopAppManagement](/windows/client-management/mdm/enterprisemodernappmanagement-csp) - which enables deployment of Windows installer or Win32 applications.
|
||||
- [DeliveryOptimization](/windows/client-management/mdm/policy-csp-deliveryoptimization) - which enables configuration of Delivery Optimization.
|
||||
|
||||
A full list of CSPs are available at [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference). For more information about enrolling devices into Microsoft Intune, see [Deployment guide: Enroll Windows devices in Microsoft Intune](/mem/intune/fundamentals/deployment-guide-enrollment-windows).
|
||||
|
||||
## Requirements for using a MAK to upgrade from Windows Home to Windows Education
|
||||
|
||||
- Access to Volume Licensing Service Center (VLSC) or the Microsoft 365 Admin Center.
|
||||
- A qualifying Windows subscription such as:
|
||||
- Windows A3, or;
|
||||
- Windows A5.
|
||||
- A pre-installed and activated instance of Windows 10 Home or Windows 11 Home.
|
||||
|
||||
You can find more information in the [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/productoffering).
|
||||
|
||||
## How the upgrade process works
|
||||
|
||||
IT admins with access to the VLSC or the Microsoft 365 Admin Center, can find their MAK for Windows Education and trigger an upgrade using Mobile Device Management or manually on devices.
|
||||
|
||||
> [!WARNING]
|
||||
> The MAK is highly sensitive and should always be protected. Only authorized staff should be given access to the key and it should never be distributed to students or broadly to your organization in documentation or emails.
|
||||
|
||||
### Recommended methods for using a MAK
|
||||
|
||||
It's critical that MAKs are protected whenever they're used. The following processes provide the best protection for a MAK being applied to a device:
|
||||
|
||||
- Provisioning package by institution approved staff;
|
||||
- Manual entry by institution approved staff (don't distribute the key via email);
|
||||
- Mobile Device Management (like Microsoft Intune) via [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp);
|
||||
> [!IMPORTANT]
|
||||
> If you are using a Mobile Device Management product other than Microsoft Intune, ensure the key isn't accessible by students.
|
||||
- Operating System Deployment processes with tools such as Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager.
|
||||
|
||||
For a full list of methods to perform a Windows edition upgrade and more details, see [Windows 10 edition upgrade](/windows/deployment/upgrade/windows-10-edition-upgrades).
|
||||
|
||||
## Downgrading, resetting, reinstalling and graduation rights
|
||||
|
||||
After upgrading from *Windows Home* to *Windows Education* there are some considerations for what happens during downgrade, reset or reinstall of the operating system.
|
||||
|
||||
The table below highlights the differences by upgrade product key type:
|
||||
|
||||
| Product Key Type | Downgrade (in-place) | Reset | Student reinstall |
|
||||
|-|-|-|-|
|
||||
| VLSC | No | Yes | No |
|
||||
| Kivuto OnTheHub | No | Yes | Yes |
|
||||
|
||||
### Downgrade
|
||||
|
||||
It isn't possible to downgrade to *Windows Home* from *Windows Education* without reinstalling Windows.
|
||||
|
||||
### Reset
|
||||
|
||||
If the computer is reset, Windows Education will be retained.
|
||||
|
||||
### Reinstall
|
||||
|
||||
The Education upgrade doesn't apply to reinstalling Windows. Use the original Windows edition when reinstalling Windows. The original product key or [firmware-embedded product key](#what-is-a-firmware-embedded-activation-key) will be used to activate Windows.
|
||||
|
||||
If students require a *Windows Pro Education* key that can work on a new install of Windows, they should use [Kivuto OnTheHub](http://onthehub.com) to request a key prior to graduation.
|
||||
|
||||
For details on product keys and reinstalling Windows, see [Find your Windows product key](https://support.microsoft.com/windows/find-your-windows-product-key-aaa2bf69-7b2b-9f13-f581-a806abf0a886).
|
||||
|
||||
### Resale
|
||||
|
||||
The license will remain installed on the device if resold and the same conditions above apply for downgrade, reset or reinstall.
|
||||
|
||||
## Step by step process for customers to upgrade student-owned devices using Microsoft Intune
|
||||
|
||||
These steps provide instructions on how to use Microsoft Intune to upgrade devices from Home to Education.
|
||||
|
||||
### Step 1: Create a Windows Home edition filter
|
||||
|
||||
These steps configure a filter that will only apply to devices running the *Windows Home edition*. This filter will ensure only devices running *Windows Home edition* are upgraded. For more information about filters, see [Create filters in Microsoft Intune](/mem/intune/fundamentals/filters).
|
||||
|
||||
- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
|
||||
- Select **Tenant administration** > **Filters**
|
||||
- Select **Create**
|
||||
- Specify a name for the filter (for example *Windows Home edition*)
|
||||
- Select the **platform** as **Windows 10 and later**
|
||||
- Select **Next**
|
||||
- On the **Rules** screen, configure the following rules:
|
||||
- **operatingSystemSKU** equals **Core (Windows 10/11 Home (101))**
|
||||
- OR
|
||||
- **operatingSystemSKU** equals **CoreN (Windows 10/11 Home N (98))**
|
||||
- OR
|
||||
- **operatingSystemSKU** equals **CoreSingleLanguage (Windows 10/11 Home single language (100))**
|
||||
|
||||
> [!NOTE]
|
||||
> Ensure you've selected OR as the operator in the right And/Or column
|
||||
|
||||
:::image type="content" source="images/change-home-to-edu-windows-home-edition-intune-filter.png" alt-text="Example of configuring the Windows Home filter":::
|
||||
|
||||
- Optionally select scope tags as required
|
||||
- Save the filter by selecting **Create**
|
||||
|
||||
### Step 2: Create a Windows edition upgrade policy
|
||||
|
||||
These steps create and assign a Windows edition upgrade policy. For more information, see [Windows 10/11 device settings to upgrade editions or enable S mode in Intune](/mem/intune/configuration/edition-upgrade-windows-settings).
|
||||
|
||||
- Start in the [**Microsoft Endpoint Manager admin console**](https://endpoint.microsoft.com)
|
||||
- Select **Devices** > **Configuration profiles**
|
||||
- Select **Create profile**
|
||||
- Select the **Platform** as **Windows 10 or later**
|
||||
- Select the **Profile type** as **Templates**
|
||||
- Select the **Template** as **Edition upgrade and mode switch**
|
||||
- Select **Create**
|
||||
- Specify a name for the policy (for example *Windows Education edition upgrade*), select **Next**
|
||||
- On the **Configuration settings** screen
|
||||
- Expand **Edition Upgrade**
|
||||
- Change **Edition to upgrade** to **Windows 10/11 Education**
|
||||
- In the **Product Key**, enter your *Windows 10/11 Education MAK*
|
||||
- Select **Next**
|
||||
|
||||
:::image type="content" source="images/change-home-to-edu-windows-edition-upgrade-policy.png" alt-text="Example of configuring the Windows upgrade policy in Microsoft Intune":::
|
||||
|
||||
- Optionally select scope tags as required and select **Next**
|
||||
- On the **assignments** screen;
|
||||
- Select **Add all devices**
|
||||
- Next to **All devices**, select **Edit filter**
|
||||
|
||||
> [!NOTE]
|
||||
> You can also target other security groups that contain a smaller scope of users or devices and apply the filter rather than All devices.
|
||||
|
||||
- Select to **Include filtered devices in assignment**
|
||||
- Select the *Windows Home edition* filter you created earlier
|
||||
- Choose **Select** to save the filter selection
|
||||
- Select **Next** to progress to the next screen
|
||||
- Don't configure any applicability rules and select **next**
|
||||
- Review your settings and select **Create**
|
||||
|
||||
The edition upgrade policy will now apply to all existing and new Windows Home edition devices targeted.
|
||||
|
||||
### Step 3: Report on device edition
|
||||
|
||||
You can check the Windows versions of managed devices in the Microsoft Endpoint Manager admin console.
|
||||
|
||||
- Start in the **Microsoft Endpoint Manager admin console**
|
||||
- Select **Devices** > **Windows**
|
||||
- Select the **Columns** button
|
||||
- Select **Sku Family**
|
||||
- Select **Export**
|
||||
- Select **Only include the selected columns in the exported file** and select **Yes**
|
||||
- Open the file in Excel and filter on the Sku Family column to identify which devices are running the Home SKU
|
||||
|
||||
## Frequently asked questions (FAQ)
|
||||
|
||||
### My MAK key has run out of activations, how do I request a new one?
|
||||
|
||||
Increases to MAK Activation quantity can be requested by contacting [VLSC support](/licensing/contact-us) and may be granted by exception. A request can be made by accounts with the VLSC Administrator, Key Administrator, or Key Viewer permissions. The request should include the following information:
|
||||
|
||||
- Agreement/Enrollment Number or License ID and Authorization.
|
||||
- Product Name (includes version and edition).
|
||||
- Last five characters of the product key.
|
||||
- The number of host activations required.
|
||||
- Business Justification or Reason for Deployment.
|
||||
|
||||
### What is a firmware-embedded activation key?
|
||||
|
||||
A firmware-embedded activation key is a Windows product key that is installed into the firmware of your device. The embedded key makes it easier to install and activate Windows. To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt:
|
||||
|
||||
```powershell
|
||||
(Get-CimInstance -query 'select * from SoftwareLicensingService').OA3xOriginalProductKey
|
||||
```
|
||||
|
||||
If the device has a firmware-embedded activation key, it will be displayed in the output. Otherwise, the device doesn't have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
|
||||
|
||||
A firmware embedded key is only required to upgrade using Subscription Activation, a MAK upgrade doesn't require the firmware embedded key.
|
||||
|
||||
### What is a multiple activation key and how does it differ from using KMS, Active Directory based activation or Subscription Activation?
|
||||
|
||||
A multiple activation key activates either individual computers or a group of computers by connecting directly to servers over the internet or by telephone. KMS, Active Directory based activation and subscription activation are bulk activation methods that work based on network proximity or joining to Active Directory or Azure Active Directory. The table below shows which methods can be used for each scenario.
|
||||
|
||||
| Scenario | Ownership | MAK | KMS | AD based activation | Subscription Activation |
|
||||
|-|-|:-:|:-:|:-:|:-:|
|
||||
| **Workplace join (add work or school account)** | Personal (or student-owned) | X | | | |
|
||||
| **Azure AD Join** | Organization | X | X | | X |
|
||||
| **Hybrid Azure AD Join** | Organization | X | X | X | X |
|
||||
|
||||
## Related links
|
||||
|
||||
- [Windows 10 edition upgrade (Windows 10)](/windows/deployment/upgrade/windows-10-edition-upgrades)
|
||||
- [Windows 10/11 Subscription Activation](/windows/deployment/windows-10-subscription-activation)
|
||||
- [Equip Your Students with Windows 11 Education - Kivuto](https://kivuto.com/windows-11-student-use-benefit/)
|
||||
- [Upgrade Windows Home to Windows Pro (microsoft.com)](https://support.microsoft.com/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818)
|
||||
- [Partner Center: Upgrade Education customers from Windows 10 Home to Windows 10 Education](/partner-center/upgrade-windows-to-education)
|
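Review bot: in the "Why upgrade student-owned devices" list, the bullet labelled EnterpriseDesktopAppManagement links to `/windows/client-management/mdm/enterprisemodernappmanagement-csp`, which is the modern (Store/MSIX) app CSP rather than the Win32/MSI one the bullet describes; the path should be `/windows/client-management/mdm/enterprisedesktopappmanagement-csp`. Smaller points in the same file: both Kivuto OnTheHub links use plain `http://onthehub.com`, which sits oddly in a topic that warns twice about protecting product keys, so use https; the front matter has `ms.date: 07/05/2021` while the change-history table in this commit records the topic as added on 7/26/2022, so the year looks like a typo; and the `> [!IMPORTANT]` callout in "Recommended methods for using a MAK" is placed between list items without indentation, which will split the list when rendered, so move it after the list or indent it under the MDM bullet.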
Binary file not shown (added, 45 KiB)
Binary file not shown (added, 39 KiB)
@ -17,6 +17,14 @@ manager: dansimp
|
||||
# What's new in Set up School PCs
|
||||
Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases.
|
||||
|
||||
## Week of July 25, 2022
|
||||
|
||||
### Reimage option for Windows 11 SE
|
||||
Set up School PCs has added an option to reimage your Windows SE devices during the creation of a provisioning package. Previously, the process to reimage a device was specific to the OEM and required technical knowledge. The new reimaging feature in SUSPCs provides a unified way for all OEMs, using a simple and easy solution. Now you can plug in your USB stick with a Windows 11 SE image and a provisioning package on it, and your device will be reimaged before the provisioning package is installed on that device.
|
||||
|
||||
Note: If after you have reimaged the device, you notice there are missing drivers, the IT admin should manually add those drivers to the image. The SUSPC reimaging tool has been tested on Surface SE devices, but since there are a variety of SE devices, the SUSPC reimage tool has not been tested on all SE devices. Contact your OEM to learn more about the necessary drivers.
|
||||
|
||||
The option to reimage by getting the image from an OEM is still viable.
|
||||
|
||||
## Week of August 24, 2020
|
||||
|
||||
|
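Review bot: the reimage section does not say how the Windows 11 SE image and provisioning package on the USB stick are trusted before the device is wiped; since this step replaces the installed OS, state where the image must come from and recommend a signed package, consistent with the trusted provisioning certificate guidance in the provision-student-pcs-with-apps topic touched by this same commit. Naming is also inconsistent across the three paragraphs ("Windows SE devices" vs "Windows 11 SE", "SUSPCs" vs "SUSPC reimaging tool" vs "SUSPC reimage tool"), and the bare `Note:` paragraph should use the `> [!NOTE]` callout this repo uses elsewhere in the same commit.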
@ -1,11 +1,7 @@
|
||||
---
|
||||
title: Provision student PCs with apps
|
||||
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
|
||||
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
|
||||
ms.prod: w10
|
||||
ms.pagetype: edu
|
||||
ms.mktglfcycl: plan
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: medium
|
||||
author: dansimp
|
||||
ms.author: dansimp
|
||||
@ -15,17 +11,19 @@ manager: dansimp
|
||||
---
|
||||
|
||||
# Provision student PCs with apps
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
|
||||
|
||||
To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
|
||||
To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
|
||||
|
||||
Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
|
||||
|
||||
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
|
||||
- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
|
||||
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
|
||||
|
||||
- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps).
|
||||
|
||||
- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package.
|
||||
|
||||
<!--
|
||||
@ -46,7 +44,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur

## Create a provisioning package to add apps after initial setup

Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)
Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK.](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit)

1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe).
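Review bot: the default path in step 1, `%windir%\Program Files (x86)\Windows Kits\10\...`, doesn't resolve: `%windir%` expands to the Windows directory (normally `C:\Windows`), not the drive root, so `Program Files (x86)` is not under it. Use `%ProgramFiles(x86)%\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` instead.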
@ -124,7 +122,7 @@ Universal apps that you can distribute in the provisioning package can be line-o

10. Set a value for **Package Version**.

**Tip**
**Tip**
You can make changes to existing packages and change the version number to update previously applied packages.

11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
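Review bot: the **Tip** after step 10 is a bolded word followed by a paragraph rather than the `> [!TIP]` alert syntax used elsewhere in this same change set (`> [!WARNING]`, `> [!NOTE]` in the S mode page); convert it so it renders as a callout instead of a stray bold line.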
@ -133,8 +131,8 @@ Universal apps that you can distribute in the provisioning package can be line-o

- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.

**Important**
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.
**Important**
We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.

12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.<p>
Optionally, you can click **Browse** to change the default output location.
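Review bot: the **Important** note says that any package signed with the included provisioning certificate is thereafter applied silently, but stops short of the consequence: that certificate becomes a trust anchor for unattended reconfiguration of every device that received the package, so the text should tell readers to include only certificates they control and to protect the signing key accordingly (same hunk, same note). Minor: the trailing `<p>` at the end of step 12 is an unclosed HTML tag; drop it and let the following "Optionally, ..." line stand as plain Markdown. The note block should also use the `> [!IMPORTANT]` alert syntax rather than a bold word.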
@ -217,11 +215,6 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac

## Learn more

- [Develop Universal Windows Education apps](/windows/uwp/apps-for-education/)
-[Develop Universal Windows Education apps](/windows/uwp/apps-for-education/)

- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651)

- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)

- Watch the video: [Windows 10 for Mobile Devices: Provisioning Isn't Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)

- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
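Review bot: the two "Watch the video" entries are removed with no replacement; if the fwlink targets are retired, say so where the removal is explained, otherwise keep them with updated URLs. The remaining changes in this hunk look right: `-[Develop ...` had no space after the hyphen and did not render as a list item, and the `go.microsoft.com/fwlink` redirect with a stray leading space inside `](` is replaced by the direct docs path.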
@ -1,11 +1,7 @@
---
title: Test Windows 10 in S mode on existing Windows 10 education devices
description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices.
keywords: Windows 10 in S mode, try, download, school, education, Windows 10 in S mode installer, existing Windows 10 education devices
ms.mktglfcycl: deploy
ms.prod: w10
ms.pagetype: edu
ms.sitesec: library
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
@ -23,53 +19,56 @@ The Windows 10 in S mode self-installer will allow you to test Windows 10 in S m

Windows 10 in S mode is built to give schools the familiar, robust, and productive experiences you count on from Windows in an experience that's been streamlined for security and performance in the classroom, and built to work with Microsoft Education<sup>[2](#footnote2)</sup>.

Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted and you'll only be able to install apps from the Microsoft Store.
Windows 10 in S mode is different from other editions of Windows 10 as everything that runs on the device is verified by Microsoft for security and performance. Therefore, Windows 10 in S mode works exclusively with apps from the Microsoft Store. Some accessories and apps compatible with Windows 10 may not work and performance may vary. Certain default settings, features, and apps can't be changed. When you install Windows 10 in S mode, your existing applications and settings will be deleted, and you'll only be able to install apps from the Microsoft Store.

**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
**Configuring Windows 10 in S mode for school use is easy:** Education customers must configure **SetEduPolicies** for use in K-12 schools. For more information on how to do these configurations, see [Use the Set up School PCs app](use-set-up-school-pcs-app.md) and [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).

**Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Set up School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store.
**Installing Office 365 for Windows 10 in S mode (Education preview)**: To install the Office applications in a school environment, you must use the free Setup School PCs app, which is available on the Microsoft Store for Education and from the Microsoft Store.

As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed.To learn more about Office 365 for Education plans, see [FAQ: Office on Windows 10 in S mode](https://support.office.com/article/717193b5-ff9f-4388-84c0-277ddf07fe3f).
As we finalize development of Office 365 for Windows 10 in S mode (Education preview), the applications will be updated automatically. You must have an Office license to activate the applications once they're installed. For more information about Office 365 for Education plans, see [Office on Windows 10 in S mode](https://support.microsoft.com/office/office-on-windows-10-in-s-mode-717193b5-ff9f-4388-84c0-277ddf07fe3f?ui=en-us&rs=en-us&ad=us).

## Before you install Windows 10 in S mode

### Important information

Before you install Windows 10 in S mode, be aware that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode:
* Is intended for education customers to test compatibility with existing hardware
* May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality
* May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
* Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 in S mode is limited to Store apps only
Before you install Windows 10 in S mode, understand that non-Microsoft Store apps won't work, peripherals that require custom drivers may not work, and other errors may occur. In particular, this release of Windows 10 in S mode:

- Is intended for education customers to test compatibility with existing hardware
- May not work with some device drivers, which may not yet be ready for Windows 10 in S mode and may cause some loss in functionality
- May not be compatible with all peripherals that require custom drivers and, even if compatible, may cause aspects of the peripheral to not function
- Has software and feature limitations compared to other Windows 10 editions, primarily that Windows 10 in S mode is limited to Store apps only

> [!WARNING]
> You can install Windows 10 in S mode on devices running other editions of Windows 10. For more information, see [Supported devices](#supported-devices). However, we don't recommend installing Windows 10 in S mode on Windows 10 Home devices as you won't be able to activate it.

* Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased
- Won't run current Win32 software and might result in the loss of any data associated with that software, which might include software already purchased

Due to these reasons, we recommend that you use the installation tool and avoid doing a clean install from an ISO media.

Before you install Windows 10 in S mode on your existing Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise device:
* Make sure that you updated your existing device to Windows 10, version 1703 (Creators Update).

See [Download Windows 10](https://www.microsoft.com/software-download/windows10) and follow the instructions to update your device to Windows 10, version 1703. You can verify your current version in **Settings > System > About**.
- Make sure that you updated your existing device to Windows 10, version 1703.

* Install the latest Windows Update.
To update your device to Windows 10, version 1703, see [Download Windows 10](https://www.microsoft.com/software-download/windows10). You can verify your current version in **Settings > System > About**.

- Install the latest Windows Update.

To do this task, go to **Settings > Update & security > Windows Update**.

* Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode.
- Create a system backup in case you would like to return to your previously installed version of Windows 10 after trying Windows 10 in S mode.

For more information on how to create the system backup, see [Create a recovery drive](#create-a-recovery-drive).

## Supported devices

The Windows 10 in S mode install will install and activate on the following editions of Windows 10 in use by schools:
* Windows 10 Pro
* Windows 10 Pro Education
* Windows 10 Education
* Windows 10 Enterprise

Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer.
- Windows 10 Pro
- Windows 10 Pro Education
- Windows 10 Education
- Windows 10 Enterprise

Other Windows 10 editions can't be activated and aren't supported. If your device isn't running one of these supported Windows 10 editions, don't proceed with using the Windows 10 in S mode installer. Windows 10-N editions and running in virtual machines aren't supported by the Windows 10 in S mode installer.

### Preparing your device to install drivers
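Review bot: the rewritten Office paragraph renames the app to "Setup School PCs", while the paragraph just above still links to "Use the Set up School PCs app" (file `use-set-up-school-pcs-app.md`); revert to "Set up School PCs" so the product name is consistent. Two smaller points in the same hunk: the "Won't run current Win32 software" bullet sits after the `> [!WARNING]` block, so it renders as a separate one-item list rather than as part of the limitations list above, and dropping "(Creators Update)" from the version 1703 requirement removes the name readers are most likely to recognise; keep it in parentheses.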
@ -77,28 +76,7 @@ Make sure all drivers are installed and working properly on your device running

### Supported devices and drivers

Check with your device manufacturer before trying Windows 10 in S mode on your device to see if the drivers are available and supported by the device manufacturer.

| | | |
| - | - | - |
| <a href="https://www.acer.com/ac/en/US/content/windows10s-compatible-list" target="_blank">Acer</a> | <a href="https://www.51cube.com/ch/win10s-help.php" target="_blank">Alldocube</a> | <a href="https://www.ibuypower.com/site/computer/windows-10-s" target="_blank">American Future Tech</a> |
| <a href="https://www.prestigio.com/support/compatibility-with-windows-10-s/" target="_blank">ASBISC</a> | <a href="https://www.asus.com/event/2017/win10S/" target="_blank">Asus</a> | <a href="https://www.atec.kr/contents/ms_info.html" target="_blank">Atec</a> |
| <a href="https://www.odys.de/web/web_lan_en_hmp_1_win10s_ja.html" target="_blank">Axdia</a> | <a href="https://www.casper.com.tr/window10sdestegi" target="_blank">Casper</a> | <a href="https://www.cyberpowerpc.com/page/Windows-10-S/" target="_blank">Cyberpower</a> |
| <a href="https://www.lucoms.com/v2/cs/cs_windows10.asp" target="_blank">Daewoo</a> | <a href="https://www.daten.com.br/suportes/windows10s/" target="_blank">Daten</a> | <a href="https://www.dell.com/support/article/us/en/19/sln307174/dell-computers-tested-for-windows-10-s?lang=en" target="_blank">Dell</a> |
| <a href="https://www.epson.jp/support/misc/windows10s.htm" target="_blank">Epson</a> | <a href="https://exo.com.ar/actualizaciones-de-windows-10" target="_blank">EXO</a> | <a href="https://www.fujitsu.com/au/products/computing/pc/microsoft/s-compatible/" target="_blank">Fujitsu</a> |
| <a href="https://apac.getac.com/support/windows10s.html" target="_blank">Getac</a> | <a href="https://compaq.com.br/sistemas-compativeis-com-windows-10-s.html" target="_blank">Global K</a> | <a href="https://www.onda.cn/SearchDetails.aspx?id=1654" target="_blank">Guangzhou</a> |
| <a href="https://support.hp.com/us-en/document/c05588871" target="_blank">HP</a> | <a href="https://consumer.huawei.com/cn/support/notice/detail/index.htm?id=1541" target="_blank">Huawei</a> | <a href="https://www.i-life.us/not-available/" target="_blank">I Life</a> |
| <a href="https://www.inet-tek.com/en/product-qadetail-86.html" target="_blank">iNET</a> | <a href="https://www.intel.com/content/www/us/en/support/boards-and-kits/000025096.html" target="_blank">Intel</a> | <a href="https://irbis-digital.ru/support/podderzhka-windows-10-s/" target="_blank">LANIT Trading</a> |
| <a href="https://support.lenovo.com/us/en/solutions/ht504589" target="_blank">Lenovo</a> | <a href="https://www.lg.com/us/content/html/hq/windows10update/Win10S_UpdateInfo.html" target="_blank">LG</a> | <a href="https://www2.mouse-jp.co.jp/ssl/user_support2/info.asp?N_ID=361" target="_blank">MCJ</a> |
| <a href="https://support.linxtablets.com/WindowsSupport/Articles/Windows_10_S_Supported_Devices.aspx" target="_blank">Micro P/Exertis</a> | <a href="https://support.microsoft.com/help/4094045/surface-devices-that-work-with-windows-10-s" target="_blank">Microsoft</a> | <a href="https://www.msi.com/Landing/Win10S" target="_blank">MSI</a> |
| <a href="https://panasonic.net/cns/pc/Windows10S/" target="_blank">Panasonic</a> | <a href="https://www.bangho.com.ar/windows10s" target="_blank">PC Arts</a> | <a href="https://www.positivoinformatica.com.br/atualizacao-windows-10" target="_blank">Positivo SA</a> |
| <a href="https://www.br.vaio.com/atualizacao-windows-10/" target="_blank">Positivo da Bahia</a> | <a href="https://www.samsung.com/us/support/windows10s/" target="_blank">Samsung</a> | <a href="https://www.teclast.com/zt/aboutwin10s/" target="_blank">Teclast</a> |
| <a href="https://www.dospara.co.jp/support/share.php?contents=about_windows10s" target="_blank">Thirdwave</a> | <a href="https://www.tongfangpc.com/service/win10.aspx" target="_blank">Tongfang</a> | <a href="https://win10upgrade.toshiba.com/win10s/information?region=TAIS&country=US&lang=en" target="_blank">Toshiba</a> |
| <a href="https://www.trekstor.de/windows-10-s-en.html" target="_blank">Trekstor</a> | <a href="https://www.trigem.co.kr/windows/win10S.html" target="_blank">Trigem</a> | <a href="https://us.vaio.com/support/knowledge-base/windows-10-s-compatibility-information/" target="_blank">Vaio</a> |
| <a href="https://www.wortmann.de/en-gb/content/+windows-10-s-supportinformation/windows-10-s-supportinformation.aspx" target="_blank">Wortmann</a> | <a href="https://www.yifangdigital.com/Customerservice/win10s.aspx" target="_blank">Yifang</a> | |

> [!NOTE]
> If you don't see any device listed on the manufacturer's web site, check back again later as more devices get added in the future.
Check with your device manufacturer before trying Windows 10 in S mode on your device to see if the drivers are available and supported by the device manufacturer.

## Kept files
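Review bot: removing the manufacturer table leaves dangling references further down the same file: the Support section still says "See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode" and "Your best experience will be running on a supported device as mentioned above", but `#supported-devices` now lists only Windows editions, not OEM devices. Reword those two sentences in the same change, and consider folding the single surviving sentence under "Supported devices and drivers" into the section above it rather than keeping a heading for one line.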
@ -110,12 +88,13 @@ Back up all your data before installing Windows 10 in S mode. Only personal file
## Domain join

Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts:

- Local administrator
- Microsoft account administrator
- Azure Active Directory administrator
- Azure Active Directory administrator

> [!WARNING]
> If you don't have one of these administrator accounts accessible before migration, you'll not be able to log in to your device after migrating to Windows 10 in S mode.
> If you don't have one of these administrator accounts accessible before migration, you'll not be able to sign in to your device after migrating to Windows 10 in S mode.

We recommend [creating a recovery drive](#create-a-recovery-drive) before migrating to Windows 10 in S mode in case you run into this issue.
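Review bot: the warning that you can't sign in after migration without one of the listed administrator accounts deserves a concrete pre-check in the same list: tell readers to actually sign in with that local, Microsoft or Azure AD administrator account on the device before running the installer, because once the on-premises domain account stops working the only fallback is the recovery drive mentioned in the next sentence. The "log in" to "sign in" change matches the rest of the page.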
@ -126,35 +105,39 @@ After installing Windows 10 in S mode, use the free [Set up School PCs app](use-
## Switch to previously installed Windows 10 editions

If Windows 10 in S mode isn't right for you, you can switch to the Windows 10 edition previously installed on your device(s).
* Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md).
* If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).

- Education customers can switch devices to Windows 10 Pro Education using the Microsoft Store for Education. For more information, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 in S mode](change-to-pro-education.md).
- If you try Windows 10 in S mode and decide to switch back to the previously installed edition within 10 days, you can go back to the previously installed edition using the Windows Recovery option in Settings. For more info, see [Go back to your previous edition of Windows 10](#go-back-to-your-previous-edition-of-windows-10).

## Device recovery

Before installing Windows 10 in S mode, we recommend that you create a system backup in case you would like to return to Windows 10 Pro or Windows 10 Pro Education after trying Windows 10 in S mode.

### Create a recovery drive
### Create a recovery drive

To create a recovery drive, follow these steps.

1. From the taskbar, search for **Create a recovery drive** and then select it. You might be asked to enter an admin password or confirm your choice.
2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then click **Next**.
3. Connect a USB drive to your PC, select it, and then select **Next > Create**.
2. In the **Recovery drive** tool, make sure **Back up system files to the recovery drive** is selected and then select **Next**.
3. Connect a USB drive to your PC, select it, and then select **Next > Create**.

Many files need to be copied to the recovery drive; so this process might take a while.

4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link and then select **Delete**. If not, select **Finish**.
4. When it's done, you might see a **Delete the recovery partition from your PC** link on the final screen. If you want to free up drive space on your PC, select the link, and then select **Delete**. If not, select **Finish**.

### Go back to your previous edition of Windows 10

Alternatively, for 10 days after you install Windows 10 in S mode, you've the option to go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**.
Alternatively, for 10 days after you install Windows 10 in S mode, you can go back to your previous edition of Windows 10 from **Settings > Update & security > Recovery**. This revert operation will keep your personal files, but it will remove installed apps and any changes you made to **Settings**.

To go back, you need to:
* Keep everything in the windows.old and $windows.~bt folders after the upgrade.
* Remove any user accounts you added after the upgrade.

- Keep everything in the `windows.old` and `$windows.~bt` folders after the upgrade.
- Remove any user accounts you added after the upgrade.

If going back isn't available:
* Check if you can restore your PC to factory settings. This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
* If you've a product key for your previous version of Windows, use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install.

- Check if you can restore your PC to factory settings. This restoration will reinstall the version of Windows that came with your PC and remove personal files, apps, and drivers you installed and any changes you made to **Settings**. Go to **Settings > Update & security > Recovery > Reset this PC > Get started** and look for **Restore factory settings**.
- If you've a product key for your previous version of Windows, use the media creation tool. It can create installation media of your previous Windows 10 edition, and do a clean install.

After going back to your previous edition of Windows 10, you may receive the following message when launching Win32 apps:
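Review bot: the rewritten last bullet, "use the media creation tool. It can create installation media of your previous Windows 10 edition, and do a clean install", changes the meaning: the tool creates the media, the reader performs the clean install from it. Keep the original structure ("use the media creation tool to create installation media of your previous Windows 10 edition and use it to do a clean install"). In the same bullet, "If you've a product key" should be "If you have a product key"; contracting "have" as a main verb isn't standard, and the equivalent "you've the option" a few lines up was correctly rewritten to "you can" in this hunk.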
@ -168,14 +151,14 @@ If you see this message, follow these steps to stop receiving the message:
4. After restarting, in the **Choose an option** page, select **Troubleshoot**.
5. In the **Troubleshoot** page, select **Advanced options**, and in the **Advanced options** page select **UEFI Firmware Settings**.
6. In the **UEFI Firmware Settings** page, select **Restart** to get to the device-specific UEFI/BIOS menu.
7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings** and navigate to it.
7. Once you've accessed UEFI, look for the menu item labeled **Security** or **Security Settings**, and navigate to it.
8. Look for an option called **Secure boot configuration**, **Secure boot**, or **UEFI Boot**. If you can't find one of these options, check the **Boot** menu.
9. Disable the secure boot/UEFI boot option.
10. Save your settings and then exit UEFI. This exit action will restart your PC.
11. After Windows is done booting up, confirm that you no longer see the message.
11. After Windows is done booting up, confirm that you no longer see the message.

> [!NOTE]
> We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled).
> We recommend following these steps again to re-enable the **Secure boot configuration**, **Secure boot**, or **UEFI Boot** option, which you disabled in step 9, and then subsequently re-enable BitLocker (if you previously had this enabled).

### Use installation media to reinstall Windows 10
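Review bot: step 9 tells readers to disable Secure Boot to silence a message, and only a `> [!NOTE]` at the end recommends turning it back on; that should be a `> [!IMPORTANT]` or `> [!WARNING]`, since a device left with Secure Boot off loses its boot-integrity check, and BitLocker may enter recovery on the next boot after the firmware setting changes. Suggest also stating, before step 1, that BitLocker should be suspended before changing firmware settings so the recovery-key prompt doesn't catch readers by surprise; the note already assumes BitLocker was turned off at some earlier point ("re-enable BitLocker") without ever saying where.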
@ -195,7 +178,7 @@ To use an installation media to reinstall Windows 10, follow these steps.
If you're not seeing the setup screen, your PC might not be set up to boot from a drive. Check your PC manufacturer's website for information on how to change your PC's boot order, and then try again.

8. Select **Install now**.
9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activation in Windows 10](https://support.microsoft.com/help/12440/windows-10-activation).
9. On the **Enter the product key to active Windows** page, enter a product key if you've one. If you upgraded to Windows 10 for free, or bought and activated Windows 10 from the Microsoft Store, select **Skip** and Windows will automatically activate later. For more information, see [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227).
10. On the **License terms** page, select **I accept the license terms** if you agree, and then select **Next**.
11. On the **Which type of installation do you want?** page, select **Custom**.
12. On the **where do you want to install Windows?** page, select a partition, select a formatting option (if necessary), and then follow the instructions.
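Review bot: step 9 keeps "Enter the product key to active Windows" in both the old and the new line; "active" should be "activate". In the same line, "if you've one" should be "if you have one". Step 12's bolded page name starts lowercase ("**where do you want to install Windows?**") while every other page name in the list is capitalised; make it "**Where do you want to install Windows?**".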
@ -203,45 +186,49 @@ To use an installation media to reinstall Windows 10, follow these steps.
|
||||
14. Follow the rest of the setup instructions to finish installing Windows 10.
|
||||
|
||||
## Download Windows 10 in S mode
|
||||
Ready to test Windows 10 in S mode on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
|
||||
|
||||
Ready to test Windows 10 in S mode on your existing Windows 10 Pro or Windows 10 Pro Education device? Make sure you read the [important pre-installation information](#important-information) and all the above information.
|
||||
|
||||
When you're ready, you can download the Windows 10 in S mode installer by clicking the **Download installer** button below:
|
||||
|
||||
> [!div class="nextstepaction" style="center"]
|
||||
> [Download installer](https://go.microsoft.com/fwlink/?linkid=853240)
|
||||
|
||||
After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages** select **Add a language** to add a new language or select an existing language and set it as the default.
|
||||
After you install Windows 10 in S mode, the OS defaults to the English version. To change the UI and show the localized UI, go to **Settings > Time & language > Region & language >** in **Languages**, select **Add a language** to add a new language or select an existing language, and set it as the default.
|
||||
|
||||
## Terms and Conditions
|
||||
Because you’re installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesn’t show a Terms and Conditions page during installation.
|
||||
|
||||
## Support
|
||||
Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback.
|
||||
Because you're installing Windows 10 in S mode on a running version of Windows 10, you've already accepted the Windows 10 Terms and Conditions. you'ren't required to accept it again and the Windows 10 installer doesn't show a Terms and Conditions page during installation.
|
||||
|
||||
## Support
|
||||
|
||||
Thank you for testing Windows 10 in S mode. Your best experience will be running on a supported device as mentioned above. However, we invite you to try Windows 10 in S mode on existing devices with an eligible operating system. If you're having difficulty installing or running Windows 10 in S mode, use the Windows **Feedback Hub** to report your experience to Microsoft. This feedback is the best way to help improve Windows 10 in S mode with your feedback.
|
||||
|
||||
Common support questions for the Windows 10 in S mode test program:
|
||||
|
||||
* **How do I activate if I don't have a Windows 10 in S mode product key?**
|
||||
### How do I activate if I don't have a Windows 10 in S mode product key?
|
||||
|
||||
As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time.
|
||||
As stated above, devices running Windows 10 Pro, Windows 10 Pro Education, Windows 10 Education, or Windows 10 Enterprise can install and run Windows 10 in S mode and it will automatically activate. Testing Windows 10 in S mode on a device running Windows 10 Home isn't recommended and supported at this time.
|
||||
|
||||
* **Will my OEM help me run Windows 10 in S mode?**
|
||||
### Will my OEM help me run Windows 10 in S mode?
|
||||
|
||||
OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode. When testing Windows 10 in S mode, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above.
|
||||
OEMs typically only support their devices with the operating system that was pre-installed. See [Supported devices](#supported-devices) for OEM devices that are best suited for testing Windows 10 in S mode. When testing Windows 10 in S mode, be ready to restore your own PC back to factory settings without assistance. Steps to return to your previous installation of Windows 10 are covered above.
* **What happens when I run Reset or Fresh Start on Windows 10 in S mode?**
### What happens when I run Reset or Fresh Start on Windows 10 in S mode?
**Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 in S mode. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 in S mode.
**Reset** or **Fresh Start** will operate correctly and keep you on Windows 10 in S mode. They also remove the 10-day go back ability. See [Switch to previously installed Windows 10 editions](#switch-to-previously-installed-windows-10-editions) to return to your previous installation of Windows 10 if you wish to discontinue using Windows 10 in S mode.
* **What if I want to move from Windows 10 in S mode to Windows 10 Pro?**
### What if I want to move from Windows 10 in S mode to Windows 10 Pro?
If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store.
If you want to discontinue using Windows 10 in S mode, follow the instructions to return to your previous installation of Windows 10. If you already had Windows 10 Pro or Windows 10 Pro Education on the device you're testing on, you should be able to move to Windows 10 Pro or Windows 10 Pro Education at no charge with the instructions in this document. Otherwise, there may be a cost to acquire a Windows 10 Pro license in the Store.
For help with activation issues, click on the appropriate link below for support options.
* For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team.
* If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option.
For help with activation issues, select the appropriate link below for support options.
- For Volume Licensing Agreement or Shape the Future program customers, go to the [Microsoft Commercial Support](https://support.microsoft.com/gp/commercialsupport) website and select the country/region in which you're seeking commercial support to contact our commercial support team.
- If you don't have a Volume Licensing Agreement, go to the [Microsoft Support](https://support.microsoft.com/contactus/) website and choose a support option.
<p>
<a name="footnote1"></a><sup>1</sup> <small>Internet access fees may apply.</small><br/>
<a name="footnote2"></a><sup>2</sup> <small>Devices must be configured for educational use by applying <strong><a href="/education/windows/configure-windows-for-education#setedupolicies" data-raw-source="[SetEduPolicies](./configure-windows-for-education.md#setedupolicies)">SetEduPolicies</a></strong> using the Set up School PCs app.</small><br/>
<a name="footnote2"></a><sup>2</sup> <small>Devices must be configured for educational use by applying <strong><a href="/education/windows/configure-windows-for-education#setedupolicies" data-raw-source="[SetEduPolicies](./configure-windows-for-education.md#setedupolicies)">SetEduPolicies</a></strong> using the Setup School PCs app.</small><br/>
</p>
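Review bot: the footnote text changes "Set up School PCs app" to "Setup School PCs app" (the two footnote2 lines differ only in that word), but the app's product name is "Set up School PCs", so this reads as an unintended rename; revert to "Set up School PCs". Separately, the FAQ entries are converted from bold bullet items to `###` headings while the lead-in "Common support questions for the Windows 10 in S mode test program:" keeps the colon that introduced a list; ending it with a period reads better in front of headings.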
@ -75,14 +75,13 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run
|NonVisual Desktop Access |2021.3.1 |Win32 |NV Access|
|NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA|
|Pearson TestNav |1.10.2.0 |Store |Pearson|
|Questar Secure Browser |4.8.3.376 |Win32 |Questar|
|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.|
|Remote Desktop client (MSRDC) |1.2.3213.0 |Win32 |Microsoft|
|Remote Help |3.8.0.12 |Win32 |Microsoft|
|Respondus Lockdown Browser |2.0.8.05 |Win32 |Respondus|
|Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser|
|Secure Browser |14.0.0 |Win32 |Cambium Development|
|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|
|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud|
|SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access|
|Zoom |5.9.1 (2581)|Win32 |Zoom|
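Review bot: the table now carries two rows with the same version and publisher, `|Questar Secure Browser |4.8.3.376 |Win32 |Questar, Inc|` and `|Secure Browser |4.8.3.376 |Win32 |Questar, Inc|`; if these are one product, keep a single row, and if both names are intentional, say which is current. The bare name "Secure Browser" also now appears for both the Cambium Development and Questar entries, so a reader can only tell them apart by the publisher column.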
@ -33,7 +33,7 @@ Provisioning your new VM includes creating a VHD file, setting up a user account
#### Create a VHD file
For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f) command-line tool.
For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0) command-line tool.
#### Create a VHD file with the Convert-WindowsImage command-line tool
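Review bot: the replacement link pins the PowerShell Gallery package to `/Convert-WindowsImage/10.0`, so it will keep pointing at that version after newer releases are published; the unversioned package page `https://www.powershellgallery.com/packages/Convert-WindowsImage` avoids that. The sentence is also a comma splice: split it as "...available as a VHD image file. We recommend using the Convert-WindowsImage.ps1 command-line tool."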
@ -122,6 +122,6 @@ After you sequence your packages, you can automatically clean up any unpublished
### Related articles
- [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0)
- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
- [Download the Windows ADK](/windows-hardware/get-started/adk-install)
- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
- [Learn about Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/Hyper-V-on-Windows-Server)
@ -1,5 +1,5 @@
---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10/11)
title: Deploying Microsoft Office 2010 by Using App-V
description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
author: aczechowski
ms.prod: w10
@ -33,15 +33,6 @@ The following table shows the App-V versions, methods of Office package creation
Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. For more information, see [How to Sequence a New Application with App-V 5.0](/microsoft-desktop-optimization-pack/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030).
## Creating Office 2010 App-V packages using package accelerators
Office 2010 App-V packages can be created through package accelerators. Microsoft has provided package accelerators for creating Office 2010 on Windows 10/11, Windows 8, and Windows 7. The following pages will show you which package accelerator is best for creating Office 2010 App-V packages on your version of Windows:
* [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 8](https://gallery.technet.microsoft.com/App-V-50-Package-a29410db)
* [App-V 5.0 Package Accelerator for Office Professional Plus 2010 – Windows 7](https://gallery.technet.microsoft.com/App-V-50-Package-e7ef536b)
For detailed instructions on how to create virtual application packages using App-V package accelerators, see [How to Create a Virtual Application Package Using an App-V Package Accelerator](appv-create-a-virtual-application-package-package-accelerator.md).
## Deploying the Microsoft Office package for App-V
You can deploy Office 2010 packages by using any of the following App-V deployment methods:
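Review bot: removing the "Creating Office 2010 App-V packages using package accelerators" section and its two TechNet Gallery links leaves the retained sentence "Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V" without the other method it was contrasting with, and the hunk header shows a preceding table of "methods of Office package creation"; check that the table and that sentence no longer point at package accelerators, or keep one sentence stating that the accelerators are no longer available.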
@ -73,7 +64,7 @@ The following table provides a full list of supported integration points for Off
|Primary Interop Assemblies|Support managed add-ins||
|Office Document Cache Handler|Allows Document Cache for Office applications||
|Outlook Protocol Search handler|User can search in Outlook|Yes|
|Active X Controls:<br>- Groove.SiteClient<br>- PortalConnect.PersonalSite<br>- SharePoint.openDocuments<br>- SharePoint.ExportDatabase<br>- SharePoint.SpreadSheetLauncher<br>- SharePoint.StssyncHander<br>- SharePoint.DragUploadCtl<br>- SharePoint.DragDownloadCtl<br>- Sharpoint.OpenXMLDocuments<br> - Sharepoint.ClipboardCtl<br>- WinProj.Activator<br>- Name.NameCtrl<br>- STSUPld.CopyCtl<br>- CommunicatorMeetingJoinAx.JoinManager<br>- LISTNET.Listnet<br>- OneDrive Pro Browser Helper|Active X Control. <br><br>For more information about ActiveX controls, see the [ActiveX Control API Reference](<https://msdn.microsoft.com/library/office/ms440037(v=office.14).aspx>).||
|Active X Controls:<br>- Groove.SiteClient<br>- PortalConnect.PersonalSite<br>- SharePoint.openDocuments<br>- SharePoint.ExportDatabase<br>- SharePoint.SpreadSheetLauncher<br>- SharePoint.StssyncHander<br>- SharePoint.DragUploadCtl<br>- SharePoint.DragDownloadCtl<br>- Sharpoint.OpenXMLDocuments<br> - Sharepoint.ClipboardCtl<br>- WinProj.Activator<br>- Name.NameCtrl<br>- STSUPld.CopyCtl<br>- CommunicatorMeetingJoinAx.JoinManager<br>- LISTNET.Listnet<br>- OneDrive Pro Browser Helper|Active X Control. <br><br>For more information about ActiveX controls, see the [ActiveX Control API Reference](/previous-versions/office/developer/sharepoint-2010/ms440037(v=office.14)).||
|OneDrive Pro Icon Overlays|Windows explorer shell icon overlays when users look at folders OneDrive Pro folders||
### Connection Groups
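Review bot: the ActiveX row this hunk rewrites spells the product "Active X" in the first cell and "ActiveX" later in the same cell, and the ProgID list mixes the prefixes "SharePoint.", "Sharpoint." and "Sharepoint."; since the row is being touched anyway, normalise to "ActiveX" and verify the ProgID spellings against the source they were copied from. The following context line, "Windows explorer shell icon overlays when users look at folders OneDrive Pro folders", has a duplicated "folders".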
@ -82,4 +73,4 @@ The following table provides a full list of supported integration points for Off
### Dynamic Configuration
* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
* [About App-V Dynamic Configuration](appv-dynamic-configuration.md)
@ -1,5 +1,5 @@
---
title: Performance Guidance for Application Virtualization (Windows 10/11)
title: Performance Guidance for Application Virtualization
description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
author: aczechowski
ms.prod: w10
@ -36,11 +36,11 @@ You should read and understand the following information before reading this doc
Finally, this document will provide you with the information to configure the computer running App-V client and the environment for optimal performance. Optimize your virtual application packages for performance using the sequencer, and to understand how to use User Experience Virtualization (UE-V) or other user environment management technologies to provide the optimal user experience with App-V in both Remote Desktop Services (RDS) and non-persistent virtual desktop infrastructure (VDI).
To help determine what information is relevant to your environment, you should review each section’s brief overview and applicability checklist.
To help determine what information is relevant to your environment, you should review each section's brief overview and applicability checklist.
## <a href="" id="---------app-v-5-1-in-stateful--non-persistent-deployments"></a> App-V in stateful\* non-persistent deployments
This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn’t have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience.
This section provides information about an approach that helps ensure a user will have access to all virtual applications within seconds after logging in. This access is achieved by uniquely addressing the often long-running App-V publishing refresh. As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn't have to actually do anything. Many conditions must be met and steps followed to provide the optimal user experience.
Use the information in the following section for more information:
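Review bot: beyond the apostrophe change, the sentence "As you'll discover the basis of the approach, the fastest publishing refresh, is one that doesn't have to actually do anything" needs a comma after "discover" to parse ("As you'll discover, the basis of the approach, the fastest publishing refresh, is one that..."), and the closing line "Use the information in the following section for more information" is circular; "The following sections cover:" would do.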
@ -54,7 +54,7 @@ Use the information in the following section for more information:
- Steps to Prepare the Base Image – Whether in a non-persistent VDI or RDSH environment, only a few steps must be completed in the base image to enable this approach.
- Use UE-V as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution.
- Use UE-V as the User Profile Management (UPM) solution for the App-V approach – the cornerstone of this approach is the ability of a UEM solution to persist the contents of just a few registry and file locations. These locations constitute the user integrations\*. Be sure to review the specific requirements for the UPM solution.
[User Experience Walk-through](#bkmk-uewt)
@ -122,8 +122,7 @@ The following information displays the required steps to prepare the base image
- Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
- Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
- Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the
App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
- Configure for Shared Content Store (SCS) mode. For more information, see [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md).
- Configure Preserve User Integrations on Login Registry DWORD.
- Pre-configure all global-targeted packages, for example, **Add-AppvClientPackage**.
- Pre-configure all global-targeted connection groups, for example, **Add-AppvClientConnectionGroup**.
@ -144,7 +143,7 @@ For critical App-V Client configurations and for a little more context and how-t
For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
If you don’t plan to pre-configure every available user package in the base image, use this setting.
If you don't plan to pre-configure every available user package in the base image, use this setting.
- Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`.
- Create the DWORD value **PreserveUserIntegrationsOnLogin** with a value of 1.
@ -170,12 +169,10 @@ For more information, see:
- [Get Started with UE-V](/windows/configuration/ue-v/uev-getting-started)
In essence all that is required is to enable the UE-V service and download the following Microsoft authored App-V settings template from the [Microsoft User Experience Virtualization (UE-V) template gallery](https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33). Register the template. For more information about UE-V templates, see [User Experience Virtualization (UE-V) for Windows client overview](/windows/configuration/ue-v/uev-for-windows).
> [!Note]
> Without performing an additional configuration step, User Environment Virtualization (UE-V) won't be able to synchronize the Start menu shortcuts (.lnk files) on the target computer. The .lnk file type is excluded by default.
UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user’s device will have the same set of applications installed to the same location and every .lnk file is valid for all the users’ devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices.
UE-V will only support removing the .lnk file type from the exclusion list in the RDS and VDI scenarios, where every user's device will have the same set of applications installed to the same location and every .lnk file is valid for all the users' devices. For example, UE-V wouldn't currently support the following two scenarios, because the net result will be that the shortcut will be valid on one but not all devices.
- If a user has an application installed on one device with .lnk files enabled and the same native application installed on another device to a different installation root with .lnk files enabled.
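Review bot: the context line still links the App-V settings template to `https://gallery.technet.microsoft.com/Authored-UE-V-Settings-bb442a33`, while the other hunks in this commit replace or drop gallery.technet.microsoft.com links (the Convert-WindowsImage tool, the Office 2010 package accelerators, the UE-V Template Gallery reference); since that gallery is retired, this link should be updated or the "download the following ... template" instruction reworded in the same change.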
@ -306,7 +303,7 @@ This following process is a step-by-step walk-through of the App-V and UPM opera
Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section:
App-V 5.0 SP2 introduced the concept of pending states. In the past,
App-V 5.0 SP2 introduced the concept of pending states. In the past,
- If an administrator changed entitlements or created a new version of a package (upgraded) and during a publishing/refresh that package was in-use, the unpublish or publish operation, respectively, would fail.
@ -318,37 +315,23 @@ In a non-persistent environment, it's unlikely these pended operations will be p
The following section contains lists with information about Microsoft documentation and downloads that may be useful when optimizing your environment for performance.
<!-- Following bold text used to say **.NET NGEN Blog and Script (Highly Recommended)** but the script doesn't seem to exist any more. The link to the script was [Script](https://aka.ms/DrainNGenQueue) -->
#### Windows Server
**.NET NGEN Blog (Highly Recommended)**
Server performance tuning guidelines for [Microsoft Windows Server 2012 R2](/previous-versions/dn529133(v=vs.85))
- [How to speed up NGEN optimization](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
#### Server roles
**Windows Server and Server Roles**
- [Remote Desktop Virtualization Host](/previous-versions/dn567643(v=vs.85))
Server Performance Tuning Guidelines for
- [Remote Desktop Session Host](/previous-versions/dn567648(v=vs.85))
- [Microsoft Windows Server 2012 R2](/previous-versions//dn529133(v=vs.85))
- [Microsoft Windows Server 2012](https://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx)
- [Microsoft Windows Server 2008 R2](https://download.microsoft.com/download/6/B/2/6B2EBD3A-302E-4553-AC00-9885BBF31E21/Perf-tun-srv-R2.docx)
**Server Roles**
- [Remote Desktop Virtualization Host](/previous-versions//dn567643(v=vs.85))
- [Remote Desktop Session Host](/previous-versions//dn567648(v=vs.85))
- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions//dn567678(v=vs.85))
- [IIS Relevance: App-V Management, Publishing, Reporting Web Services](/previous-versions/dn567678(v=vs.85))
- [File Server (SMB) Relevance: If used for App-V Content Storage and Delivery in SCS Mode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj134210(v=ws.11))
**Windows Client (Guest OS) Performance Tuning Guidance**
#### Windows Client (guest OS) performance tuning guidance
- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density)
- [Microsoft Windows 8](https://download.microsoft.com/download/6/0/1/601D7797-A063-4FA7-A2E5-74519B57C2B4/Windows_8_VDI_Image_Client_Tuning_Guide.pdf)
- [The Microsoft Premier Field Engineer (PFE) view on Virtual Desktop (VDI) Density](/archive/blogs/jeff_stokes/the-microsoft-premier-field-engineer-pfe-view-on-virtual-desktop-vdi-density)
- [Optimization Script: (Provided by Microsoft Support)](/archive/blogs/jeff_stokes/hot-off-the-presses-get-it-now-the-windows-8-vdi-optimization-script-courtesy-of-pfe)
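Review bot: the HTML comment "Following bold text used to say **.NET NGEN Blog and Script (Highly Recommended)**" is kept, but the bold line it refers to and the "How to speed up NGEN optimization" link are both removed in this hunk, so the comment now describes nothing on the page; either drop the comment or keep the NGEN blog link under the new "#### Windows Server" heading. The Windows Server 2012 and Windows Server 2008 R2 tuning guide links are also dropped silently; if that is intentional (retired downloads), fine, otherwise restore them under the same heading.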
@ -404,7 +387,7 @@ Removing FB1 doesn't require the original application installer. After completin
### Creating a new virtual application package on the sequencer
If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application’s installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly.
If, during sequencer monitoring, an SxS Assembly (such as a VC++ Runtime) is installed as part of an application's installation, SxS Assembly will be automatically detected and included in the package. The administrator will be notified and will have the option to exclude the SxS Assembly.
**Client Side**:
@ -3253,10 +3253,7 @@ The table below shows the applicability of Windows:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Enables the IT admin to schedule the time of the update installation.
Enables the IT admin to schedule the time of the update installation. Note that there is a window of approximately 30 minutes to allow for higher success rates of installation.
The supported data type is an integer.
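Review bot: the added sentence "Note that there is a window of approximately 30 minutes to allow for higher success rates of installation" does not say what the window is relative to (whether installation may start before the scheduled time, after it, or either side of it), which is exactly what an admin scheduling the install needs to know; state the direction explicitly. "Note that" is also redundant directly under the existing [!NOTE] block.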
@ -15,18 +15,18 @@ manager: dougeby
The table below shows the applicability of Windows:
|Edition|Windows 11|
|--- |--- |
|Home|No|
|Pro|Yes|
|Windows SE|Yes|
|Business|Yes|
|Enterprise|Yes|
|Education|Yes|
|Edition|Windows 11|Windows 10|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis).
This CSP was added in Windows 11.
This CSP was added in Windows 11 and in Windows 10 21H2 July 2022 update [KB5015807](https://support.microsoft.com/topic/july-12-2022-kb5015807-os-builds-19042-1826-19043-1826-and-19044-1826-8c8ea8fe-ec83-467d-86fb-a2f48a85eb41).
The following example shows the UniversalPrint configuration service provider in tree format.
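Review bot: the new sentence says the CSP was added "in Windows 10 21H2 July 2022 update", but the linked KB5015807 URL names OS builds 19042.1826, 19043.1826 and 19044.1826, which are three Windows 10 releases rather than 21H2 alone; either list every release the CSP shipped in or say which of them actually received it. The "Windows SE" row also now shows Yes under the new Windows 10 column, yet that edition is Windows 11 SE (as the earlier hunk's heading calls it) and has no Windows 10 counterpart, so that cell looks wrong.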
@ -66,9 +66,11 @@ The XML declaration must specify the XML version 1.0 attribute (<?xml version
**Type: String**
UE-V uses the ```https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate``` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
UE-V uses the `https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate` namespace for all applications. SettingsLocationTemplate is the root element and contains all other elements. Reference SettingsLocationTemplate in all templates using this tag:
`<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>`
```xml
<SettingsLocationTemplate xmlns='https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate'>
```
### <a href="" id="data21"></a>Data types
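Review bot: the namespace is given as `https://schemas.microsoft.com/UserExperienceVirtualization/2012/SettingsLocationTemplate`; XML namespace URIs are compared as literal strings and never fetched, so the scheme is part of the identifier and an `https://` form only works if the UE-V schema declares exactly that string. Confirm it against the shipped templates (the %ProgramFiles%\Microsoft User Experience Virtualization\templates\ files cited later in this file) before this lands, because a template whose namespace does not match the schema will fail validation. Moving the tag into a fenced `xml` block is fine.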
@ -102,7 +104,7 @@ ProcessVersion defines a type with four child elements: **Major**, **Minor**, **
Architecture enumerates two possible values: **Win32** and **Win64**. These values are used to specify process architecture.
<a href="" id="process"></a>**Process**
The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element’s respective data type:
The Process data type is a container used to describe processes to be monitored by UE-V. It contains six child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. This table details each element's respective data type:
|Element|Data Type|Mandatory|
|--- |--- |--- |
@ -117,11 +119,11 @@ The Process data type is a container used to describe processes to be monitored
The Processes data type represents a container for a collection of one or more Process elements. Two child elements are supported in the Processes sequence type: **Process** and **ShellProcess**. Process is an element of type Process and ShellProcess is of data type Empty. At least one item must be identified in the sequence.
<a href="" id="path"></a>**Path**
Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default=”False”.
Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default="False".
Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items.
The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server.
The DeleteIfNotFound attribute removes the setting from the user's settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server.
<a href="" id="filemask"></a>**FileMask**
FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files.
@ -138,7 +140,7 @@ Settings is a container for all the settings that apply to a particular template
|Element|Description|
|--- |--- |
|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those get/set through an API, like SystemParameterSetting.|
|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.|
|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to 'false', UE-V exports the settings even if other instances of an application are running. Suited templates - those that include a Common element section- that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.|
|AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.|
### <a href="" id="name21"></a>Name Element
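Review bot: in the PreventOverlappingSynchronization row the dash replacement is uneven, "Suited templates - those that include a Common element section- that are shipped", with no space before the second hyphen; use the same spacing on both sides ("section - that") or set the aside in parentheses.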
@ -208,7 +210,7 @@ Version identifies the version of the settings location template for administrat
**Type: String**
Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly, for example, on the [UE-V Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V).
Author identifies the creator of the settings location template. Two optional child elements are supported: **Name** and **Email**. Both attributes are optional, but, if the Email child element is specified, it must be accompanied by the Name element. Author refers to the full name of the contact for the settings location template, and email should refer to an email address for the author. We recommend that you include this information in templates published publicly.
### <a href="" id="processes21"></a>Processes and Process Element
@ -250,7 +252,7 @@ Filename refers to the actual file name of the executable as it appears in the f
Valid filenames must not match the regular expression \[^\\\\\\?\\\*\\|<>/:\]+, that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon (the \\ ? \* | < > / or : characters.).
|
||||
|
||||
> [!TIP]
|
||||
> To test a string against this regex, use a PowerShell command window and substitute your executable’s name for **YourFileName**:
|
||||
> To test a string against this regex, use a PowerShell command window and substitute your executable's name for **YourFileName**:
|
||||
|
||||
`"YourFileName.exe" -match "[\\\?\*\|<>/:]+"`
|
||||
|
||||
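Review bot: The prose regex and the PowerShell check in this hunk disagree. The sentence "Valid filenames must not match the regular expression [^\\?*|<>/:]+" uses a negated character class, which matches any string containing at least one legal character, so every valid filename would match it and be rejected. The PowerShell line `"YourFileName.exe" -match "[\\\?\*\|<>/:]+"` correctly uses the non-negated class. Drop the leading `^` from the prose regex so both agree; the apostrophe change itself is fine.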
@ -269,7 +271,7 @@ A value of **True** indicates that the string contains illegal characters. Here
|
||||
|
||||
|
||||
|
||||
In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `<Filename>MyApplication.exe</Filename>` should be specified instead of `<Filename>MyApplication</Filename>`. The second example will not apply the template to the process if the actual name of the executable file is “MyApplication.exe”.
|
||||
In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `<Filename>MyApplication.exe</Filename>` should be specified instead of `<Filename>MyApplication</Filename>`. The second example will not apply the template to the process if the actual name of the executable file is "MyApplication.exe".
|
||||
|
||||
### Architecture
|
||||
|
||||
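Review bot: On the changed line the element is spelled `FileName` in the prose but `<Filename>` in the inline XML on the same line. XML element names are case-sensitive, so use the casing of the actual schema element in both places.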
@ -279,7 +281,7 @@ In rare circumstances, the FileName value will not necessarily include the .exe
|
||||
|
||||
Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another.
|
||||
|
||||
If this element is absent, the settings location template ignores the process’ architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply.
|
||||
If this element is absent, the settings location template ignores the process' architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply.
|
||||
|
||||
> [!NOTE]
|
||||
> UE-V does not support ARM processors in this version.
|
||||
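Review bot: The Architecture paragraph in this hunk has a stray space in the path `templates\\ MicrosoftOffice2016Win32.xml`; it should be `templates\\MicrosoftOffice2016Win32.xml`. On the changed line, "both 32 and 64-bit processes" should be "both 32- and 64-bit processes".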
@ -342,7 +344,7 @@ For example, in a suited application, it might be useful to provide reminders ab
|
||||
|
||||
ProductVersion refers to the major and minor product versions of a file, as well as a build and patch level. ProductVersion is an optional element, but if specified, it must contain at least the Major child element. The value must express a range in the form Minimum="X" Maximum="Y" where X and Y are integers. The Minimum and Maximum values can be identical.
|
||||
|
||||
The product and file version elements may be left unspecified. Doing so makes the template “version agnostic”, meaning that the template will apply to all versions of the specified executable.
|
||||
The product and file version elements may be left unspecified. Doing so makes the template "version agnostic", meaning that the template will apply to all versions of the specified executable.
|
||||
|
||||
**Example 1:**
|
||||
|
||||
@ -368,7 +370,7 @@ File version: 5.0.2.1000 specified in the UE-V template generator produces the f
|
||||
</FileVersion>
|
||||
```
|
||||
|
||||
**Incorrect Example 1 – incomplete range:**
|
||||
**Incorrect Example 1 - incomplete range:**
|
||||
|
||||
Only the Minimum attribute is present. Maximum must be included in a range as well.
|
||||
|
||||
@ -378,7 +380,7 @@ Only the Minimum attribute is present. Maximum must be included in a range as we
|
||||
</ProductVersion>
|
||||
```
|
||||
|
||||
**Incorrect Example 2 – Minor specified without Major element:**
|
||||
**Incorrect Example 2 - Minor specified without Major element:**
|
||||
|
||||
Only the Minor element is present. Major must be included as well.
|
||||
|
||||
|
@ -15,13 +15,13 @@ ms.topic: article
|
||||
**Applies to**
|
||||
- Windows 10, version 1607
|
||||
|
||||
Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you’re planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic.
|
||||
Before you deploy User Experience Virtualization (UE-V), review this topic for important information about the type of deployment you're planning and for preparations you can make beforehand so that your deployment is successful. If you leave this page, be sure to come back and read through the planning information in this topic.
|
||||
|
||||
## Plan your UE-V deployment
|
||||
|
||||
With UE-V, you can synchronize user-defined application and operating system settings across all the devices that a user works from. Use UE-V to synchronize settings for Windows applications and custom applications, such as third-party and line-of-business applications.
|
||||
|
||||
Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, you’ll need to first deploy the features required to use UE-V.
|
||||
Whether you want to synchronize settings for only default Windows applications or for both Windows and custom applications, you'll need to first deploy the features required to use UE-V.
|
||||
|
||||
[Deploy required UE-V features](uev-deploy-required-features.md)
|
||||
|
||||
@ -29,7 +29,7 @@ Whether you want to synchronize settings for only default Windows applications o
|
||||
|
||||
- [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers
|
||||
|
||||
If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional additional UE-V features:
|
||||
If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you'll need to install and configure these optional additional UE-V features:
|
||||
|
||||
[Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md)
|
||||
|
||||
@ -49,11 +49,11 @@ The workflow diagram below illustrates a typical UE-V deployment and the decisio
|
||||
|
||||
### Planning a UE-V deployment
|
||||
|
||||
Review the following topics to determine which UE-V components you’ll be deploying.
|
||||
Review the following topics to determine which UE-V components you'll be deploying.
|
||||
|
||||
- [Decide whether to synchronize settings for custom applications](#decide-whether-to-synchronize-settings-for-custom-applications)
|
||||
|
||||
If you want to synchronize settings for custom applications, you’ll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks:
|
||||
If you want to synchronize settings for custom applications, you'll need to install the UE-V template generator. Use the generator to create custom settings location templates, which involves the following tasks:
|
||||
|
||||
- Review the [settings that are synchronized automatically in a UE-V deployment](#settings-automatically-synchronized-in-a-ue-v-deployment).
|
||||
|
||||
@ -79,11 +79,7 @@ This section explains which settings are synchronized by default in UE-V, includ
|
||||
|
||||
- A statement of support for Windows applications setting synchronization
|
||||
|
||||
For downloadable UE-V templates, see:
|
||||
|
||||
- [Microsoft Authored Office 2016 UE-V Templates](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8)
|
||||
|
||||
- [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367) (for Office 2013 and Office 2010)
|
||||
For downloadable UE-V templates, see: [User Experience Virtualization (UE-V) settings templates for Microsoft Office](https://www.microsoft.com/download/details.aspx?id=46367)
|
||||
|
||||
### Desktop applications synchronized by default in UE-V
|
||||
|
||||
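Review bot: The rewritten line drops the qualifier "(for Office 2013 and Office 2010)" that the removed line carried, so it now reads as if the Download Center package covers every Office version, including Office 2016, whose templates the table below says ship with UE-V. Keep the qualifier: "User Experience Virtualization (UE-V) settings templates for Microsoft Office (for Office 2013 and Office 2010)".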
@ -91,7 +87,7 @@ When you enable the UE-V service on user devices, it registers a default group o
|
||||
|
||||
| Application category | Description |
|
||||
|-----------------------------|-------------------|
|
||||
| Microsoft Office 2016 applications<br>[Download a list of all settings synced](https://gallery.technet.microsoft.com/Authored-Office-2016-32-0dc05cd8) | Microsoft Access 2016<br>Microsoft Lync 2016<br>Microsoft Excel 2016<br>Microsoft OneNote 2016<br>Microsoft Outlook 2016<br>Microsoft PowerPoint 2016<br>Microsoft Project 2016<br>Microsoft Publisher 2016<br>Microsoft SharePoint Designer 2013 (not updated for 2016)<br>Microsoft Visio 2016<br>Microsoft Word 2016<br>Microsoft Office Upload Manager<br>Microsoft Infopath has been removed (deprecated) from the Office 2016 suite |
|
||||
| Microsoft Office 2016 applications | Microsoft Access 2016<br>Microsoft Lync 2016<br>Microsoft Excel 2016<br>Microsoft OneNote 2016<br>Microsoft Outlook 2016<br>Microsoft PowerPoint 2016<br>Microsoft Project 2016<br>Microsoft Publisher 2016<br>Microsoft SharePoint Designer 2013 (not updated for 2016)<br>Microsoft Visio 2016<br>Microsoft Word 2016<br>Microsoft Office Upload Manager<br>Microsoft Infopath has been removed (deprecated) from the Office 2016 suite |
|
||||
| Microsoft Office 2013 applications<br>[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013<br>Microsoft Excel 2013<br>Microsoft Outlook 2013<br>Microsoft Access 2013<br>Microsoft Project 2013<br>Microsoft PowerPoint 2013<br>Microsoft Publisher 2013<br>Microsoft Visio 2013<br>Microsoft InfoPath 2013<br>Microsoft Lync 2013<br>Microsoft OneNote 2013<br>Microsoft SharePoint Designer 2013<br>Microsoft Office 2013 Upload Center<br>Microsoft OneDrive for Business 2013
|
||||
| Microsoft Office 2010 applications<br>[Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010<br>Microsoft Excel 2010<br>Microsoft Outlook 2010<br>Microsoft Access 2010<br>Microsoft Project 2010<br>Microsoft PowerPoint 2010<br>Microsoft Publisher 2010<br>Microsoft Visio 2010<br>Microsoft SharePoint Workspace 2010<br>Microsoft InfoPath 2010<br>Microsoft Lync 2010<br>Microsoft OneNote 2010<br>Microsoft SharePoint Designer 2010 |
|
||||
| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.<br>**Note**<br>UE-V does not roam settings for Internet Explorer cookies. |
|
||||
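Review bot: Removing the "Download a list of all settings synced" link from the Office 2016 row leaves that row with no pointer while the 2013 and 2010 rows keep theirs. The settings location template reference changed earlier in this commit names the shipped templates under %ProgramFiles%\Microsoft User Experience Virtualization\templates (MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml); consider pointing readers there for the Office 2016 settings list rather than leaving the cell bare.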
@ -120,7 +116,7 @@ UE-V includes settings location templates that capture settings values for these
|
||||
| **Application Settings** | Windows applications | Close application<br>Windows application settings change event | Start the UE-V App Monitor at startup<br>Open app<br>Windows application settings change event<br>Arrival of a settings package |
|
||||
| | Desktop applications | Application closes | Application opens and closes |
|
||||
| **Desktop settings** | Desktop background | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
|
||||
| | Ease of Access (Common – Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on |
|
||||
| | Ease of Access (Common - Accessibility, Narrator, Magnifier, On-Screen-Keyboard) | Lock or Log off | Log on |
|
||||
| | Ease of Access (Shell - Audio, Accessibility, Keyboard, Mouse) | Lock or log off | Log on, unlock, remote connect, notification of new package arrival, or scheduled task runs |
|
||||
| | Desktop settings | Lock or log off | Log on |
|
||||
|
||||
@ -150,7 +146,7 @@ Printer roaming in UE-V requires one of these scenarios:
|
||||
|
||||
### Determine whether you need settings synchronized for other applications
|
||||
|
||||
After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
|
||||
After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you'll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise.
|
||||
|
||||
As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments.
|
||||
|
||||
@ -164,7 +160,7 @@ In general, you can synchronize settings that meet the following criteria:
|
||||
|
||||
### Checklist for evaluating custom applications
|
||||
|
||||
If you’ve decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you’ll include.
|
||||
If you've decided that you need to synchronize settings for custom applications, use this checklist to determine which applications you'll include.
|
||||
|
||||
| | Description |
|
||||
|-------|--------------------------|
|
||||
@ -266,7 +262,7 @@ For more information, see the [Windows Application List](uev-managing-settings-l
|
||||
|
||||
### Custom UE-V settings location templates
|
||||
|
||||
If you are deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
|
||||
If you are deploying UE-V to synchronize settings for custom applications, you'll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices.
|
||||
|
||||
Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell.
|
||||
|
||||
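Review bot: The context line after the changed one reads "such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog"; "with preferences" is dangling. Given the next sentence names "Configuration Manager or Group Policy", it should read "..., Group Policy preferences, or by configuring a UE-V settings template catalog".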
@ -298,7 +294,7 @@ Specify your requirements for UE-V with standard disk capacity and network healt
|
||||
|
||||
UE-V uses a Server Message Block (SMB) share for the storage of settings packages. The size of settings packages varies depending on the settings information for each application. While most settings packages are small, the synchronization of potentially large files, such as desktop images, can result in poor performance, particularly on slower networks.
|
||||
|
||||
To reduce problems with network latency, create settings storage locations on the same local networks where the users’ computers reside. We recommend 20 MB of disk space per user for the settings storage location.
|
||||
To reduce problems with network latency, create settings storage locations on the same local networks where the users' computers reside. We recommend 20 MB of disk space per user for the settings storage location.
|
||||
|
||||
By default, UE-V synchronization times out after 2 seconds to prevent excessive lag due to a large settings package. You can configure the SyncMethod=SyncProvider setting by using [Group Policy objects](uev-configuring-uev-with-group-policy-objects.md).
|
||||
|
||||
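Review bot: In the context lines after the changed one, "By default, UE-V synchronization times out after 2 seconds" is followed directly by "You can configure the SyncMethod=SyncProvider setting by using Group Policy objects", which reads as if SyncMethod controls the timeout; either name the setting that sets the timeout or separate the two statements. The same paragraph says settings packages are stored on an SMB share but gives no share or NTFS permission guidance; a sentence on restricting each user's settings storage path to that user belongs next to the 20 MB sizing advice.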
@ -339,7 +335,7 @@ Before you proceed, ensure that your environment meets these requirements for us
|
||||
> [!NOTE]
|
||||
> - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed.
|
||||
>
|
||||
> - The “Delete Roaming Cache” policy for mandatory profiles is not supported with UE-V and should not be used.
|
||||
> - The "Delete Roaming Cache" policy for mandatory profiles is not supported with UE-V and should not be used.
|
||||
|
||||
There are no special random access memory (RAM) requirements specific to UE-V.
|
||||
|
||||
|
@ -17,14 +17,11 @@ ms.topic: article
|
||||
|
||||
Microsoft User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. The combination of UE-V and App-V support for Office enables the same experience on virtualized instances of Office from any UE-V-enabled device or virtualized desktop.
|
||||
|
||||
To synchronize Office applications settings, you can download Office templates from the [User Experience Virtualization (UE-V) Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V). This resource provides Microsoft-authored UE-V settings location templates as well as community-developed settings location templates.
|
||||
|
||||
|
||||
## Microsoft Office support in UE-V
|
||||
|
||||
UE-V includes settings location templates for Microsoft Office 2016, 2013, and 2010. In previous versions of UE-V, settings location templates for Office 2013 and Office 2010 were distributed and registered when you installed the UE-V agent. Now that UE-V is a feature in Windows 10, version 1607, settings location templates are installed when you install or upgrade to the new operating system.
|
||||
|
||||
These templates help synchronize users’ Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
|
||||
These templates help synchronize users' Office experience between devices. Microsoft Office 2016 settings roamed by Office 365 experience are not included in these settings. For a list of Office 365-specific settings, see [Overview of user and roaming settings for Office](/previous-versions/office/office-2013-resource-kit/jj733593(v=office.15)).
|
||||
|
||||
## Synchronized Office Settings
|
||||
|
||||
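Review bot: Removing the Template Gallery paragraph leaves the page with no statement of where Office templates come from before the "Microsoft Office support in UE-V" section, while the deployment bullets later on the page still tell the reader to "copy the Office template into the folder". Since the next section already says the Office templates are installed with Windows 10, version 1607, consider replacing the removed paragraph with a one-line pointer to that section rather than deleting it outright.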
@ -56,6 +53,6 @@ You can deploy UE-V settings location template with the following methods:
|
||||
|
||||
For more information about using UE-V and Windows PowerShell, see [Managing UE-V settings location templates using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
|
||||
|
||||
- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users’ computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md).
|
||||
- **Registering template with Template Catalog Path**. If you use the Settings Template Catalog Path to manage templates on users' computers, copy the Office template into the folder defined in the UE-V service. The next time the Template Auto Update (ApplySettingsCatalog.exe) scheduled task runs, the settings location template will be registered on the device. For more information, see [Deploy a settings template catalog](uev-deploy-uev-for-custom-applications.md).
|
||||
|
||||
- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices.
|
||||
- **Registering template with Configuration Manager**. If you use Configuration Manager to manage your UE-V settings storage templates, recreate the Template Baseline CAB, import it into Configuration Manager, and then deploy the baseline to user devices.
|
||||
|
@ -10,22 +10,22 @@ ms.author: aaroncz
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# What's New in UE-V
|
||||
# What's new in UE-V
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1607
|
||||
|
||||
User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. See [UE-V Release notes](uev-release-notes-1607.md) for more information about the UE-V for Windows 10, version 1607 release.
|
||||
User Experience Virtualization (UE-V) for Windows 10, version 1607, includes these new features and capabilities compared to UE-V 2.1. For more information about the UE-V for Windows 10, version 1607 release, see [UE-V Release notes](uev-release-notes-1607.md).
|
||||
|
||||
## UE-V is now a feature in Windows 10
|
||||
## UE-V is a feature in Windows 10
|
||||
|
||||
With Windows 10, version 1607 and later releases, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack.
|
||||
With Windows 10, version 1607 and later releases, UE-V is included with Windows Enterprise. It's no longer part of the Microsoft Desktop Optimization Pack.
|
||||
|
||||
The changes in UE-V for Windows 10, version 1607 impact already existing implementations of UE-V in the following ways:
|
||||
|
||||
- The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users’ UE-V configurations, and updates the settings storage path.
|
||||
- The UE-V Agent is replaced by the UE-V service. The UE-V service is installed with Windows 10, version 1607 and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the UE-V service, migrates users' UE-V configurations, and updates the settings storage path.
|
||||
|
||||
- The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work.
|
||||
- The UE-V template generator is available from the Windows 10 ADK. In previous releases of UE-V, the template generator was included in the Microsoft Desktop Optimization Pack. Although you'll need to use the new template generator to create new settings location templates, existing settings location templates will continue to work.
|
||||
|
||||
- The Company Settings Center was removed and is no longer available on user devices. Users can no longer manage their synchronized settings.
|
||||
|
||||
@ -33,11 +33,11 @@ The changes in UE-V for Windows 10, version 1607 impact already existing impleme
|
||||
|
||||
For more information about how to configure an existing UE-V installation after upgrading user devices to Windows 10, see [Upgrade to UE-V for Windows 10](uev-upgrade-uev-from-previous-releases.md).
|
||||
|
||||
> **Important** You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10.
|
||||
> **Important** You can upgrade your existing UE-V installation to Windows 10 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you'll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10.
|
||||
|
||||
## New UE-V template generator is available from the Windows 10 ADK
|
||||
|
||||
UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you’ll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) (Windows ADK).
|
||||
UE-V for Windows 10 includes a new template generator, available from a new location. If you are upgrading from an existing UE-V installation, you'll need to use the new generator to create settings location templates. The UE-V for Windows 10 template generator is now available in the [Windows 10 Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK).
|
||||
|
||||
## Company Settings Center removed in UE-V for Windows 10, version 1607
|
||||
|
||||
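Review bot: The Important callout in this hunk uses inline bold, `> **Important** You can upgrade...`, while the other pages touched by this commit use the docs alert syntax (`> [!TIP]`, `> [!NOTE]`). Since the line is being edited anyway, switch it to `> [!IMPORTANT]` on its own line followed by the text on the next quoted line.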
@ -57,21 +57,21 @@ Administrators can still define which user-customized application settings can s
|
||||
|
||||
With Windows 10, version 1607, users can synchronize Windows application settings and Windows operating system settings to Azure instead of to OneDrive. You can use the Windows 10 enterprise sync functionality together with UE-V for on-premises domain-joined devices only.
|
||||
|
||||
In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-overview) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
|
||||
In hybrid cloud environments, UE-V can roam Win32 applications on-premises while [Enterprise State Roaming](/azure/active-directory/devices/enterprise-state-roaming-enable) (ESR) can roam the rest, e.g., Windows and desktop settings, themes, colors, etc., to an Azure cloud installation.
|
||||
|
||||
To configure UE-V to roam Windows desktop and application data only, change the following group policies:
|
||||
|
||||
- Disable “Roam Windows settings” group policy
|
||||
- Disable "Roam Windows settings" group policy
|
||||
|
||||
- Enable “Do not synchronize Windows Apps” group policy
|
||||
- Enable "Do not synchronize Windows Apps" group policy
|
||||
|
||||
For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-options-for-roaming-settings-for-existing-windows-desktop-applications).
|
||||
For more information about using UE-V with Enterprise State Roaming, see [Settings and data roaming FAQ](/azure/active-directory/devices/enterprise-state-roaming-faqs#what-are-the-roaming-settings-options-for-existing-windows-desktop-applications-).
|
||||
|
||||
Additionally, to enable Windows 10 and UE-V to work together, configure these policy settings in the Microsoft User Experience Virtualization node:
|
||||
|
||||
- Enable “Do Not Synchronize Windows Apps”
|
||||
- Enable "Do Not Synchronize Windows Apps"
|
||||
|
||||
- Disable “Sync Windows Settings”
|
||||
- Disable "Sync Windows Settings"
|
||||
|
||||
|
||||
## Settings Synchronization Behavior Changed in UE-V for Windows 10
|
||||
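Review bot: The two bullet lists in this hunk name what appear to be the same two policies inconsistently: "Roam Windows settings" versus "Sync Windows Settings", and "Do not synchronize Windows Apps" versus "Do Not Synchronize Windows Apps". Use the exact policy display names once and drop the duplicate list, or state why the "Microsoft User Experience Virtualization node" list is a separate step. The ESR link change from -overview to -enable also moves readers from the concept page to the enablement page; confirm that is intended.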
@ -100,7 +100,7 @@ Printer roaming in UE-V requires one of these scenarios:
|
||||
|
||||
## Office 2016 Settings Location Template
|
||||
|
||||
UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. We’ve added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings.
|
||||
UE-V for Windows 10, version 1607 includes the Microsoft Office 2016 settings location template with improved Outlook signature support. We've added synchronization of default signature settings for new, reply, and forwarded emails. Users no longer have to choose the default signature settings.
|
||||
|
||||
> **Note** An Outlook profile must be created on any device on which a user wants to synchronize their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization.
|
||||
|
||||
@ -112,11 +112,7 @@ To enable settings synchronization using UE-V, do one of the following:
|
||||
|
||||
- Do not enable the Office 365 synchronization experience during Office 2013 installation
|
||||
|
||||
UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 templates are no longer supported. Users can still use Office 2007 templates from UE-V 2.0 or earlier and can still get templates from the [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V).
|
||||
|
||||
|
||||
|
||||
|
||||
UE-V includes Office 2016, Office 2013, and Office 2010 templates.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
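Review bot: Along with the gallery link, this hunk drops "Office 2007 templates are no longer supported", which is a support statement independent of the gallery. Keep it on the rewritten line: "UE-V includes Office 2016, Office 2013, and Office 2010 templates. Office 2007 templates are no longer supported."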
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Working with Custom UE-V Templates and the UE-V Template Generator
|
||||
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
|
||||
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
|
||||
author: aczechowski
|
||||
ms.prod: w10
|
||||
ms.date: 04/19/2017
|
||||
@ -14,7 +14,7 @@ ms.topic: article
|
||||
# Working with custom UE-V templates and the UE-V template generator
|
||||
|
||||
**Applies to**
|
||||
- Windows 10, version 1607
|
||||
- Windows 10
|
||||
|
||||
User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. You can also edit or validate custom settings location templates with the UE-V template generator.
|
||||
|
||||
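Review bot: The "Applies to" list is changed to "Windows 10" here, but the other UE-V pages in this commit keep "Windows 10, version 1607". Pick one form and apply it across the set, or state here that the version floor is 1607, since the same commit's What's new page says the UE-V service and the ADK-based template generator exist only from that release.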
@ -33,9 +33,9 @@ Discovered settings are grouped into two categories: **Standard** and **Non-stan

The UE-V template generator opens the application as part of the discovery process. The generator can capture settings in the following locations:

- **Registry Settings** – Registry locations under **HKEY\_CURRENT\_USER**
- **Registry Settings** - Registry locations under **HKEY\_CURRENT\_USER**

- **Application Settings Files** – Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming**
- **Application Settings Files** - Files that are stored under \\ **Users** \\ \[User name\] \\ **AppData** \\ **Roaming**

The UE-V template generator excludes locations, which commonly store application software files, but do not synchronize well between user computers or environments. The UE-V template generator excludes these locations. Excluded locations are as follows:

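Review bot: the unchanged context line after the two edited bullets states the exclusion twice (`The UE-V template generator excludes locations, which commonly store ... The UE-V template generator excludes these locations.`), and the comma before `which` makes the clause non-restrictive, so it reads as if all locations are excluded. While this list is being touched, collapse it to one sentence: `The UE-V template generator excludes locations that commonly store application software files but do not synchronize well between user computers or environments. Excluded locations are as follows:`.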
@ -57,7 +57,7 @@ If registry keys and files that are stored in these locations are required to sy

Use the UE-V template generator to edit settings location templates. When the revised settings are added to the templates with the UE-V template generator, the version information within the template is automatically updated to ensure that any existing templates that are deployed in the enterprise are updated correctly.

**To edit a UE-V settings location template with the UE-V template generator**
### To edit a UE-V settings location template with the UE-V template generator

1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator.

@ -91,7 +91,7 @@ Use the UE-V template generator to edit settings location templates. When the re

After you edit the settings location template for an application, you should test the template. Deploy the revised settings location template in a lab environment before you put it into production in the enterprise.

**How to manually edit a settings location template**
### How to manually edit a settings location template

1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values.

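Review bot: the unchanged step directly under the new heading reads `identify the locations where application store settings values`; `application store` should be `applications store`. It is worth fixing in this hunk since the heading above it is already being rewritten.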
@ -108,14 +108,14 @@ Use the UE-V template generator to edit settings location templates. When the re

6. Validate the modified settings location template file by using the UE-V template generator.

7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users’ computers should then update as scheduled in the scheduled task.
7. You must register the edited UE-V settings location template before it can synchronize settings between client computers. To register a template, open Windows PowerShell, and then run the following cmdlet: `update-uevtemplate [templatefilename]`. You can then copy the file to the settings storage catalog. The UE-V Agent on users' computers should then update as scheduled in the scheduled task.

## <a href="" id="validate"></a>Validate settings location templates with the UE-V template generator


It is possible to create or edit settings location templates in an XML editor without using the UE-V template generator. If you do, you can use the UE-V template generator to validate that the new or revised XML matches the schema that has been defined for the template.

**To validate a UE-V settings location template with the UE-V template generator**
To validate a UE-V settings location template with the UE-V template generator:

1. Open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator** to open the template generator.

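Review bot: `**To validate a UE-V settings location template with the UE-V template generator**` is turned into a plain sentence ending in a colon, while the two earlier hunks in this file turn the matching `**To edit ...**` and `**How to manually edit ...**` lines into `###` headings; the three procedure titles should get the same treatment. In step 7 the cmdlet is still spelled `update-uevtemplate [templatefilename]`; since that line is being edited for the apostrophe anyway, use the PascalCase form `Update-UevTemplate`, the convention for PowerShell cmdlet names, so the reader can find it in help output.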
@ -129,35 +129,8 @@ It is possible to create or edit settings location templates in an XML editor wi

After you validate the settings location template for an application, you should test the template. Deploy the template in a lab environment before you put it into a production environment in enterprise.

## <a href="" id="share"></a>Share settings location templates with the Template Gallery

The [User Experience Virtualization Template Gallery](https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V&f%5B0%5D.Text=UE-V) enables administrators to share their UE-V settings location templates. Upload your settings location templates to the gallery for other users to use, and download templates that other users have created.

Before you share a settings location template on the UE-V template gallery, ensure it does not contain any personal or company information. You can use any XML viewer to open and view the contents of a settings location template file. The following template values should be reviewed before you share a template with anyone outside your company.

- Template Author Name – Specify a general, non-identifying name for the template author name or exclude this data from the template.

- Template Author Email – Specify a general, non-identifying template author email or exclude this data from the template.

Before you deploy any settings location template that you have downloaded from the UE-V gallery, you should first test the template to ensure that the application settings synchronize settings correctly in a test environment.






## Related topics

## Next steps

[Administering UE-V](uev-administering-uev.md)

[Use UE-V with custom applications](uev-deploy-uev-for-custom-applications.md)









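Review bot: the bullets `- Template Author Name – ...` and `- Template Author Email – ...` still use an en dash, which the hunk at line 33 of this same file replaces with `-` in identically styled bullets; normalize them here too. `## Related topics` becomes `## Next steps`, but the two links under it (Administering UE-V, Use UE-V with custom applications) are reference articles, not steps that follow this procedure; `## Related articles`, the label used in the Configuration Manager file elsewhere in this commit, describes them more accurately.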
@ -1,5 +1,5 @@
---
title: FirstExperience (Windows 10)
title: FirstExperience
description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
author: aczechowski
@ -13,18 +13,18 @@ manager: dougeby

# FirstExperience (Windows Configuration Designer reference)

Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens.
Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens.

## Applies to

| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| Setting | Windows client | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: |
| All settings | | | ✔️ | |
| All settings | | | X | |

Setting | Description
--- | ---
PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region.
PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11))
SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration.
SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training.
SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.<br><br>**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens-setup). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#create-a-provisioning-package-for-hololens-using-the-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md).
| Setting | Description |
| --- | --- |
| PreferredRegion | Enter the [geographical location identifier](/windows/win32/intl/table-of-geographical-locations) for the region. |
| PreferredTimezone | Enter the timezone. [Microsoft Time Zone Index Values](/previous-versions/windows/embedded/ms912391(v=winembedded.11)) |
| SkipCalibration | Initial setup of HoloLens includes a calibration step. Set to **True** to skip calibration. |
| SkipTraining | Initial setup of HoloLens includes training on how to perform the gestures to operate HoloLens. Set to **True** to skip training. |
| SkipWifi | Set to **True** to skip connecting to a Wi-Fi network.<br><br>**Note:** HoloLens [requires a Wi-Fi connection during setup to verify the account](/hololens/hololens2-start). To skip the Wi-Fi connection page during setup, your provisioning package must provide the network configuration. You can configure the network configuration [in the HoloLens wizard](/hololens/hololens-provisioning#provisioning-package-hololens-wizard) and then switch to the advanced editor to configure **FirstExperience** settings, or in advanced settings, configure a WLAN [connectivity profile](wcd-connectivityprofiles.md). |
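Review bot: replacing `✔️` with `X` in the `All settings` row of the Applies-to table is ambiguous, since a bare `X` is widely read as "not supported", which would invert the meaning for HoloLens, the one platform this page covers (`Use these settings to configure the out-of-box experience (OOBE) to set up HoloLens.`). If the emoji is being dropped for rendering reasons, use a word such as `Yes` or the text marker used in the other Windows Configuration Designer reference tables. The SkipWifi row also changes both link targets (`/hololens/hololens-setup` to `/hololens/hololens2-start`, and the wizard anchor from `#create-a-provisioning-package-for-hololens-using-the-hololens-wizard` to `#provisioning-package-hololens-wizard`); confirm that the new anchor exists on the target page before merging, since a broken anchor silently lands the reader at the top of the article.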
@ -7,49 +7,52 @@ ms.author: aaroncz
ms.prod: w10
ms.localizationpriority: medium
author: aczechowski
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.topic: how-to
---

# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager

**Applies to**

- Windows 10
- Windows 10

This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
This article walks you through the Zero Touch Installation (ZTI) process of Windows 10 OS deployment using Microsoft Endpoint Configuration Manager [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).

## Prerequisites

In this topic, you will use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:
In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment:

- Configuration Manager current branch + all security and critical updates are installed.
    - Note: Procedures in this guide use ConfigMgr 1910. For information about the version of Windows 10 supported by ConfigMgr, see [Support for Windows 10](/configmgr/core/plan-design/configs/support-for-windows-10).
- The [Active Directory Schema has been extended](/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/configmgr/core/servers/deploy/configure/configure-discovery-methods).
- IP range [boundaries and a boundary group](/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
- The Configuration Manager [reporting services](/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.

    > [!NOTE]
    > Procedures in this guide use Configuration Manager version 1910. For more information about the versions of Windows 10 supported by Configuration Manager, see [Support for Windows 10](/mem/configmgr/core/plan-design/configs/support-for-windows-10).
- The [Active Directory Schema has been extended](/mem/configmgr/core/plan-design/network/extend-the-active-directory-schema) and System Management container created.
- Active Directory Forest Discovery and Active Directory System Discovery are [enabled](/mem/configmgr/core/servers/deploy/configure/configure-discovery-methods).
- IP range [boundaries and a boundary group](/mem/configmgr/core/servers/deploy/configure/define-site-boundaries-and-boundary-groups) for content and site assignment have been created.
- The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
- The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
    - Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.
- The [CMTrace tool](/mem/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.

For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01.
    > [!NOTE]
    > CMTrace is automatically installed with the current branch of Configuration Manager.

For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01.
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server.
- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer does not need to be a domain member.
- HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member.

All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.

All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.
All server and client computers referenced in this guide are on the same subnet. This configuration isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates.

### Domain credentials

The following generic credentials are used in this guide. You should replace these credentials as they appear in each procedure with your credentials.

**Active Directory domain name**: contoso.com<br>
**Domain administrator username**: administrator<br>
**Domain administrator password**: pass@word1
- **Active Directory domain name**: `contoso.com`
- **Domain administrator username**: `administrator`
-**Domain administrator password**: `pass@word1`

## Create the OU structure

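Review bot: the new third credential line, `-**Domain administrator password**: ...`, is missing the space after the list marker, so it will not render as a bullet and will run into the previous item; change it to `- **Domain administrator password**: ...` to match the two lines above it. Separately, collapsing the CMTrace sub-note to `> CMTrace is automatically installed with the current branch of Configuration Manager.` removes the install path `Program Files\Microsoft Configuration Manager\tools\cmtrace.exe`, which is the one piece of that note the later steps depend on (`4. Using the CMTrace tool, review the ... distmgr.log file`); keep the path even if the Toolkit history and the 5.0.8913.1000 version number are dropped.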
@ -60,7 +63,7 @@ On **DC01**:

To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell.

To use Windows PowerShell, copy the following commands into a text file and save it as <b>C:\Setup\Scripts\ou.ps1</b>. Be sure that you are viewing file extensions and that you save the file with the .ps1 extension.
To use Windows PowerShell, copy the following commands into a text file and save it as **C:\Setup\Scripts\ou.ps1**. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension.

```powershell
$oulist = Import-csv -Path c:\oulist.txt
@ -106,10 +109,10 @@ On **DC01**:
2. Select the Service Accounts OU and create the CM\_JD account using the following settings:

    * Name: CM\_JD
    * User logon name: CM\_JD
    * Password: pass@word1
    * User sign-in name: CM\_JD
    * Password: `pass@word1`
    * User must change password at next logon: Clear
    * User cannot change password: Selected
    * User can't change password: Selected
    * Password never expires: Selected

3. Repeat the step, but for the CM\_NAA account.
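Review bot: `User logon name` and `User cannot change password` are the literal field and checkbox labels in the Active Directory Users and Computers new-user dialog that this step tells the reader to fill in; rewriting them to `User sign-in name` and `User can't change password` applies the style guide to UI strings the reader has to match on screen. Keep UI text as the product displays it (bold it if the page's convention calls for that), and apply the contraction rule only to the surrounding prose. Putting the password in backticks is fine.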
@ -120,13 +123,13 @@ On **DC01**:

## Configure Active Directory permissions

In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you have downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01.
In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://github.com/DeploymentArtist/SWP1/tree/master/Scripts) and copied it to C:\\Setup\\Scripts on DC01.

On **DC01**:

1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:

    ```
    ```powershell
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
    Set-Location C:\Setup\Scripts
    .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
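Review bot: the `Set-OUPermissions.ps1` link now points at a third-party GitHub repository on a moving branch (`https://github.com/DeploymentArtist/SWP1/tree/master/Scripts`), and the very next step runs that script as contoso\administrator from an elevated prompt on the domain controller, right after `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force` lowers the execution policy. Link to a specific commit or tagged release rather than `master`, and add a sentence telling the reader to review the script (it delegates rights on the Workstations OU to `CM_JD`) before running it, so the procedure does not amount to executing unpinned code on a DC. Tagging the fence as `powershell` is a good fix.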
@ -199,7 +202,7 @@ On **CM01**:

1. Sign in as contoso\administrator.
2. Ensure the Configuration Manager Console is closed before continuing.
5. Click Start, type **Configure ConfigManager Integration**, and run the application the following settings:
5. Select Start, type **Configure ConfigManager Integration**, and run the application the following settings:

    * Site Server Name: CM01.contoso.com
    * Site code: PS1
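Review bot: the rewritten step is still numbered `5.` directly after `2. Ensure the Configuration Manager Console is closed before continuing.`, and `run the application the following settings` is missing `with`; since the line is being edited for `Select` anyway, fix both: `3. Select Start, type **Configure ConfigManager Integration**, and run the application with the following settings:`.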
@ -214,9 +217,9 @@ Most organizations want to display their name during deployment. In this section

On **CM01**:

1. Open the Configuration Manager Console, select the Administration workspace, then click **Client Settings**.
2. In the right pane, right-click **Default Client Settings** and then click **Properties**.
3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
1. Open the Configuration Manager Console, select the Administration workspace, then select **Client Settings**.
2. In the right pane, right-click **Default Client Settings** and then select **Properties**.
3. In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and select **OK**.



@ -261,7 +264,7 @@ On **CM01**:
Configure the CM01 distribution point for PXE.

>[!NOTE]
>If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).
>If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe).

4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.

@ -275,13 +278,13 @@ On **CM01**:

The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.

**Note**: These files are used by WDS. They are not used by the ConfigMgr PXE Responder. This article does not use the ConfigMgr PXE Responder.
**Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. This article doesn't use the ConfigMgr PXE Responder.

Next, see [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md).

## Components of Configuration Manager operating system deployment

Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are additional components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which is not used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.
Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are other components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10.

- **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios.
- **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages.
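Review bot: `**Note**: These files are used by WDS. They aren't used by the ConfigMgr PXE Responder. ...` keeps the inline bold-note form, while the next hunk in this file converts the identical `**Note** The Windows Assessment and Deployment Kit ...` pattern into a `> [!NOTE]` alert; convert this one the same way so the page uses a single note style.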
@ -291,26 +294,22 @@ Operating system deployment with Configuration Manager is part of the normal sof
- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image.
- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md).
- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers.
- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides additional task sequence templates to Configuration Manager.
- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides extra task sequence templates to Configuration Manager.

**Note** The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.
> [!NOTE]
> The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10.

## Why integrate MDT with Configuration Manager

As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.

>[!NOTE]
>MDT installation requires the following:
>- The Windows ADK for Windows 10 (installed in the previous procedure)
>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check)
>- Microsoft .NET Framework
As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager.

### MDT enables dynamic deployment

When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used.
When MDT is integrated with Configuration Manager, the task sequence takes other instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have a script or web services provide the settings used.

The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples:
- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence.

- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence.

``` syntax
[Settings]
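Review bot: the deleted alert `>MDT installation requires the following:` (Windows ADK for Windows 10, Windows PowerShell 5.1 with the `$host` check, Microsoft .NET Framework) is not reinstated anywhere in the visible diff, and the Prerequisites list earlier in this file only says that MDT version 8456 is installed, not what MDT itself depends on. If the removal is intentional, fold the PowerShell and .NET requirements into the ADK/MDT/DaRT prerequisites bullet; otherwise keep the alert here. Generalizing `Microsoft Visual Basic Scripting Edition (VBScripts)` to `a script` is fine.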
@ -342,7 +341,7 @@ The Gather action in the task sequence is reading the rules.

### MDT adds an operating system deployment simulation environment

When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
When testing a deployment, it's important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).



@ -362,26 +361,34 @@ For some deployment scenarios, you may need to prompt the user for information d
|
||||
|
||||

|
||||
|
||||
The optional UDI wizard open in the UDI Wizard Designer.
|
||||
The optional UDI wizard opens in the UDI Wizard Designer.
|
||||
|
||||
MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager.
|
||||
|
||||
### Why use MDT Lite Touch to create reference images
|
||||
|
||||
You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
|
||||
|
||||
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
|
||||
- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
|
||||
- The Configuration Manager task sequence does not suppress user interface interaction.
|
||||
- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured.
|
||||
- MDT Lite Touch does not require any infrastructure and is easy to delegate.
|
||||
- Configuration Manager performs deployment in the LocalSystem context. This means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
|
||||
- The Configuration Manager task sequence doesn't suppress user interface interaction.
|
||||
- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured.
|
||||
- MDT Lite Touch doesn't require any infrastructure and is easy to delegate.
|
||||
|
||||
## Related topics
|
||||
## Related articles
|
||||
|
||||
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
|
||||
|
||||
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
|
||||
|
||||
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
|
||||
|
||||
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
|
||||
|
||||
[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
|
||||
|
||||
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)<br>
[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)<br>
[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)<br>
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
@ -39,12 +39,8 @@ sections:
- question: |
Can I evaluate Windows 10 Enterprise?
answer: |
Yes, a 90-day evaluation of Windows 10 Enterprise is available. The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [Evaluation Center](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
- name: Drivers and compatibility
questions:
- question: |
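Review bot: the new answer line capitalizes "Evaluation" in "90-day Evaluation" while the first sentence of the same line has "90-day evaluation"; use lowercase in both. While this line is being rewritten, "get hands on experience" should be "get hands-on experience". Dropping the Eval Center outage note is consistent with linking straight to the Evaluation Center, but the same note is removed in several other files in this change, so check that no copy is left behind.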
@ -74,12 +70,9 @@ sections:
- question: |
Which deployment tools support Windows 10?
answer: |
Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
Updated versions of Microsoft deployment tools, including Microsoft Endpoint Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) support Windows 10.
- [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using Configuration Manager, download a free 180-day trial.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
- [Microsoft Endpoint Configuration Manager](/mem/configmgr) simplifies the deployment and management of Windows 10. If you aren't currently using it, download a free 180-day trial of [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager).
- [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.
@ -98,9 +98,9 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
### Do not connect to any Windows Update Internet locations
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update, the Microsoft Store, or the Microsoft Store for Business.
Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Microsoft Store for Business, Windows Update for Business, and Delivery Optimization to stop working.
>[!NOTE]
>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
@ -7,7 +7,6 @@ ms.author: aaroncz
manager: dougeby
ms.reviewer: kaushika
ms.topic: troubleshooting
ms.custom: seo-marvel-apr2020
ms.collection: highpri
---
@ -42,7 +41,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation |
|---------|-------------|------------|
| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.<br><br>If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).|
| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.|
## 0x80072EFD or 0x80072EFE or 0x80D02002
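Review bot: the removed fallback linked to gallery.technet.microsoft.com, which is retired, so dropping it is right, but the BG_E_VALIDATION_FAILED mitigation is now a single firewall check; if a supported replacement for the Windows Update reset steps exists in the docs set, link it here rather than leaving the row with no second step.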
@ -84,7 +83,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. |
| WU_E_CALL_CANCELLED | Operation was canceled. | The operation was canceled by the user or service. You might also receive this error when we're unable to filter the results. |
## 0x8024000E
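Review bot: with the script link gone, the sentence "You might also receive this error when we're unable to filter the results." in the WU_E_CALL_CANCELLED row names a cause with no corresponding action, so the reader is left hanging; either remove the sentence or state what to do when filtering fails. The "we" also reads oddly in a reference table; "when the service is unable to filter the results" is clearer.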
@ -96,19 +95,19 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.<br><br>Review [KB920659](/troubleshoot/windows-server/deployment/wsus-selfupdate-not-send-automatic-updates) for instructions to resolve the issue. |
| WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the Wuident.cab file. | You might encounter this error when WSUS is not sending the self-update to the clients.<br><br>For more information to resolve the issue, review [KB920659](/troubleshoot/windows-server/deployment/wsus-selfupdate-not-send-automatic-updates). |
## 0x80244007
| Message | Description | Mitigation |
|---------|-------------|------------|
| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update. <br><br>Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. |
| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | This issue occurs because Windows can't renew the cookies for Windows Update. <br><br>For more information to resolve the issue, see [0x80244007 error when Windows tries to scan for updates on a WSUS server](https://support.microsoft.com/topic/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-server-6af342d9-9af6-f3bb-b6ad-2be56bf7826e). |
## 0x80070422
| Message | Description | Mitigation |
|---------|-------------|------------|
| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.<br> |
| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running. |
## 0x800f0821
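Review bot: "For more information to resolve the issue, review [KB920659]..." in the WU_E_SETUP_SKIP_UPDATE row, and the parallel phrasing in the 0x80244007 row, read awkwardly; "To resolve the issue, see ..." says the same thing. Putting `WU_E_PT_SOAP_*` in backticks instead of escaping the asterisk is the right fix, and replacing the bare KB number with the article title as link text is an improvement; do the same for the KB920659 link so the two rows match.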
@ -145,7 +144,7 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation |
|---------|-------------|------------|
| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.<br> Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. |
| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.<br> Go to %Windir%\logs\CBS, open the last CBS.log and search for ", error" and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. |
## 0x80070570
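Review bot: while the E_ACCESSDENIED row is being touched for straight quotes, "It could be access denied to a file, registry key." should read "to a file or a registry key", and the search string ", error" is better in backticks, as the ERROR_PATH_NOT_FOUND row in this same change does with `, error`, so the leading comma and space survive rendering and the reader pastes the exact string into the log search.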
@ -158,14 +157,14 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. |
| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for `, error`. Then match the results with the timestamp. |
## 0x80070020
| Message | Description | Mitigation |
|---------|-------------|------------|
| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus. <br> 1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/) <br> 2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon). <br> 3. Run Procmon.exe. It will start data capture automatically. <br> 4. Install the update package again <br> 5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture. <br> 6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file <br> 7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error <br> 8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”). <br> 9. Try to stop it or uninstall the process causing the error. |
| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus. <br> 1. [Perform a clean boot and retry the installation](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd) <br> 2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon). <br> 3. Run Procmon.exe. It will start data capture automatically. <br> 4. Install the update package again <br> 5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture. <br> 6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file <br> 7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error <br> 8. In Process Monitor, filter for path and insert the file name (it should be something like "path" "contains" "filename from CBS"). <br> 9. Try to stop it or uninstall the process causing the error. |
## 0x80073701
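Review bot: the ERROR_SHARING_VIOLATION row only swaps quote characters, but since the line is in the diff: "sysinternal tool" should be "Sysinternals tool", steps 4 and 6 lack terminal periods, and "After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error" should read "A few lines above the error you should find the file that was being accessed during the installation and that caused the sharing violation". The move of the clean-boot link to support.microsoft.com/topic is good.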
@ -183,19 +182,19 @@ The following table provides information about common errors you might run into
| Message | Description | Mitigation |
|---------|-------------|------------|
| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.<br> From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE* <br> Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you’re using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. |
| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.<br> From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE* <br> Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you're using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. |
## 0x80072F8F
| Message | Description | Mitigation |
|---------|-------------|------------|
| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/).
| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392).
## 0x80072EE2
| Message | Description | Mitigation |
|---------|-------------|------------|
| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> `https://*.windowsupdate.microsoft.com` <br> `https://update.microsoft.com` <br> `https://*.update.microsoft.com` <br> `https://windowsupdate.com` <br> `https://*.windowsupdate.com` <br> `https://download.windowsupdate.com` <br> `https://*.download.windowsupdate.com` <br> `https://download.microsoft.com` <br> `https://*.download.windowsupdate.com` <br> `https://wustat.windows.com` <br> `https://*.wustat.windows.com` <br> `https://ntservicepack.microsoft.com` |
| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager. <br> Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/troubleshoot/mem/configmgr/troubleshoot-software-update-scan-failures). <br> If you're using the public Microsoft update servers, check that your device can access the following Windows Update endpoints: <br> `http://windowsupdate.microsoft.com` <br> `https://*.windowsupdate.microsoft.com` <br> `https://update.microsoft.com` <br> `https://*.update.microsoft.com` <br> `https://windowsupdate.com` <br> `https://*.windowsupdate.com` <br> `https://download.windowsupdate.com` <br> `https://*.download.windowsupdate.com` <br> `https://download.microsoft.com` <br> `https://*.download.windowsupdate.com` <br> `https://wustat.windows.com` <br> `https://*.wustat.windows.com` <br> `https://ntservicepack.microsoft.com` |
## 0x80240022
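Review bot: the WININET_E_CONNECTION_ABORTED row keeps the misspelling "sucesfull" (should be "successful") even though the line is rewritten for the apostrophe. In the WININET_E_TIMEOUT row, `https://*.download.windowsupdate.com` appears twice in the endpoint list (once after `https://download.windowsupdate.com` and again after `https://download.microsoft.com`); check which wildcard host was intended for the second slot and remove the duplicate, since anyone building a proxy allow-list from this table will copy it as-is. Also, *BITSADMIN /LIST /ALLUSERS /VERBOSE* is a command and belongs in backticks rather than italics.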
@ -1,7 +1,6 @@
---
title: Step by step - Deploy Windows 10 in a test lab using MDT
description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.localizationpriority: medium
ms.date: 10/11/2017
@ -9,15 +8,14 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
author: aczechowski
ms.topic: article
ms.topic: how-to
---
# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit
**Applies to**
- Windows 10
- Windows 10
> [!IMPORTANT]
> This guide leverages the proof of concept (PoC) environment configured using procedures in the following guide:
@ -62,18 +60,18 @@ MDT performs deployments by using the Lite Touch Installation (LTI), Zero Touch
```powershell
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0
Stop-Process -Name Explorer
```
2. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options. As of the writing of this guide, the latest version of MDT was 8443.
1. Download and install the 64-bit version of [Microsoft Deployment Toolkit (MDT)](https://www.microsoft.com/download/details.aspx?id=54259) on SRV1 using the default options.
3. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components.
1. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](/windows-hardware/get-started/adk-install) on SRV1 using the default installation settings. Installation might require several minutes to acquire all components.
3. If desired, re-enable IE Enhanced Security Configuration:
1. If desired, re-enable IE Enhanced Security Configuration:
```powershell
Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1
Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1
Stop-Process -Name Explorer
```
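Review bot: the step that re-enables IE Enhanced Security Configuration runs `Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1`, but `$AdminKey` is only assigned in the first block, two lengthy installs earlier; if the admin opens a new PowerShell session in between, `-Path $AdminKey` is null and the command fails, leaving the hardening switched off, so repeat the `$AdminKey = "HKLM:\SOFTWARE\..."` assignment in the second block. Replacing the curly quotes around IsInstalled with straight quotes is right for copy-and-paste, and using `1.` for every step fixes the old list, which numbered two consecutive steps as 3.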
@ -345,7 +343,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
In this example a **MachineObjectOU** entry is not provided. Normally this entry describes the specific OU where new client computer objects are created in Active Directory. However, for the purposes of this test lab clients are added to the default computers OU, which requires that this parameter be unspecified.
If desired, edit the follow line to include or exclude other users when migrating settings. Currently, the command is set to user exclude (ue) all users except for CONTOSO users specified by the user include option (ui):
```console
ScanStateArgs=/ue:*\* /ui:CONTOSO\*
```
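Review bot: the context line "edit the follow line to include or exclude other users" should read "edit the following line"; since this hunk is open for the whitespace change around the `ScanStateArgs` block, fix it here.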
@ -354,9 +352,9 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
```console
ScanStateArgs=/all
```
```
For more information, see [ScanState Syntax](/previous-versions/windows/it-pro/windows-vista/cc749015(v=ws.10)).
For more information, see [ScanState Syntax](/windows/deployment/usmt/usmt-scanstate-syntax).
4. Click **Edit Bootstap.ini** and replace text in the file with the following text:
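Review bot: two closing fences appear back to back after `ScanStateArgs=/all`; if the second one is in the file rather than a rendering artifact, remove it, because an unmatched fence opens a new code block that swallows the text that follows. Also, "Click **Edit Bootstap.ini**" misspells Bootstrap.ini, the MDT file this step edits. Moving the ScanState link from the previous-versions Vista page to /windows/deployment/usmt/usmt-scanstate-syntax is good.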
@ -641,12 +639,10 @@ Deployment logs are available on the client computer in the following locations:
You can review WDS events in Event Viewer at: **Applications and Services Logs > Microsoft > Windows > Deployment-Services-Diagnostics**. By default, only the **Admin** and **Operational** logs are enabled. To enable other logs, right-click the log and then click **Enable Log**.
Tools for viewing log files, and to assist with troubleshooting are available in the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012)
Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) for detailed troubleshooting information.
## Related Topics
[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)<BR>
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
[Microsoft Deployment Toolkit](/mem/configmgr/mdt/)
[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
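Review bot: this file keeps the heading "## Related Topics" while the first file in this change renames its heading to "## Related articles"; align the two while the section is being edited. Dropping `<BR>` and separating the links with blank lines matches what the first file does. The context line "Tools for viewing log files, and to assist with troubleshooting are available in the [Configuration Manager Toolkit](...)" has a spurious comma after "log files" and no closing period.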
@ -123,10 +123,7 @@ The procedures in this guide are summarized in the following table. An estimate
Stop-Process -Name Explorer
```
1. Download **Microsoft Endpoint Configuration Manager** on SRV1.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
1. Download [Microsoft Endpoint Configuration Manager (current branch)](https://www.microsoft.com/evalcenter/evaluate-microsoft-endpoint-configuration-manager) and extract the contents on SRV1.
1. Open the file, enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**. The `C:\configmgr` directory will be automatically created. Select **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
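Review bot: the new step says "download ... and extract the contents on SRV1", but the very next step is the extraction ("enter **C:\configmgr** for **Unzip to folder**, and select **Unzip**"), so "and extract the contents" duplicates it and makes the reader wonder whether two extractions are expected; write "Download [Microsoft Endpoint Configuration Manager (current branch)](...) to SRV1." and let the following step handle the unzip.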
@ -180,11 +180,9 @@ Starting with Windows 8, the host computer's microprocessor must support second
When you have completed installation of Hyper-V on the host computer, begin configuration of Hyper-V by downloading VHD and ISO files to the Hyper-V host. These files will be used to create the VMs used in the lab.
1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for **Windows Server** to the **C:\VHD** directory.
1. Create a directory on your Hyper-V host named **C:\VHD**. Download a single VHD file for [Windows Server](https://www.microsoft.com/evalcenter/evaluate-windows-server-2022) to the **C:\VHD** directory.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
>
> The currently available downloads are Windows Server 2019 or Windows Server 2022. The rest of this article refers to "Windows Server 2012 R2" and similar variations.
> [!IMPORTANT]
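Review bot: after the first paragraph of the note is removed, the block reads `> [!NOTE]` followed by a bare `>` before the remaining text, which renders as a leading empty line inside the note; delete the bare `>` line. The remaining note says the available downloads are Windows Server 2019 or Windows Server 2022, while the new link targets evaluate-windows-server-2022 only; either name only 2022 or link both.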
@ -194,10 +192,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
3. Copy the VHD to a second file also in the **C:\VHD** directory and name this VHD **2012R2-poc-2.vhd**.
4. Download the **Windows 10 Enterprise** ISO file to the **C:\VHD** directory on your Hyper-V host.
> [!NOTE]
> The Microsoft Evaluation Center is temporarily unavailable. To access this download, see [Accessing trials and kits for Windows (Eval Center workaround)](https://techcommunity.microsoft.com/t5/windows-11/accessing-trials-and-kits-for-windows-eval-center-workaround/m-p/3361125).<!-- 6049663 -->
4. Download the [Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) ISO file to the **C:\VHD** directory on your Hyper-V host.
You can select the type, version, and language of installation media to download. In this example, a Windows 10 Enterprise, 64 bit, English ISO is chosen. You can choose a different version.
@ -25,8 +25,13 @@
items:
- name: Add and verify admin contacts
href: deploy/windows-autopatch-admin-contacts.md
- name: Register your devices
href: deploy/windows-autopatch-register-devices.md
- name: Device registration
href:
items:
- name: Device registration overview
href: deploy/windows-autopatch-device-registration-overview.md
- name: Register your devices
href: deploy/windows-autopatch-register-devices.md
- name: Operate
href: operate/index.md
items:
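Review bot: the new "Device registration" parent node has an empty `href:`; the other parent node visible in this hunk ("Operate") points at an index page, and an empty value renders a non-clickable node. If that is intended, drop the key rather than leaving it blank; otherwise point it at deploy/windows-autopatch-device-registration-overview.md. Moving "Register your devices" under the new node is fine, but confirm no other TOC entry still lists it at the old level.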
@ -0,0 +1,59 @@
---
title: Device registration overview
description: This article provides and overview on how to register devices in Autopatch
ms.date: 07/28/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: andredm7
---
# Device registration overview
Windows Autopatch must [register your existing devices](windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf.
The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset.
The overall device registration process is:
:::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
1. IT admin identifies devices to be managed by Windows Autopatch and adds them into the **Windows Autopatch Device Registration** Azure Active Directory (AD) group.
1. Windows Autopatch then:
1. Performs device readiness prior registration (prerequisite checks).
1. Calculates the deployment ring distribution.
1. Assigns devices to one of the deployment rings based on the previous calculation.
1. Assigns devices to other Azure AD groups required for management.
1. Marks devices as active for management so it can apply its update deployment policies.
1. IT admin then monitors the device registration trends and the update deployment reports.
For more information about the device registration workflow, see the [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process.
## Detailed device registration workflow diagram
See the following detailed workflow diagram. The diagram covers the Windows Autopatch device registration process:
:::image type="content" source="../media/windows-autopatch-device-registration-workflow-diagram.png" alt-text="Detailed device registration workflow diagram" lightbox="../media/windows-autopatch-device-registration-workflow-diagram.png":::
| Step | Description |
| ----- | ----- |
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. |
| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.<ol><li>Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatch’s managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.</li><li>A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. 
To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.</li><ol><li>**If yes**, it means this device is enrolled into Intune.</li><li>**If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.</li></ol></ol></ol>|
| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li></ol> |
| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**</li><ol><li>This group has all devices managed by Windows Autopatch and that have Windows 10 installed.</li></ol><li>When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**</li><ol><li>This group has all devices managed by Windows Autopatch and that have Windows 11 installed.</li></ol><li>When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all virtual devices managed by Windows Autopatch.</li></ol> |
| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Ready** tab.</li><li>The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not ready** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Ready** tab.</li><li>If **not**, the device shows up in the **Not ready** tab.</li></ol> |
| **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
## Detailed prerequisite check workflow diagram
As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed.
:::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Detailed prerequisite check workflow diagram" lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png":::
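Review bot: In the Step 4 row, the sub-item "If the device is a Windows device or not" repeats the Intune device ID check from the item above it ("Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it", "If yes, it means this device is enrolled into Intune") instead of describing any operating-system check, so the OS prerequisite the heading promises is never explained; replace that nested text with the attribute the function actually evaluates, or fold the item into the Windows SKU family check that follows. Two smaller points in the same table: the Step 4 row is broken across two source lines after "associated with it anymore.", which a markdown table renderer will not treat as one row, and the Step 3 row has "gathers additional device attributes and saves it into its memory" where "them" is meant.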
@ -65,7 +65,7 @@ It's recommended to detect and clean up stale devices in Azure AD before registe
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture).
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
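Review bot: Replacing the "Supported Windows 10/11 Enterprise and Professional edition versions" bullet with the plain-text "Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture)." drops the only link to the supported-versions page (/windows/release-health/supported-versions-windows-client), which is what tells an admin whether a given build is still in support; keep that link on the new wording. The new bullet also names only Enterprise and Professional, while the prerequisites article touched in this same change lists Pro for Workstations as well, so the two pages now disagree on eligible editions. In the surrounding context, both the "Hybrid Azure AD-Joined" and "Azure AD-joined only" links point at the same concept-azure-ad-join-hybrid page.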
Binary file not shown.
After Width: | Height: | Size: 34 KiB |
Binary file not shown.
After Width: | Height: | Size: 560 KiB |
Binary file not shown.
After Width: | Height: | Size: 317 KiB |
@ -1,7 +1,7 @@
---
title: Unenroll your tenant
description: This article explains what unenrollment means for your organization and what actions you must take.
ms.date: 07/11/2022
ms.date: 07/27/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@ -22,7 +22,7 @@ If you're looking to unenroll your tenant from Windows Autopatch, this article d
Unenrolling from Windows Autopatch requires manual actions from both you and from the Windows Autopatch Service Engineering Team. The Windows Autopatch Service Engineering Team will:
- Remove Windows Autopatch access to your tenant.
- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in Deregister a device.
- Deregister your devices from the Windows Autopatch service. Deregistering your devices from Windows Autopatch won't remove your devices from Intune, Azure AD or Configuration Manager. The Windows Autopatch Service Engineering Team follows the same process and principles as laid out in [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices).
- Delete all data that we've stored in the Windows Autopatch data storage.
> [!NOTE]
@ -33,9 +33,7 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description |
| ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won’t make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../references/windows-autopatch-privacy.md). |
| Windows Autopatch cloud service accounts | Windows Autopatch will remove the cloud service accounts created during the enrollment process. The accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> |
| Conditional access policy | Windows Autopatch will remove the Modern Workplace – Secure Workstation conditional access policy. |
| Microsoft Endpoint Manager roles | Windows Autopatch will remove the Modern Workplace Intune Admin role. |
| Deregistering devices | Windows Autopatch will deregister all devices previously registered with the service. Only the Windows Autopatch device record will be deleted. We will not delete Microsoft Intune and/or Azure Active Directory device records. For more information, see [Deregister a device](/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices). |
## Your responsibilities after unenrolling your tenant
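Review bot: Deleting the three rows for the cloud service accounts (MsAdmin, MsAdminInt, MsTest), the Modern Workplace – Secure Workstation conditional access policy and the Modern Workplace Intune Admin role changes what Windows Autopatch does at unenrollment, but this table is now silent about those artifacts; add a row, or a sentence above the table, stating that they are left in place and that the customer is expected to remove them, so a reader of this table alone does not assume the service still cleans them up. Style point in the kept "Deregistering devices" row: "We will not delete" is the only uncontracted form in a table that otherwise uses "won’t".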
@ -43,6 +41,9 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| ----- | ----- |
| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. |
| Windows Autopatch cloud service accounts | After unenrollment, you may safely remove the cloud service accounts created during the enrollment process. The accounts are:<ul><li>MsAdmin</li><li>MsAdminInt</li><li>MsTest</li></ul> |
| Conditional access policy | After unenrollment, you may safely remove the **Modern Workplace – Secure Workstation** conditional access policy. |
| Microsoft Endpoint Manager roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
## Unenroll from Windows Autopatch
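Review bot: The three new rows say you "may safely remove" the MsAdmin, MsAdminInt and MsTest accounts, the Modern Workplace – Secure Workstation conditional access policy and the Modern Workplace Intune Admin role, but once the service no longer has access to the tenant these are orphaned privileged objects (an admin role, service sign-in accounts, a conditional access policy) that nobody is using or monitoring; the guidance should tell the customer to remove or at least disable them, not merely that it is safe to, and the Updates row in the same table already uses that firmer "You must ensure" register. Formatting: the conditional access policy name is bolded here but not in the row it replaces in the table above; pick one.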
@ -79,8 +79,6 @@ sections:
- Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel.
- Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates.
- Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates.
- question: What does Windows Autopatch do to ensure updates are done successfully?
answer: For information about the Microsoft Admin Center, see [Manage third-party app subscriptions for your organization](/microsoft-365/commerce/manage-saas-apps).
- question: What does Windows Autopatch do to ensure updates are done successfully?
answer: |
For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task.
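Review bot: Removing the first copy of "What does Windows Autopatch do to ensure updates are done successfully?" is right, since the question appeared twice and its answer (the Admin Center link to Manage third-party app subscriptions) did not match the question, but that dropped answer was presumably written for some other question in this FAQ; check that a question about the Microsoft Admin Center or third-party app subscriptions still exists elsewhere in the file, otherwise the content has been lost rather than de-duplicated. In the retained answer, "updates are applied to device in the Test ring first" should read "devices".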
@ -25,7 +25,7 @@ For each check, the tool will report one of four possible results:
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.<p><p>You can complete enrollment, but you must fix these issues before you deploy your first device. |
| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permission to run this check or your tenant is not properly licensed for Microsoft Intune. |
> [!NOTE]
> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies.
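Review bot: The reworded Error row now folds two different causes (the Azure AD role lacks permission, or the tenant is not licensed for Intune) into one result without saying how the admin can tell which one applies; either split them into two rows or add the distinguishing step, because the remediation differs (run the tool with a role that has the required permissions versus acquire Intune licensing). Also "is not properly licensed" breaks the contraction style used elsewhere in the table ("won’t", "don't").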
@ -39,11 +39,12 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol
| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
The following Windows 64-bit editions are required for Windows Autopatch:
The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:
- Windows 10/11 Pro
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
- x64 architecture
- Windows 10 (1809+)/11 Pro
- Windows 10 (1809+)/11 Enterprise
- Windows 10 (1809+)/11 Pro for Workstations
## Configuration Manager Co-management requirements
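Review bot: The new lead sentence "The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch:" reads awkwardly and names Windows 10 only, while every bullet under it says Windows 10/11; suggest "The following Windows 10 (version 1809 or later) and Windows 11 editions and architecture are supported in Windows Autopatch:". Stating the minimum build once in that sentence would also remove the "(1809+)" suffix now repeated on all three edition bullets. Since "- x64 architecture" has been added as the first bullet, "editions" no longer describes every item in the list, which is another reason to fix the lead sentence.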
@ -45,7 +45,7 @@ items:
topicHref: /windows/security/threat-protection/auditing/security-auditing-overview
- name: Microsoft Defender Application Guard
tocHref: /windows/security/threat-protection/microsoft-defender-application-guard/
topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/
topicHref: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
- name: Security policy settings
tocHref: /windows/security/threat-protection/security-policy-settings/
topicHref: /windows/security/threat-protection/security-policy-settings/security-policy-settings
@ -54,4 +54,4 @@ items:
topicHref: /windows/security/threat-protection/windows-defender-application-control/
- name: Windows Defender Firewall
tocHref: /windows/security/threat-protection/windows-firewall/
topicHref: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security
topicHref: /windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security
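Review bot: The removed and added topicHref lines for Windows Defender Firewall read identically, so the change is presumably a trailing-whitespace or end-of-file newline fix; that is worth stating in the PR description, since otherwise the next reader has to diff the two lines by eye to confirm nothing in the path changed.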
@ -316,6 +316,8 @@
href: identity-protection/credential-guard/credential-guard-known-issues.md
- name: Protect Remote Desktop credentials with Remote Credential Guard
href: identity-protection/remote-credential-guard.md
- name: Configuring LSA Protection
href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json
- name: Technical support policy for lost or forgotten passwords
href: identity-protection/password-support-policy.md
- name: Access Control Overview
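Review bot: The new "Configuring LSA Protection" entry links out of this repo with "?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json"; the breadcrumb file that bc= points to is only being added in this same commit (windows/security/breadcrumb/toc.yml), so the two must ship together or the parameter references a file that does not exist yet. Style: the neighbouring entries use imperative phrasing ("Protect Remote Desktop credentials with Remote Credential Guard"), so "Configure LSA protection" would match the rest of the list.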
12
windows/security/breadcrumb/toc.yml
Normal file
@ -0,0 +1,12 @@
items:
- name: Docs
tocHref: /
topicHref: /
items:
- name: Windows
tocHref: /windows/
topicHref: /windows/resources/
items:
- name: Security
tocHref: /windows/security/
topicHref: /windows/security/
@ -10,7 +10,7 @@ ms.collection:
- highpri
ms.topic: article
ms.localizationpriority: medium
ms.date: 02/28/2019
ms.date: 06/17/2022
---
# Local Accounts
@ -21,13 +21,13 @@ ms.date: 02/28/2019
- Windows Server 2019
- Windows Server 2016
This reference topic for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.
This reference article for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server.
## <a href="" id="about-local-user-accounts-"></a>About local user accounts
Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users.
This topic describes the following:
This article describes the following:
- [Default local user accounts](#sec-default-accounts)
@ -57,9 +57,9 @@ For information about security principals, see [Security Principals](security-pr
The default local user accounts are built-in accounts that are created automatically when you install Windows.
After Windows is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.
After Windows is installed, the default local user accounts can't be removed or deleted. In addition, default local user accounts don't provide access to network resources.
Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this topic.
Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this article.
Default local user accounts are described in the following sections.
@ -69,23 +69,23 @@ The default local Administrator account is a user account for the system adminis
The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.
The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
The default Administrator account can't be deleted or locked out, but it can be renamed or disabled.
From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation.
**Account group membership**
By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.
By default, the Administrator account is installed as a member of the Administrators group on the server. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.
The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed.
The Administrator account can't be deleted or removed from the Administrators group, but it can be renamed.
**Security considerations**
Because the Administrator account is known to exist on many versions of the Windows operating system, it is a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.
You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732112(v=ws.11)) and [Rename a local user account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725595(v=ws.11)).
As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)).
As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Don't use the Administrator account to sign in to your computer unless it's entirely necessary. For more information, see [Run a program with administrative credentials](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732200(v=ws.11)).
In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers.
@ -99,7 +99,7 @@ In this case, Group Policy can be used to enable secure settings that can contro
### <a href="" id="sec-guest"></a>Guest account
The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary.
The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it's a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is entirely necessary.
**Account group membership**
@ -107,26 +107,26 @@ By default, the Guest account is the only member of the default Guests group (SI
**Security considerations**
When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers.
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.
## <a href="" id="sec-helpassistant"></a>HelpAssistant account (installed with a Remote Assistance session)
The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
|
||||
HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the users invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
|
||||
|
||||
**Security considerations**
|
||||
|
||||
The SIDs that pertain to the default HelpAssistant account include:
|
||||
|
||||
- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
|
||||
- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services are called Terminal Services.
|
||||
|
||||
- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
|
||||
|
||||
For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
|
||||
For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.
|
||||
|
||||
For details about the HelpAssistant account attributes, see the following table.
|
||||
|
||||
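Review bot: the possessive is lost in the rewritten HelpAssistant paragraph: "After the users invitation for a Remote Assistance session is accepted" should read "After the user's invitation ..." (the curly apostrophe in the original line was dropped instead of being straightened). While the SID bullets are being touched, the well-known SIDs for Terminal Server User and Remote Interactive Logon are S-1-5-13 and S-1-5-14 with no domain component, so "S-1-5-<domain>-13" and "S-1-5-<domain>-14" are wrong, and the unescaped `<domain>` is also at risk of being swallowed as an HTML tag when the page renders.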
@ -140,14 +140,14 @@ For details about the HelpAssistant account attributes, see the following table.
|
||||
|Default members|None|
|
||||
|Default member of|Domain Guests<br/><br/>Guests|
|
||||
|Protected by ADMINSDHOLDER?|No|
|
||||
|Safe to move out of default container?|Can be moved out, but we do not recommend it.|
|
||||
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|
||||
|Safe to delegate management of this group to non-Service admins?|No|
|
||||
|
||||
### DefaultAccount
|
||||
|
||||
The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016.
|
||||
The DSMA is a well-known user account type.
|
||||
It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
|
||||
It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.
|
||||
The DSMA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop.
|
||||
|
||||
The DSMA has a well-known RID of 503. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: S-1-5-21-\<ComputerIdentifier>-503
|
||||
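Review bot: the contraction pass skipped two wording problems in the DefaultAccount intro it rewrites. "user neutral" should be hyphenated ("a user-neutral account"), and "disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop" needs "Windows" capitalized and the abbreviation spelled out, for example "Windows Server 2016 with Desktop Experience" if that is the install option meant.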
@ -167,24 +167,24 @@ Today, Xbox automatically signs in as Guest account and all apps run in this con
|
||||
All the apps are multi-user-aware and respond to events fired by user manager.
|
||||
The apps run as the Guest account.
|
||||
|
||||
Similarly, Phone auto logs in as a “DefApps” account which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.
|
||||
Similarly, Phone auto logs in as a “DefApps” account, which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account.
|
||||
|
||||
In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
|
||||
For this purpose, the system creates DSMA.
|
||||
|
||||
#### How the DefaultAccount gets created on domain controllers
|
||||
|
||||
If the domain was created with domain controllers that run Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain.
|
||||
If the domain was created with domain controllers that run an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain.
|
||||
If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain.
|
||||
If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain.
|
||||
|
||||
#### Recommendations for managing the Default Account (DSMA)
|
||||
|
||||
Microsoft does not recommend changing the default configuration, where the account is disabled. There is no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
|
||||
Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
|
||||
|
||||
## <a href="" id="sec-localsystem"></a>Default local system accounts
|
||||
|
||||
### SYSTEM
|
||||
The SYSTEM account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It is an internal account that does not show up in User Manager, and it cannot be added to any groups.
|
||||
The SYSTEM account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.
|
||||
|
||||
On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.
|
||||
|
||||
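Review bot: the SYSTEM paragraph being rewritten still points readers at tools that no longer exist: "User Manager" and "File Manager" are Windows NT-era names. Since the sentence is changing anyway, say where the account is and isn't visible today (it doesn't appear in Local Users and Groups; it does appear on the Security tab of an NTFS object's properties in File Explorer). Also, the domain controller paragraph names "Windows Server 2016" as the version whose PDC Emulator creates DefaultAccount; consider "Windows Server 2016 or later" so the sentence stays correct for newer PDC Emulators.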
@ -200,22 +200,22 @@ The LOCAL SERVICE account is a predefined local account used by the service cont
|
||||
## <a href="" id="sec-manage-accounts"></a>How to manage local user accounts
|
||||
|
||||
|
||||
The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)).
|
||||
The default local user accounts, and the local user accounts you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)).
|
||||
|
||||
You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.
|
||||
You can use Local Users and Groups to assign rights and permissions on only the local server to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.
|
||||
|
||||
You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
|
||||
You can't use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that aren't domain controllers on the network.
|
||||
|
||||
> [!NOTE]
|
||||
> You use Active Directory Users and Computers to manage users and groups in Active Directory.
|
||||
|
||||
You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies.
|
||||
You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using various PowerShell cmdlets and other scripting technologies.
|
||||
|
||||
### <a href="" id="sec-restrict-protect-accounts"></a>Restrict and protect local accounts with administrative rights
|
||||
|
||||
An administrator can use a number of approaches to prevent malicious users from using stolen credentials, such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights; this is also called "lateral movement".
|
||||
An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement".
|
||||
|
||||
The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks, for example, to browse the Internet, send email, or use a word processor. When you want to perform an administrative task, for example, to install a new program or to change a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
|
||||
The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.
|
||||
|
||||
The other approaches that can be used to restrict and protect user accounts with administrative rights include:
|
||||
|
||||
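Review bot: the rewritten lateral-movement sentence is still ungrammatical: "prevent malicious users from using stolen credentials ... from being used to authenticate on another computer" has two competing "from" clauses. Suggested: "An administrator can use several approaches to prevent stolen credentials for a local account on one computer, such as a password or password hash, from being used to authenticate with administrative rights on another computer. This is also called "lateral movement"." The Local Users and Groups pair of sentences also reads as a contradiction ("You can't use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller ..."); clarify that the snap-in can't manage accounts on the domain controller itself, because a DC has no local accounts after promotion, but can be pointed at other computers on the network.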
@ -240,16 +240,18 @@ UAC makes it possible for an account with administrative rights to be treated as
|
||||
|
||||
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
|
||||
|
||||
For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
|
||||
For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it's issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon can't access administrative shares such as C$, or ADMIN$, or perform any remote administration.
|
||||
|
||||
For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview).
|
||||
|
||||
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
|
||||
|
||||
<!-- MicrosoftDocs/windows-itpro-docs/issues/7146 start line 254-->
|
||||
|
||||
|No.|Setting|Detailed Description|
|
||||
|--- |--- |--- |
|
||||
||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
|
||||
|1|Policy name|[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)|
|
||||
|1|Policy name|[User Account Control: Admin Approval Mode for the Built-in Administrator account](/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account)|
|
||||
||Policy setting|Enabled|
|
||||
|2|Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
|
||||
||Policy name|[User Account Control: Run all administrators in Admin Approval Mode](/windows/device-security/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode)|
|
||||
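Review bot: the table rows are numbered inconsistently after this change: setting 1 puts its number on the "Policy name" row and leaves the "Policy location" row blank, while setting 2 puts its number on the "Policy location" row. Pick one placement (the location row, as row 2 does) for both. The new HTML comment `<!-- MicrosoftDocs/windows-itpro-docs/issues/7146 start line 254-->` ties the marker to a file line number that will drift with the next edit; reference the issue alone or drop the marker once the fix is in. Minor: "issued a standard user token with no administrative rights, but without the ability to request or receive elevation" wants "and" rather than "but".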
@ -262,7 +264,6 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
> [!NOTE]
|
||||
> You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates.
|
||||
|
||||
|
||||
#### To enforce local account restrictions for remote access
|
||||
|
||||
1. Start the **Group Policy Management** Console (GPMC).
|
||||
@ -281,7 +282,7 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
|
||||

|
||||
|
||||
6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
|
||||
6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by following these steps:
|
||||
|
||||
1. Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and > **Security Options**.
|
||||
|
||||
@ -289,7 +290,7 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
|
||||
3. Double-click **User Account Control: Admin Approval Mode for the Built-in Administrator account** > **Enabled** > **OK**.
|
||||
|
||||
7. Ensure that the local account restrictions are applied to network interfaces by doing the following:
|
||||
7. Ensure that the local account restrictions are applied to network interfaces by following these steps:
|
||||
|
||||
1. Navigate to Computer Configuration\\Preferences and Windows Settings, and > **Registry**.
|
||||
|
||||
@ -301,7 +302,7 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
|
||||
4. Ensure that the **Hive** box is set to **HKEY\_LOCAL\_MACHINE**.
|
||||
|
||||
5. Click (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.
|
||||
5. Select (**…**), browse to the following location for **Key Path** > **Select** for: **SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System**.
|
||||
|
||||
6. In the **Value name** area, type **LocalAccountTokenFilterPolicy**.
|
||||
|
||||
@ -321,7 +322,7 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
|
||||

|
||||
|
||||
3. Select the GPO that you just created, and > **OK**.
|
||||
3. Select the GPO that you created, and > **OK**.
|
||||
|
||||
9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
|
||||
|
||||
@ -331,7 +332,7 @@ The following table shows the Group Policy and registry settings that are used t
|
||||
|
||||
### <a href="" id="sec-deny-network-logon"></a>Deny network logon to all local Administrator accounts
|
||||
|
||||
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that the credentials for local accounts that are stolen from a compromised operating system cannot be used to compromise additional computers that use the same credentials.
|
||||
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.
|
||||
|
||||
> [!NOTE]
|
||||
> To perform this procedure, you must first identify the name of the local, default Administrator account, which might not be the default user name "Administrator", and any other accounts that are members of the local Administrators group.
|
||||
@ -357,7 +358,7 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
|
||||
3. In the console tree, right-click **Group Policy Objects**, and > **New**.
|
||||
|
||||
4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
|
||||
4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in to the computer.
|
||||
|
||||

|
||||
|
||||
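Review bot: step 4's rewritten sentence is still broken and now says the wrong thing: "type <gpo_name>, and then > OK where gpo_name is the name of the new GPO indicates that it's being used to restrict the local administrative accounts from interactively signing in" runs two clauses together, and this procedure (section "Deny network logon to all local Administrator accounts", with steps 6 and 7 setting "Deny access to this computer from the network" and "Deny log on through Remote Desktop Services") denies network and Remote Desktop logons, not interactive ones. Suggested: "... where gpo_name is a name that indicates the GPO is used to deny network and Remote Desktop logons to local administrative accounts."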
@ -371,15 +372,15 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
|
||||
2. Double-click **Deny access to this computer from the network**.
|
||||
|
||||
3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
|
||||
3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
|
||||
|
||||
7. Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
|
||||
|
||||
1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
|
||||
1. Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then select **User Rights Assignment**.
|
||||
|
||||
2. Double-click **Deny log on through Remote Desktop Services**.
|
||||
|
||||
3. Click **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
|
||||
3. Select **Add User or Group**, type **Local account and member of Administrators group**, and > **OK**.
|
||||
|
||||
8. Link the GPO to the first **Workstations** OU as follows:
|
||||
|
||||
@ -387,7 +388,7 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
|
||||
2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
|
||||
|
||||
3. Select the GPO that you just created, and > **OK**.
|
||||
3. Select the GPO that you created, and > **OK**.
|
||||
|
||||
9. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy.
|
||||
|
||||
@ -401,9 +402,9 @@ The following table shows the Group Policy settings that are used to deny networ
|
||||
|
||||
### <a href="" id="sec-create-unique-passwords"></a>Create unique passwords for local accounts with administrative rights
|
||||
|
||||
Passwords should be unique per individual account. While this is generally true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.
|
||||
Passwords should be unique per individual account. While it's true for individual user accounts, many enterprises have identical passwords for common local accounts, such as the default Administrator account. This also occurs when the same passwords are used for local accounts during operating system deployments.
|
||||
|
||||
Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hampers the ability of malicious users to use password hashes of those accounts to compromise other computers.
|
||||
Passwords that are left unchanged or changed synchronously to keep them identical add a significant risk for organizations. Randomizing the passwords mitigates "pass-the-hash" attacks by using different passwords for local accounts, which hamper the ability of malicious users to use password hashes of those accounts to compromise other computers.
|
||||
|
||||
Passwords can be randomized by:
|
||||
|
||||
|
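Review bot: two of the rewrites in the unique-passwords section change the meaning. "While it's true for individual user accounts" no longer says what the original did (that unique passwords are generally the practice for individual user accounts); suggest "While that's usually the case for individual user accounts". And "which hamper the ability" introduces a subject-verb mismatch: the antecedent is "Randomizing the passwords" (singular), so keep "which hampers".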
@ -16,15 +16,15 @@ ms.reviewer:
|
||||
# Special Identities
|
||||
|
||||
**Applies to**
|
||||
- Windows Server 2016 or later
|
||||
|
||||
- Windows Server 2016 or later
|
||||
|
||||
This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
|
||||
|
||||
Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can:
|
||||
|
||||
- Assign user rights to security groups in Active Directory.
|
||||
|
||||
- Assign permissions to security groups for the purpose of accessing resources.
|
||||
- Assign user rights to security groups in Active Directory.
|
||||
- Assign permissions to security groups for the purpose of accessing resources.
|
||||
|
||||
Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances.
|
||||
|
||||
@ -34,61 +34,47 @@ For information about security groups and group scope, see [Active Directory Sec
|
||||
|
||||
The special identity groups are described in the following tables:
|
||||
|
||||
- [Anonymous Logon](#anonymous-logon)
|
||||
|
||||
- [Authenticated Users](#authenticated-users)
|
||||
|
||||
- [Batch](#batch)
|
||||
|
||||
- [Creator Group](#creator-group)
|
||||
|
||||
- [Creator Owner](#creator-owner)
|
||||
|
||||
- [Dialup](#dialup)
|
||||
|
||||
- [Digest Authentication](#digest-authentication)
|
||||
|
||||
- [Enterprise Domain Controllers](#enterprise-domain-controllers)
|
||||
|
||||
- [Everyone](#everyone)
|
||||
|
||||
- [Interactive](#interactive)
|
||||
|
||||
- [Local Service](#local-service)
|
||||
|
||||
- [LocalSystem](#localsystem)
|
||||
|
||||
- [Network](#network)
|
||||
|
||||
- [Network Service](#network-service)
|
||||
|
||||
- [NTLM Authentication](#ntlm-authentication)
|
||||
|
||||
- [Other Organization](#other-organization)
|
||||
|
||||
- [Principal Self](#principal-self)
|
||||
|
||||
- [Remote Interactive Logon](#remote-interactive-logon)
|
||||
|
||||
- [Restricted](#restricted)
|
||||
|
||||
- [SChannel Authentication](#schannel-authentication)
|
||||
|
||||
- [Service](#service)
|
||||
|
||||
- [Terminal Server User](#terminal-server-user)
|
||||
|
||||
- [This Organization](#this-organization)
|
||||
|
||||
- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
|
||||
- [Anonymous Logon](#anonymous-logon)
|
||||
- [Attested Key Property](#attested-key-property)
|
||||
- [Authenticated Users](#authenticated-users)
|
||||
- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity)
|
||||
- [Batch](#batch)
|
||||
- [Console Logon](#console-logon)
|
||||
- [Creator Group](#creator-group)
|
||||
- [Creator Owner](#creator-owner)
|
||||
- [Dialup](#dialup)
|
||||
- [Digest Authentication](#digest-authentication)
|
||||
- [Enterprise Domain Controllers](#enterprise-domain-controllers)
|
||||
- [Everyone](#everyone)
|
||||
- [Fresh Public Key Identity](#fresh-public-key-identity)
|
||||
- [Interactive](#interactive)
|
||||
- [IUSR](#iusr)
|
||||
- [Key Trust](#key-trust)
|
||||
- [Local Service](#local-service)
|
||||
- [LocalSystem](#localsystem)
|
||||
- [MFA Key Property](#mfa-key-property)
|
||||
- [Network](#network)
|
||||
- [Network Service](#network-service)
|
||||
- [NTLM Authentication](#ntlm-authentication)
|
||||
- [Other Organization](#other-organization)
|
||||
- [Owner Rights](#owner-rights)
|
||||
- [Principal Self](#principal-self)
|
||||
- [Proxy](#proxy)
|
||||
- [Remote Interactive Logon](#remote-interactive-logon)
|
||||
- [Restricted](#restricted)
|
||||
- [SChannel Authentication](#schannel-authentication)
|
||||
- [Service](#service)
|
||||
- [Service Asserted Identity](#service-asserted-identity)
|
||||
- [Terminal Server User](#terminal-server-user)
|
||||
- [This Organization](#this-organization)
|
||||
- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
|
||||
|
||||
## Anonymous Logon
|
||||
|
||||
|
||||
Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
|
||||
| Well-Known SID/RID | S-1-5-7 |
|
||||
|Object Class| Foreign Security Principal|
|
||||
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|
||||
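Review bot: the expanded list now links to headings that don't appear anywhere in this diff: Fresh Public Key Identity, IUSR, Key Trust, MFA Key Property, Owner Rights, Proxy and Service Asserted Identity. Confirm each has a matching `##` section further down so the `#...` anchors resolve, otherwise the build will report broken links. Smaller point: centering both columns with `| :--: | :--: |` makes the attribute/value tables harder to scan than left alignment (`|--- |--- |`), which is the style the UAC settings table elsewhere in this same change uses.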
@ -96,11 +82,10 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo
|
||||
|
||||
## Attested Key Property
|
||||
|
||||
|
||||
A SID that means the key trust object had the attestation property.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
|
||||
| Well-Known SID/RID | S-1-18-6 |
|
||||
|Object Class| Foreign Security Principal|
|
||||
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|
||||
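Review bot: the Attested Key Property description is a fragment ("A SID that means the key trust object had the attestation property.") that doesn't tell an admin when they would see it. Spell out the scenario the S-1-18-6 identity covers: it's added to the token when the key used for the sign-in (key trust) carried an attestation property, so it can be used in ACLs and policy conditions but has no membership to manage. The same terseness applies to the Authentication Authority Asserted Identity (S-1-18-1) entry later in the diff; a sentence contrasting it with the Service Asserted Identity entry in the list would help. Also, "Default Location in Active Directory: cn=WellKnown Security Principals, ..." is repeated verbatim for every identity, including these new S-1-18 ones and Console Logon; confirm each really exists in that container before copying the row.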
@ -108,11 +93,10 @@ A SID that means the key trust object had the attestation property.
|
||||
|
||||
## Authenticated Users
|
||||
|
||||
|
||||
Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
|
||||
| Well-Known SID/RID | S-1-5-11 |
|
||||
|Object Class| Foreign Security Principal|
|
||||
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|
||||
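Review bot: "Any user who accesses the system through a sign-in process has the Authenticated Users identity" is too broad next to the Anonymous Logon section, which already notes that Anonymous Logon isn't in Everyone. State explicitly that Authenticated Users excludes Anonymous Logon and the Guest account, since that exclusion is the reason to ACL shares with Authenticated Users rather than Everyone.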
@ -120,11 +104,10 @@ Any user who accesses the system through a sign-in process has the Authenticated
|
||||
|
||||
## Authentication Authority Asserted Identity
|
||||
|
||||
|
||||
A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
|
||||
| Well-Known SID/RID | S-1-18-1 |
|
||||
|Object Class| Foreign Security Principal|
|
||||
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|
||||
@ -132,11 +115,10 @@ A SID that means the client's identity is asserted by an authentication authorit
|
||||
|
||||
## Batch
|
||||
|
||||
|
||||
Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
|
||||
| Well-Known SID/RID | S-1-5-3 |
|
||||
|Object Class| Foreign Security Principal|
|
||||
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|
||||
@ -144,11 +126,10 @@ Any user or process that accesses the system as a batch job (or through the batc
|
||||
|
||||
## Console Logon
|
||||
|
||||
|
||||
A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
|
||||
| Well-Known SID/RID | S-1-2-1 |
|
||||
|Object Class| Foreign Security Principal|
|
||||
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|
||||
@ -156,13 +137,12 @@ A group that includes users who are logged on to the physical console. This SID
|
||||
|
||||
## Creator Group
|
||||
|
||||
|
||||
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
|
||||
|
||||
A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
|
||||
|
||||
| Attribute | Value |
|
||||
| :--: | :--: |
|
||||
| :--: | :--: |
| Well-Known SID/RID | S-1-3-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -170,11 +150,10 @@ A placeholder security identifier (SID) is created in an inheritable access cont
## Creator Owner
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-3-0 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -182,11 +161,10 @@ The person who created the file or the directory is a member of this special ide
## Dialup
Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
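Review bot: the heading in this hunk says `Dialup` while the description calls it the `Dial-Up identity`; pick one spelling and use it in both places so the section name and the identity name match.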
@ -194,9 +172,8 @@ Any user who accesses the system through a dial-up connection has the Dial-Up id
## Digest Authentication
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-64-21 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
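Review bot: the Digest Authentication section in this hunk has no descriptive sentence between the heading and the attribute table, unlike the surrounding sections; add one stating that S-1-5-64-21 is the SID placed in a token when the client was authenticated by the Digest package. The NTLM Authentication (S-1-5-64-10) and SChannel Authentication (S-1-5-64-14) sections later in this file have the same gap and should get the matching sentence.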
@ -204,11 +181,10 @@ Any user who accesses the system through a dial-up connection has the Dial-Up id
## Enterprise Domain Controllers
This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-9 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -216,15 +192,14 @@ This group includes all domain controllers in an Active Directory forest. Domain
## Everyone
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1).
Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-1-0 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
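Review bot: the removed and added copies of the Everyone paragraph in this hunk render identically, so this looks like a whitespace-only change; while the paragraph is open, consider writing the registry value as **EveryoneIncludesAnonymous** for readability (registry value names are case-insensitive, so behaviour is unchanged) and splitting the long sentence after "Authenticated Users and Guest", since the parenthetical about setting the DWORD to 1 is the part an administrator needs to find quickly.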
@ -232,11 +207,10 @@ Membership is controlled by the operating system.
## Fresh Public Key Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-3 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -244,11 +218,10 @@ A SID that means the client's identity is asserted by an authentication authorit
## Interactive
Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -256,11 +229,10 @@ Any user who is logged on to the local system has the Interactive identity. This
## IUSR
Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-17 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -268,11 +240,10 @@ Internet Information Services (IIS) uses this account by default whenever anonym
## Key Trust
A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -280,11 +251,10 @@ A SID that means the client's identity is based on proof of possession of public
## Local Service
The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-19 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -292,12 +262,10 @@ The Local Service account is similar to an Authenticated User account. The Local
## LocalSystem
This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-18 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
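Review bot: "The name of the account is LocalSystem" in this hunk is inconsistent with the Local Service and Network Service sections of this file, which give the account names as NT AUTHORITY\\LocalService and NT AUTHORITY\\NetworkService; use the same form here (NT AUTHORITY\\SYSTEM) so a reader can match it against what appears in service configuration and in ACLs, and keep the "Do not change the default service setting" warning, since the preceding sentence about domain-wide access on a domain controller is the reason for it.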
@ -305,11 +273,10 @@ This is a service account that is used by the operating system. The LocalSystem
## MFA Key Property
A SID that means the key trust object had the multifactor authentication (MFA) property.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-5 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -320,7 +287,7 @@ A SID that means the key trust object had the multifactor authentication (MFA) p
This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-2 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -328,11 +295,10 @@ This group implicitly includes all users who are logged on through a network con
## Network Service
The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-20 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -340,9 +306,8 @@ The Network Service account is similar to an Authenticated User account. The Net
## NTLM Authentication
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-64-10 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -350,11 +315,10 @@ The Network Service account is similar to an Authenticated User account. The Net
## Other Organization
This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-1000 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
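Review bot: the Other Organization description in this hunk, "all users who are logged on to the system through a dial-up connection", repeats the Dialup (S-1-5-1) text from earlier in this file; S-1-5-1000 is not a dial-up identity, so the sentence should say what it actually marks, users and computers from another organization (the counterpart of This Organization, S-1-5-15, later in the file). The "Membership is controlled by the operating system" sentence can stay as is.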
@ -362,11 +326,10 @@ This group implicitly includes all users who are logged on to the system through
## Owner Rights
A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-3-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -374,11 +337,10 @@ A group that represents the current owner of the object. When an ACE that carrie
## Principal Self
This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-10 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -386,11 +348,10 @@ This identity is a placeholder in an ACE on a user, group, or computer object in
## Proxy
Identifies a SECURITY_NT_AUTHORITY Proxy.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-8 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -398,11 +359,10 @@ Identifies a SECURITY_NT_AUTHORITY Proxy.
## Remote Interactive Logon
This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-14|
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -410,11 +370,10 @@ This identity represents all users who are currently logged on to a computer by
## Restricted
Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-12 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -422,9 +381,8 @@ Users and computers with restricted capabilities have the Restricted identity. T
## SChannel Authentication
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-64-14 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -432,12 +390,10 @@ Users and computers with restricted capabilities have the Restricted identity. T
## Service
Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-6 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -445,11 +401,10 @@ Any service that accesses the system has the Service identity. This identity gro
## Service Asserted Identity
A SID that means the client's identity is asserted by a service.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-2 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -457,11 +412,10 @@ A SID that means the client's identity is asserted by a service.
## Terminal Server User
Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-13 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
@ -469,18 +423,17 @@ Any user accessing the system through Terminal Services has the Terminal Server
## This Organization
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-15 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None |
|Default User Rights| None |
## Window Manager\\Window Manager Group
| Attribute | Value |
| :--: | :--: |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-90 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
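Review bot: `|Default User Rights| None |` appears twice in this hunk (the removed and the added line, identical as rendered), which is harmless, but the new Window Manager\\Window Manager Group section has neither a descriptive sentence nor a Default User Rights row, and the This Organization section above it is missing its description as well, while every other section in this file has both; add a one-line description for each and the missing table row so the two sections match the rest of the file.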
@ -12,46 +12,56 @@ ms.date: 01/26/2022
ms.reviewer:
---
# Windows Defender Credential Guard: Known issues
# Windows Defender Credential Guard: Known issues
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033):
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. So applications that require such capabilities won't function when it's enabled. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: <br>
"Task Scheduler failed to log on ‘\Test’. <br>
Failure occurred in ‘LogonUserExEx’. <br>
User Action: Ensure the credentials for the task are correctly specified. <br>
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
> Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004
Task Category: Auditing NTLM
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: \<Secure Channel Name>
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
The following known issues have been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4):
- Scheduled tasks with domain user-stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
```console
Task Scheduler failed to log on '\Test'.
Failure occurred in 'LogonUserExEx'.
User Action: Ensure the credentials for the task are correctly specified.
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).
```
- When you enable NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. You also get a similar user name in a user logon failure event 4625 with error 0xC0000064 on the machine itself. For example:
```console
Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004
Task Category: Auditing NTLM
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: <Secure Channel Name>
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
- This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
```
- This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts aren't protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/topic/april-11-2017-kb4015217-os-build-14393-1066-and-14393-1083-b5f79067-98bd-b4ec-8b81-5d858d7dc722)
This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
This issue can potentially lead to unexpected account lockouts. For more information, see the following support articles:
- [KB4015219](https://support.microsoft.com/topic/april-11-2017-kb4015219-os-build-10586-873-68b8e379-aafa-ea6c-6b29-56d19785e657)
- [KB4015221](https://support.microsoft.com/topic/april-11-2017-kb4015221-os-build-10240-17354-743f52bc-a484-d23f-71f5-b9957cbae0e6)
## Known issues involving third-party applications
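Review bot: the new lead-in says these issues have been "fixed in the Cumulative Security Update for November 2017", yet the sub-bullets under the Event ID 8004 item say the event "stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled", so the second item reads as behaviour that still occurs after the fix rather than one that was fixed; reword the lead-in or move that item under its own heading so a reader knows which behaviour is resolved and which is expected, with the workaround (run the task as a domain user or SYSTEM) kept next to it. A smaller point in the same hunk: inside the new ```console block the line `Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect).` keeps markdown backslash escapes, which are rendered literally inside a fence; drop them so the block matches the real Task Scheduler message.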
@ -59,61 +69,47 @@ The following issue affects MSCHAPv2:
- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
The following issue affects the Java GSS API. See the following Oracle bug database article:
The following issue affects the Java GSS API. See the following Oracle bug database article:
- [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
When Windows Defender Credential Guard is enabled on Windows, the Java GSS API won't authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and won't provide the TGT session key to applications regardless of registry key settings. For more information, see [Application requirements](credential-guard-requirements.md#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
*Registration required to access this article.
- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)
The following issue affects McAfee Application and Change Control (MACC):
- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
The following issue affects AppSense Environment Manager.
For more information, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kcm.trellix.com/corporate/index?page=content&id=KB88869) <sup>[Note 1](#bkmk_note1)</sup>
The following issue affects Citrix applications:
- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[Note 1](#bkmk_note1)</sup>
- [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage)
For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)
\** Registration is required to access this article.
<a name="bkmk_note1"></a>
> [!NOTE]
> **Note 1**: Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016, or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see [KB4032786 High CPU usage in the LSAISO process on Windows](/troubleshoot/windows-client/performance/lsaiso-process-high-cpu-usage).
>
> For more technical information on LSAISO.exe, see [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes).
## Vendor support
See the following article on Citrix support for Secure Boot:
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
For more information on Citrix support for Secure Boot, see [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Windows Defender Credential Guard isn't supported by either these products, products versions, computer systems, or Windows 10 versions:
Windows Defender Credential Guard isn't supported by the following products, products versions, computer systems, or Windows 10 versions:
- For Windows Defender Credential Guard on Windows with McAfee Encryption products, see:
[Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
|
||||
- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009)
|
||||
|
||||
- For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see:
|
||||
[Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
|
||||
- [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
|
||||
|
||||
- For Windows Defender Credential Guard on Windows with VMWare Workstation
|
||||
[Windows host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
|
||||
- ["VMware Workstation and Device/Credential Guard are not compatible" error in VMware Workstation on Windows 10 host (2146361)](https://kb.vmware.com/s/article/2146361)
|
||||
|
||||
- For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad
|
||||
[ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
|
||||
- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows](https://support.lenovo.com/in/en/solutions/ht503039)
|
||||
|
||||
- For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection
|
||||
[Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
|
||||
- [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
|
||||
|
||||
This isn't a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
|
||||
This list isn't comprehensive. Check whether your product vendor, product version, or computer system supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
|
||||
|
||||
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
|
||||
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
|
||||
|
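Review bot: the updated McAfee/Trellix link duplicates the article ID in its query string, `https://kcm.trellix.com/corporate/index?page=content&id=KB86009KB86009`; the line it replaces used `id=KB86009`, so the new URL should presumably end in `&id=KB86009`. Two smaller points in the same region: the new VMware bullet quotes an error message in its link text (`"VMware Workstation and Device/Credential Guard are not compatible" error ...`) while every other vendor bullet uses a plain article title, so consider keeping the bullet style consistent; and the `\** Registration is required to access this article.` footnote is kept even though none of the bullets visible in this hunk carry a `**` marker, so confirm the link it annotates is still present after the list rewrite.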
@ -63,7 +63,7 @@ sections:
|
||||
|
||||
- question: How does Windows Hello for Business work with Azure AD registered devices?
|
||||
answer: |
|
||||
A user will be prompted to set-up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures.
|
||||
A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures.
|
||||
|
||||
If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
|
||||
|
||||
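Review bot: the typo `exiting gestures` (should be `existing gestures`) survives in both the old and the new version of the answer; since the line is already being edited for `set-up` to `set up`, fix it here as well. The same sentence reads `on an Azure AD registered devices`, which needs either `an ... device` or `Azure AD registered devices`, and the rest of this commit hyphenates the compound as `Azure AD-registered`, so `an Azure AD-registered device` would match.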
@ -79,7 +79,7 @@ sections:
|
||||
answer: |
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
|
||||
- question: Can I use an external Windows Hello compatible camera when my computer has a built in Windows Hello compatible camera?
|
||||
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
|
||||
answer: |
|
||||
Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
|
||||
|
||||
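Review bot: the last sentence of the answer links to an absolute `https://docs.microsoft.com/en-us/windows-hardware/...` URL with a locale in it, while every other link in this file is site-relative (`/azure/...`, `/windows/...`); change it to `/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors` so the link doesn't pin en-us. `ESS` is also used before it's expanded; moving the expansion earlier, for example `... is restricted if Enhanced Sign-in Security (ESS) is enabled; see ...`, and dropping `please` from `please see` would bring the sentence in line with the rest of the FAQ.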
@ -101,14 +101,10 @@ sections:
|
||||
answer: |
|
||||
The user experience for Windows Hello for Business occurs after the user signs in, after you deploy Windows Hello for Business policy settings to your environment.
|
||||
|
||||
[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
|
||||
|
||||
- question: What happens when a user forgets their PIN?
|
||||
answer: |
|
||||
If the user can sign in with a password, they can reset their PIN by selecting the "I forgot my PIN" link in Settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by selecting the "I forgot my PIN" link on the PIN credential provider.
|
||||
|
||||
[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
|
||||
|
||||
For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
|
||||
|
||||
- question: What URLs do I need to allow for a hybrid deployment?
|
||||
|
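Review bot: after this change the enrollment answer has no pointer to the user enrollment video, because the two in-text links (`hello-videos.md#windows-hello-for-business-user-enrollment-experience` and `hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience`) are removed without a replacement; if the intent is to retire those anchors, the same `hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience` reference in the PIN-reset file (next hunk) should be updated too, otherwise keep at least one link or fold the videos page into the `For more information` sentence. Minor: `Windows 10 1709` should read `Windows 10, version 1709`, matching `Windows 10, version 21H1` used earlier in this file.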
@ -65,8 +65,6 @@ For Hybrid Azure AD-joined devices:
|
||||
|
||||
You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
|
||||
|
||||
Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](./hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience).
|
||||
|
||||
## Non-Destructive PIN reset
|
||||
|
||||
**Requirements:**
|
||||
|
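Review bot: the link text `... at the Windows sign-in screen - General ]` carries a trailing space before the closing bracket and renders as `General ]`; trim it. The same sentence uses `post login` and `will not work` while the rest of this commit moves to `after sign-in` and contractions (`won't`); these are context lines here, but they're worth aligning in the same pass. The hunk header shows two lines removed (`-65,8 +65,6`); confirm they were blank lines and that the `Visit the [Windows Hello for Business Videos] ...` sentence stays, since it is now the remaining pointer to the forgotten-PIN video after the FAQ hunk above drops its own link.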
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: How Windows Hello for Business works - Technology and Terms
|
||||
title: How Windows Hello for Business works - technology and terms
|
||||
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
|
||||
ms.prod: m365-security
|
||||
author: GitPrakhar13
|
||||
@ -11,275 +11,340 @@ localizationpriority: medium
|
||||
ms.date: 10/08/2018
|
||||
ms.reviewer:
|
||||
---
|
||||
# Technology and Terms
|
||||
|
||||
# Technology and terms
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
|
||||
- [Attestation Identity Keys](#attestation-identity-keys)
|
||||
- [Azure AD Joined](#azure-ad-joined)
|
||||
- [Azure AD Registered](#azure-ad-registered)
|
||||
- [Certificate Trust](#certificate-trust)
|
||||
- [Cloud Deployment](#cloud-deployment)
|
||||
- [Cloud Experience Host](#cloud-experience-host)
|
||||
- [Deployment Type](#deployment-type)
|
||||
- [Endorsement Key](#endorsement-key)
|
||||
- [Federated Environment](#federated-environment)
|
||||
- [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
|
||||
- [Hybrid Deployment](#hybrid-deployment)
|
||||
- [Join Type](#join-type)
|
||||
- [Key Trust](#key-trust)
|
||||
- [Managed Environment](#managed-environment)
|
||||
- [On-premises Deployment](#on-premises-deployment)
|
||||
- [Pass-through Authentication](#pass-through-authentication)
|
||||
- [Password Hash Synchronization](#password-hash-sync)
|
||||
- [Primary Refresh Token](#primary-refresh-token)
|
||||
- [Storage Root Key](#storage-root-key)
|
||||
- [Trust Type](#trust-type)
|
||||
- [Trusted Platform Module](#trusted-platform-module)
|
||||
<hr>
|
||||
## Attestation identity keys
|
||||
|
||||
## Attestation Identity Keys
|
||||
Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
|
||||
Because the endorsement certificate is unique for each device and doesn't change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
|
||||
|
||||
> [!NOTE]
|
||||
> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
|
||||
> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
|
||||
|
||||
Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
|
||||
Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
|
||||
|
||||
Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
|
||||
Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. This behavior isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
|
||||
|
||||
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
|
||||
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that's not backed by an endorsement certificate.
|
||||
|
||||
### Related topics
|
||||
[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
|
||||
### Related to attestation identity keys
|
||||
|
||||
### More information
|
||||
- [Windows Client Certificate Enrollment Protocol: Glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
|
||||
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
- [Endorsement key](#endorsement-key)
|
||||
- [Storage root key](#storage-root-key)
|
||||
- [Trusted platform module](#trusted-platform-module)
|
||||
|
||||
### More information about attestation identity keys
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Azure AD Joined
|
||||
Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources.
|
||||
### Related topics
|
||||
[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
|
||||
- [Windows client certificate enrollment protocol: glossary](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_70efa425-6b46-462f-911d-d399404529ab)
|
||||
- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
|
||||
### More information
|
||||
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
|
||||
## Azure Active Directory join
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Azure AD Registered
|
||||
The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device.
|
||||
### Related topics
|
||||
[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type)
|
||||
Azure Active Directory (Azure AD) join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Azure AD join. Azure AD join also works in a hybrid environment and can enable access to on-premises applications and resources.
|
||||
|
||||
### More information
|
||||
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
|
||||
### Related to Azure AD join
|
||||
|
||||
- [Join type](#join-type)
|
||||
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Certificate Trust
|
||||
The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
|
||||
### More information about Azure AD join
|
||||
|
||||
### Related topics
|
||||
[Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
|
||||
[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
|
||||
## Azure AD registration
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Cloud Deployment
|
||||
The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types.
|
||||
The goal of Azure AD-registered devices is to provide you with support for the _bring your own device_ (BYOD) scenario. In this scenario, a user can access your organization's Azure AD-controlled resources using a personal device.
|
||||
|
||||
### Related topics
|
||||
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type)
|
||||
### Related to Azure AD registration
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Cloud Experience Host
|
||||
In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
|
||||
- [Azure AD join](#azure-active-directory-join)
|
||||
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
|
||||
- [Join type](#join-type)
|
||||
|
||||
### Related topics
|
||||
[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
|
||||
### More information about Azure AD registration
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business and Device Registration](./hello-how-it-works-device-registration.md)
|
||||
[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview).
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Certificate trust
|
||||
|
||||
The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.
|
||||
|
||||
### Related to certificate trust
|
||||
|
||||
- [Deployment type](#deployment-type)
|
||||
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
- [Key trust](#key-trust)
|
||||
- [On-premises deployment](#on-premises-deployment)
|
||||
- [Trust type](#trust-type)
|
||||
|
||||
### More information about certificate trust
|
||||
|
||||
[Windows Hello for Business planning guide](hello-planning-guide.md)
|
||||
|
||||
## Cloud deployment
|
||||
|
||||
The Windows Hello for Business cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD-joined or Azure AD-registered devices.
|
||||
|
||||
### Related to cloud deployment
|
||||
|
||||
- [Azure AD join](#azure-active-directory-join)
|
||||
- [Azure AD registration](#azure-ad-registration)
|
||||
- [Deployment type](#deployment-type)
|
||||
- [Join type](#join-type)
|
||||
|
||||
## Cloud experience host
|
||||
|
||||
In Windows 10 and Windows 11, cloud experience host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
|
||||
|
||||
### Related to cloud experience host
|
||||
|
||||
- [Windows Hello for Business](./hello-identity-verification.md)
|
||||
- [Managed Windows Hello in organization](./hello-manage-in-organization.md)
|
||||
|
||||
### More information on cloud experience host
|
||||
|
||||
[Windows Hello for Business and device registration](./hello-how-it-works-device-registration.md)
|
||||
|
||||
## Deployment type
|
||||
|
||||
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
|
||||
|
||||
## Deployment Type
|
||||
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
|
||||
- Cloud
|
||||
- Hybrid
|
||||
- On-Premises
|
||||
- On-premises
|
||||
|
||||
### Related topics
|
||||
[Cloud Deployment](#cloud-deployment), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment)
|
||||
### Related to deployment type
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
|
||||
- [Cloud deployment](#cloud-deployment)
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
- [On-premises deployment](#on-premises-deployment)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Endorsement Key
|
||||
### More information about deployment type
|
||||
|
||||
[Windows Hello for Business planning guide](hello-planning-guide.md)
|
||||
|
||||
## Endorsement key
|
||||
|
||||
The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
|
||||
|
||||
The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
|
||||
The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs.
|
||||
|
||||
The endorsement key acts as an identity card for the TPM.
|
||||
|
||||
The endorsement key is often accompanied by one or two digital certificates:
|
||||
|
||||
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
|
||||
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
|
||||
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
|
||||
|
||||
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
|
||||
|
||||
For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
|
||||
|
||||
### Related topics
|
||||
[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
|
||||
### Related to endorsement key
|
||||
|
||||
### More information
|
||||
- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)).
|
||||
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
- [Attestation identity keys](#attestation-identity-keys)
|
||||
- [Storage root key](#storage-root-key)
|
||||
- [Trusted platform module](#trusted-platform-module)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Federated Environment
|
||||
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
|
||||
### More information about endorsement key
|
||||
|
||||
### Related topics
|
||||
[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync)
|
||||
- [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11))
|
||||
- [TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
|
||||
### More information
|
||||
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
|
||||
## Federated environment
|
||||
|
||||
Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure AD and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they don't have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide extra authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.
|
||||
|
||||
### Related to federated environment
|
||||
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
- [Managed environment](#managed-environment)
|
||||
- [Pass-through authentication](#pass-through-authentication)
|
||||
- [Password hash sync](#password-hash-sync)
|
||||
|
||||
### More information about federated environment
|
||||
|
||||
[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
|
||||
|
||||
## Hybrid Azure AD join
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Hybrid Azure AD Joined
|
||||
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
|
||||
|
||||
- IT departments to manage work-owned devices from a central location.
|
||||
- Users to sign in to their devices with their Active Directory work or school accounts.
|
||||
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them.
|
||||
- Users to sign in to their devices with their Active Directory work or school accounts.
|
||||
|
||||
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD-joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
|
||||
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
|
||||
|
||||
### Related topics
|
||||
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment)
|
||||
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure AD, you can implement hybrid Azure AD-joined devices. These devices are joined to both your on-premises Active Directory and your Azure AD.
|
||||
|
||||
### More information
|
||||
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
|
||||
### Related to hybrid Azure AD join
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Hybrid Deployment
|
||||
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
|
||||
- [Azure AD join](#azure-active-directory-join)
|
||||
- [Azure AD registration](#azure-ad-registration)
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
|
||||
### Related topics
|
||||
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined),
|
||||
### More information about hybrid Azure AD join
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
|
||||
[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
|
||||
|
||||
## Hybrid deployment
|
||||
|
||||
The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that's synchronized with Azure AD. Hybrid deployments support devices that are Azure AD-registered, Azure AD-joined, and hybrid Azure AD-joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.
|
||||
|
||||
### Related to hybrid deployment
|
||||
|
||||
- [Azure AD join](#azure-active-directory-join)
|
||||
- [Azure AD registration](#azure-ad-registration)
|
||||
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
|
||||
|
||||
### More information about hybrid deployment
|
||||
|
||||
[Windows Hello for Business planning guide](hello-planning-guide.md)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Join type
|
||||
Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined.
|
||||
|
||||
Join type is how devices are associated with Azure AD. For a device to authenticate to Azure AD it must be registered or joined.
|
||||
|
||||
Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
|
||||
|
||||
When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune .
|
||||
When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This behavior allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
|
||||
|
||||
Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
|
||||
Joining a device is an extension to registering a device. This method provides you with all the benefits of registering a device, and changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.
|
||||
|
||||
### Related topics
|
||||
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
|
||||
### Related to join type
|
||||
|
||||
### More information
|
||||
- [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction)
|
||||
- [Azure AD join](#azure-active-directory-join)
|
||||
- [Azure AD registration](#azure-ad-registration)
|
||||
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Key Trust
|
||||
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
|
||||
### More information about join type
|
||||
|
||||
### Related topics
|
||||
[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)
|
||||
[Introduction to device identity in Azure AD](/azure/active-directory/devices/overview)
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
|
||||
## Key trust
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Managed Environment
|
||||
Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services.
|
||||
The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The key trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.
|
||||
|
||||
### Related topics
|
||||
[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-sync)
|
||||
### Related to key trust
|
||||
|
||||
[Return to Top](#technology-and-terms)
|
||||
## On-premises Deployment
|
||||
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
|
||||
- [Certificate trust](#certificate-trust)
|
||||
- [Deployment type](#deployment-type)
|
||||
- [Hybrid Azure AD join](#hybrid-azure-ad-join)
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
- [On-premises deployment](#on-premises-deployment)
|
||||
- [Trust type](#trust-type)
|
||||
|
||||
### Related topics
|
||||
[Cloud Deployment](#cloud-deployment), [Deployment Type](#deployment-type), [Hybrid Deployment](#hybrid-deployment)
|
||||
### More information about key trust
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
|
||||
[Windows Hello for Business planning guide](hello-planning-guide.md)
|
||||
|
||||
## Managed environment
|
||||
|
||||
Managed environments are for non-federated environments where Azure AD manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services (ADFS).
|
||||
|
||||
### Related to managed environment
|
||||
|
||||
- [Federated environment](#federated-environment)
|
||||
- [Pass-through authentication](#pass-through-authentication)
|
||||
- [Password hash synchronization](#password-hash-sync)
|
||||
|
||||
## On-premises deployment
|
||||
|
||||
The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust.
|
||||
|
||||
### Related to on-premises deployment
|
||||
|
||||
- [Cloud deployment](#cloud-deployment)
|
||||
- [Deployment type](#deployment-type)
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
|
||||
### More information about on-premises deployment
|
||||
|
||||
[Windows Hello for Business planning guide](hello-planning-guide.md)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Pass-through authentication
|
||||
Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||
|
||||
### Related topics
|
||||
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-sync)
|
||||
Pass-through authentication provides a simple password validation for Azure AD authentication services. It uses a software agent that runs on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||
|
||||
### Related to pass-through authentication
|
||||
|
||||
### More information
|
||||
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn)
|
||||
- [Federated environment](#federated-environment)
|
||||
- [Managed environment](#managed-environment)
|
||||
- [Password hash synchronization](#password-hash-sync)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Password Hash Sync
|
||||
The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||
### More information about pass-through authentication
|
||||
|
||||
### Related topics
|
||||
[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication)
|
||||
[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
|
||||
|
||||
### More information
|
||||
- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](/azure/security/azure-ad-choose-authn)
|
||||
## Password hash sync
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Primary Refresh Token
|
||||
SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.
|
||||
Password hash sync is the simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
|
||||
|
||||
The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD-joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
|
||||
### Related to password hash sync
|
||||
|
||||
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
|
||||
- [Federated environment](#federated-environment)
|
||||
- [Managed environment](#managed-environment)
|
||||
- [Pass-through authentication](#pass-through-authentication)
|
||||
|
||||
[Return to Top](#technology-and-terms)
|
||||
## Storage Root Key
|
||||
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
|
||||
### More information about password hash sync
|
||||
|
||||
### Related topics
|
||||
[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Trusted Platform Module](#trusted-platform-module)
|
||||
[Choose the right authentication method for your Azure AD hybrid identity solution](/azure/active-directory/hybrid/choose-ad-authn)
|
||||
|
||||
### More information
|
||||
[TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
## Primary refresh token
|
||||
|
||||
Single sign on (SSO) relies on special tokens obtained for each of the types of applications above. These special tokens are then used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications, this token is a _primary refresh token_ (PRT). It's a [JSON Web Token](https://openid.net/specs/draft-jones-json-web-token-07.html) that contains claims about both the user and the device.
|
||||
|
||||
The PRT is initially obtained during Windows user sign-in or unlock in a similar way the Kerberos TGT is obtained. This behavior is true for both Azure AD joined and hybrid Azure AD-joined devices. For personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account. For a personal device the account to unlock the device isn't the work account, but a consumer account. For example, hotmail.com, live.com, or outlook.com.
|
||||
|
||||
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. The PRT also contains information about the device. If you have any [device-based conditional access](/azure/active-directory/conditional-access/concept-conditional-access-grant) policy set on an application, without the PRT, access will be denied.
|
||||
|
||||
## Storage root key
|
||||
|
||||
The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
|
||||
|
||||
### Related to storage root key
|
||||
|
||||
- [Attestation identity keys](#attestation-identity-keys)
|
||||
- [Endorsement key](#endorsement-key)
|
||||
- [Trusted platform module](#trusted-platform-module)
|
||||
|
||||
### More information about storage root key
|
||||
|
||||
[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Trust type
|
||||
The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment).
|
||||
|
||||
### Related topics
|
||||
[Certificate Trust](#certificate-trust), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment)
|
||||
The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type doesn't affect authentication to Azure AD. Windows Hello for Business authentication to Azure AD always uses the key, not a certificate (excluding smart card authentication in a federated environment).
|
||||
|
||||
### More information
|
||||
- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
|
||||
### Related to trust type
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
## Trusted Platform Module
|
||||
- [Certificate trust](#certificate-trust)
|
||||
- [Hybrid deployment](#hybrid-deployment)
|
||||
- [Key trust](#key-trust)
|
||||
- [On-premises deployment](#on-premises-deployment)
|
||||
|
||||
A Trusted Platform Module (TPM) is a hardware component that provides unique security features.<br>
|
||||
### More information about trust type
|
||||
|
||||
Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
|
||||
[Windows Hello for Business planning guide](hello-planning-guide.md)
|
||||
|
||||
## Trusted platform module
|
||||
|
||||
A trusted platform module (TPM) is a hardware component that provides unique security features.
|
||||
|
||||
Windows uses security characteristics of a TPM for the following functions:
|
||||
|
||||
- Measuring boot integrity sequence. Based on that sequence, it automatically unlocks BitLocker-protected drives
|
||||
- Protecting credentials
|
||||
- Health attestation
|
||||
|
||||
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). There are currently two versions of the TPM specification produced by TCG that aren't compatible with each other:
|
||||
|
||||
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
|
||||
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
|
||||
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
|
||||
|
||||
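Review bot: several grammar defects in the rewritten terminology entries survive from the old text and should be fixed while these lines are being touched. "you also want benefit from the capabilities provided by Azure AD" (hybrid Azure AD join) is missing "to" ("want to benefit from"); "they often use or group policy to manage them" has a stray "or" with no first item before it, so either name the other management tool or drop the "or". "sign-in" is used as a verb in "when a user signs-in to Azure AD" and "enables your users to sign-in to a device"; as a verb it is two words, and the new text already uses the hyphenated form correctly as a noun in "Windows user sign-in or unlock". In the pass-through authentication entry, "Allows your users to sign in to both on-premises and Office 365 resources" is still a sentence without a subject ("PTA allows your users..."), and in the storage root key entry "a minimum of 2048-bits length" should be "2048-bit".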
@ -290,27 +355,29 @@ Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG.
|
||||
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
|
||||
|
||||
- Update cryptography strength to meet modern security needs
|
||||
- Support for SHA-256 for PCRs
|
||||
- Support for HMAC command
|
||||
- Support for SHA-256 for PCRs
|
||||
- Support for HMAC command
|
||||
- Cryptographic algorithms flexibility to support government needs
|
||||
- TPM 1.2 is severely restricted in terms of what algorithms it can support
|
||||
- TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
|
||||
- TPM 1.2 is severely restricted in terms of what algorithms it can support
|
||||
- TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents
|
||||
- Consistency across implementations
|
||||
- The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
|
||||
- TPM 2.0 standardizes much of this behavior
|
||||
- The TPM 1.2 specification allows vendors wide latitude when choosing implementation details
|
||||
- TPM 2.0 standardizes much of this behavior
|
||||
|
||||
In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
|
||||
- A RSA 2048-bit key generator
|
||||
In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
|
||||
|
||||
- An RSA 2048-bit key generator
|
||||
- A random number generator
|
||||
- Nonvolatile memory for storing EK, SRK, and AIK keys
|
||||
- A cryptographic engine to encrypt, decrypt, and sign
|
||||
- Volatile memory for storing the PCRs and RSA keys
|
||||
|
||||
### Related to trusted platform module
|
||||
|
||||
### Related topics
|
||||
[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key)
|
||||
- [Attestation identity keys](#attestation-identity-keys)
|
||||
- [Endorsement key](#endorsement-key)
|
||||
- [Storage root key](#storage-root-key)
|
||||
|
||||
### More information
|
||||
- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
### More information about trusted platform module
|
||||
|
||||
[Return to Top](hello-how-it-works-technology.md)
|
||||
[TPM library specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
|
||||
|
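Review bot: the link text change from "TPM Library Specification" to "TPM library specification" lowercases the title of the TCG document being linked; sentence-case is a convention for headings, not for cited document titles, so keep "TPM Library Specification" in both places it appears in this section. A smaller point in the unchanged sentence "It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device": the list mixes verbs and bare objects; "It can generate random numbers and RSA keys, decrypt short data, and store hashes taken when booting the device" reads correctly and matches the component list that follows.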
@ -288,11 +288,13 @@ Sign-in to the issuing certificate authority or management workstations with _Do
|
||||
|
||||
7. On the **Security** tab, click **Add**.
|
||||
|
||||
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
|
||||
8. Select **Object Types**, then, in the window that appears, choose **Computers** and click **OK**.
|
||||
|
||||
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
|
||||
9. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
|
||||
|
||||
10. Click on the **Apply** to save changes and close the console.
|
||||
10. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
|
||||
|
||||
11. Click on the **Apply** to save changes and close the console.
|
||||
|
||||
### Create an Azure AD joined Windows Hello for Business authentication certificate template
|
||||
|
||||
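Review bot: the inserted step "Select **Object Types**, then, in the window that appears, choose **Computers** and click **OK**" is the right addition, since the NDES server is a computer object and the name entered in the next step won't resolve unless that object type is selected; the renumbering of the following steps is consistent. Two wording points remain in the renumbered steps: the dialog label quoted as "**Group or users names**" is "Group or user names", and "Click on the **Apply** to save changes" should be "Click **Apply** to save changes".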
@ -334,7 +336,7 @@ The certificate authority may only issue certificates for certificate templates
|
||||
> [!Important]
|
||||
> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
|
||||
|
||||
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
|
||||
Sign in to the certificate authority or management workstations with an _enterprise admin_ -equivalent credential.
|
||||
|
||||
1. Open the **Certificate Authority** management console.
|
||||
|
||||
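Review bot: the space in "an _enterprise admin_ -equivalent credential" will be visible in the rendered page as "enterprise admin -equivalent"; "an _enterprise admin_-equivalent credential" renders correctly because the closing underscore is followed by punctuation rather than a word character. While in this hunk, the unchanged Important note still reads "You need to publish that certificate templates to that issuing certificate authority"; it should be "that certificate template" (singular, matching "the **AADJ WHFB Authentication** certificate template").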
@ -849,7 +851,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
|
||||
|
||||

|
||||
|
||||
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
|
||||
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished, click **Select**.
|
||||
|
||||
9. Click **Create**.
|
||||
|
||||
|
@ -21,7 +21,7 @@ ms.reviewer:
|
||||
- Hybrid Deployment
|
||||
- Key trust
|
||||
|
||||
Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
|
||||
Windows Hello for Business deployments rely on certificates. Hybrid deployments use publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
|
||||
|
||||
All deployments use enterprise issued certificates for domain controllers as a root of trust.
|
||||
|
||||
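Review bot: the subject-verb fix ("Hybrid deployments use") is correct, but the same sentence still ends "to encrypt the data that flows them and the client computer", which is missing a preposition; it should read "the data that flows between them and the client computer".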
@ -79,11 +79,11 @@ The certificate template is configured to supersede all the certificate template
|
||||
|
||||
> [!NOTE]
|
||||
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
|
||||
>you can view
|
||||
>To see all certificates in the NTAuth store, use the following command:
|
||||
>
|
||||
>'''powershell
|
||||
>Certutil -view
|
||||
>Publish Certificate Templates to a Certificate Authority
|
||||
> `Certutil -viewstore -enterprise NTAuth`
|
||||
|
||||
### Publish Certificate Templates to a Certificate Authority
|
||||
|
||||
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
|
||||
|
||||
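Review bot: removing the four stray lines (">you can view", ">'''powershell", ">Certutil -view", ">Publish Certificate Templates to a Certificate Authority") is the right fix; the old fence used apostrophes instead of backticks, which is why it never rendered as code, and the heading text had been pasted into the note. One suggestion on the replacement command: `certutil -viewstore` opens the store in a dialog, so if readers are expected to run this from a remote or scripted session, `certutil -store -enterprise NTAuth` prints the store contents to the console instead; either way, state which behaviour the reader should expect.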
@ -95,7 +95,7 @@ Sign-in to the certificate authority or management workstations with an _enterpr
|
||||
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
|
||||
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
|
||||
6. If you published the **Domain Controller Authentication (Kerberos)** certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
|
||||
* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
|
||||
- To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
|
||||
7. Close the console.
|
||||
|
||||
### Unpublish Superseded Certificate Templates
|
||||
|
@ -37,37 +37,37 @@ Windows Hello lets users authenticate to:
|
||||
- A Microsoft account.
|
||||
- An Active Directory account.
|
||||
- A Microsoft Azure Active Directory (Azure AD) account.
|
||||
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://go.microsoft.com/fwlink/p/?LinkId=533889) authentication.
|
||||
- Identity Provider Services or Relying Party Services that support [Fast ID Online (FIDO) v2.0](https://fidoalliance.org/) authentication.
|
||||
|
||||
After an initial two-step verification of the user during enrollment, Windows Hello is set up on the user's device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate users.
|
||||
|
||||
As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.
|
||||
As an administrator in an enterprise or educational organization, you can create policies to manage Windows Hello for Business use on Windows 10-based devices that connect to your organization.
## Biometric sign-in
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11.
- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards.
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
## The difference between Windows Hello and Windows Hello for Business
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it is set up, but can use a simple password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it is not backed by asymmetric (public/private key) or certificate-based authentication.
- Individuals can create a PIN or biometric gesture on their personal devices for convenient sign-in. This use of Windows Hello is unique to the device on which it's set up, but can use a password hash depending on an individual's account type. This configuration is referred to as Windows Hello convenience PIN and it's not backed by asymmetric (public/private key) or certificate-based authentication.
- **Windows Hello for Business**, which is configured by Group Policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This makes it much more secure than **Windows Hello convenience PIN**.
- **Windows Hello for Business**, which is configured by group policy or mobile device management (MDM) policy, always uses key-based or certificate-based authentication. This behavior makes it more secure than **Windows Hello convenience PIN**.
## Benefits of Windows Hello
Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials.
You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they're entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials.
In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows to access resources and services.
In Windows 10 and later, Windows Hello replaces passwords. When an identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows that it's a verified identity, because of the combination of Windows Hello keys and gestures. It then provides an authentication token that allows Windows to access resources and services.
>[!NOTE]
>Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password.
> [!NOTE]
> Windows Hello as a convenience sign-in uses regular username and password authentication, without the user entering the password.
:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png":::
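Review bot: in the rewritten sentence ending "because of the combination of Windows Hello keys and gestures", the plural "gestures" changes the meaning; the original "Hello keys and gesture" is right, since a single gesture unlocks the key, so keep it singular. The same paragraph keeps "bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software", which conflicts with the later bullet in this file that says keys can be generated in TPM 1.2 or 2.0 for enterprises; while the sentence is being rewritten, align the two (for example "if the device has a supported TPM").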
@ -79,15 +79,15 @@ Windows Hello helps protect user identities and user credentials. Because the us
- Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
- Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step.
- An identity provider validates the user identity and maps the Windows Hello public key to a user account during the registration step. Example providers are Active Directory, Azure AD, or a Microsoft account.
- Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. To guarantee that keys are generated in hardware, you must set policy.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture doesn't roam between devices and isn't shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
- PIN entry and biometric gesture both trigger Windows 10 and later to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
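Review bot: the bullet "To guarantee that keys are generated in hardware, you must set policy" is left untouched although the neighbouring bullets are reworded; it does not say which policy, so a reader who wants hardware-backed keys (the main security property this list is about) has nothing to act on. Suggest naming or linking the relevant Windows Hello for Business policy setting in this pass. The bullet starting "PIN entry and biometric gesture both trigger Windows 10 and later" appears identical on both sides of the diff, which points to a whitespace-only change; worth confirming that is intended.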
@ -97,25 +97,21 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md).
## Comparing key-based and certificate-based authentication
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that do not use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 21H2, there is a feature called cloud trust for hybrid deployments which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but does not require certificates on the domain controller.
Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller.
Windows Hello for Business with a key, including cloud trust, does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
## Learn more
[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business)
[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/insidetrack/implementing-strong-user-authentication-with-windows-hello-for-business)
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/insidetrack/implementing-windows-hello-for-business-at-microsoft)
[Introduction to Windows Hello](/learn/?l=eH7yoY2BC_9106218949), video presentation on Microsoft Virtual Academy
[Windows Hello for Business: Authentication](https://youtu.be/WPmzoP_vMek): In this video, learn about Windows Hello for Business and how it's used to sign-in and access resources.
[Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication)
[Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
[Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
## Related topics
## Related articles
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
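Review bot: in the rewritten RDP paragraph, "self signed certificate" and "certificate based deployments" should be hyphenated ("self-signed", "certificate-based") since the line is already being edited for contraction style. In the "Learn more" list, the Microsoft Virtual Academy entry is replaced with a direct YouTube link, but the two go.microsoft.com fwlink entries (LinkId=533890 and 533891) are kept with no indication of where they resolve; consider giving them the same treatment (direct URLs) while the list is being revised.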
@ -8,8 +8,8 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
ms.date: 07/26/2022
ms.reviewer: paoloma
---
# Windows Hello for Business Videos
@ -46,22 +46,4 @@ Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business pr
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
## Windows Hello for Business user enrollment experience
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM]
</br>
> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso]
## Windows Hello for Business forgotten PIN user experience
If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI]
For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
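Review bot: this hunk removes the "user enrollment experience" and "forgotten PIN user experience" sections (three video embeds plus the guidance that on-premises deployments need connectivity to a domain controller or certificate authority to reset a PIN, and that hybrid tenants can onboard to the PIN reset service) and keeps only the authentication video. If that material now lives elsewhere, add a link to the new location in the surviving text; if it is being retired, the hunk should say so in the commit message, since the PIN-reset connectivity requirement is something administrators look up.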
@ -156,7 +156,7 @@ landingContent:
- text: Microsoft Security Development Lifecycle
url: threat-protection/msft-security-dev-lifecycle.md
- text: Microsoft Bug Bounty
url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program.md
url: /microsoft-365/security/intelligence/microsoft-bug-bounty-program
- text: Common Criteria Certifications
url: threat-protection/windows-platform-common-criteria.md
- text: Federal Information Processing Standard (FIPS) 140 Validation
@ -85,7 +85,23 @@ These requirements help protect you from rootkits while allowing you to run any
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software can't change the Secure Boot settings.
Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
The default state of Secure Boot has a wide circle of trust which can result in customers trusting boot components they may not need. Since the Microsoft 3rd Party UEFI CA certificate signs the bootloaders for all Linux distributions, trusting the Microsoft 3rd Party UEFI CA signature in the UEFI database increase s the attack surface of systems. A customer who intended to only trust and boot a single Linux distribution will trust all distributions – much more than their desired configuration. A vulnerability in any of the bootloaders exposes the system and places the customer at risk of exploit for a bootloader they never intended to use, as seen in recent vulnerabilities, for example [with the GRUB bootloader](https://msrc.microsoft.com/security-guidance/advisory/ADV200011) or [firmware-level rootkit]( https://www.darkreading.com/threat-intelligence/researchers-uncover-dangerous-new-firmware-level-rootkit) affecting boot components. [Secured-core PCs](/windows-hardware/design/device-experiences/OEM-highly-secure-11) require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.
To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps:
1. Open the firmware menu, either:
- Boot the PC, and press the manufacturer’s key to open the menus. Common keys used: Esc, Delete, F1, F2, F10, F11, or F12. On tablets, common buttons are Volume up or Volume down. During startup, there’s often a screen that mentions the key. If there’s not one, or if the screen goes by too fast to see it, check your manufacturer’s site.
- Or, if Windows is already installed, from either the Sign on screen or the Start menu, select Power ( ) > hold Shift while selecting Restart. Select Troubleshoot > Advanced options > UEFI Firmware settings.
2. From the firmware menu navigate to Security > Secure Boot and select the option to trust the “3rd Party CA”.
3. Save changes and exit.
Microsoft continues to collaborate with Linux and IHV ecosystem partners to design least privileged features to help you stay secure and opt-in trust for only the publishers and components you trust.
Like most mobile devices, Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot can't be turned off, and you can't load a different OS. Fortunately, there's a large market of ARM processor devices designed to run other operating systems.
## Trusted Boot
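Review bot: the relocated paragraph now says "Arm-based devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1", which is not true of Arm devices in general; the original qualifier "Certified For Windows RT" was what made the statement accurate, so keep it (or restrict the sentence to Surface RT). In the new 3rd Party UEFI CA paragraph, fix the typo "increase s the attack surface", and in the steps that follow: "signed by the UEFI signature" should name the signer ("signed by the Microsoft 3rd Party UEFI CA"), "Power ( )" has an empty icon placeholder, and "configured in the BIOS menu" should read "UEFI firmware menu" to match step 1. Given that the paragraph argues for a smaller circle of trust, it would also help to state that enabling the 3rd Party CA re-widens it and should be done only when a non-Windows OS is actually needed on that PC.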
@ -17,7 +17,7 @@ ms.technology: windows-sec
# 5070(S, F): A cryptographic function property modification was attempted.
This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function.
This event generates when named property for a cryptographic function in an existing CNG context was updated.
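Review bot: the rewrite "This function is a Cryptographic Next Generation (CNG) function" repeats "function" three times across two sentences; suggest collapsing to "This event generates in the [BCryptSetContextFunctionProperty](...)() function, a Cryptographic Next Generation (CNG) function." The following context sentence also lacks an article: "when a named property for a cryptographic function in an existing CNG context is updated".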
@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- <https://www.microsoft.com/download/details.aspx?id=30688>
This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
This event is used for Cryptographic Next Generation (CNG) troubleshooting.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md)
@ -27,7 +27,7 @@ This event generates every time an Active Directory object is modified.
To generate this event, the modified object must have an appropriate entry in [SACL](/windows/win32/secauthz/access-control-lists): the “**Write”** action auditing for specific attributes.
For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
For a change operation, you'll typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
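Review bot: the rewritten sentence still drops articles in its second half; suggest "The “Value Deleted” event typically contains the previous value and the “Value Added” event contains the new value." In the preceding context line the bold markers are misplaced around the quotes (`“**Write”**`), so the closing quote renders bold; it should be “**Write**”.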
@ -82,13 +82,13 @@ For a change operation you will typically see two 5136 events for one action, wi
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify object” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
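Review bot: "Formats vary, and include the following ones:" reads worse than the original "include the following:"; "ones" adds nothing before a list and should be dropped (the same edit is repeated in the 5137 hunk further down).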
@ -142,13 +142,13 @@ For a change operation you will typically see two 5136 events for one action, wi
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
- Take first 3 sections a6b34ab5-551b-4626.
- Take first three sections a6b34ab5-551b-4626.
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
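Review bot: the rewritten step "Delete: b54ab3a61b552646b8ee2b36b3ee6672" has lost its meaning; the original "Delete - :" was telling the reader to remove the hyphens from the GUID before splitting it into backslash-separated bytes. Suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672". In the same list, "(Invert)" should be lowercase, and the step reads more clearly as "reverse the byte order within each of these three sections".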
@ -180,7 +180,7 @@ For a change operation you will typically see two 5136 events for one action, wi
> **Note** [LDAP Display Name](/windows/win32/adschema/a-ldapdisplayname) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol.
- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined.
- **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes aren't represented as objects in the schema, but they're programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined.
| OID | Syntax Name | Description |
|----------|--------------------------------------------|----------------------------------------------------------|
@ -189,7 +189,7 @@ For a change operation you will typically see two 5136 events for one action, wi
| 2.5.5.2 | String(Object-Identifier) | The object identifier. |
| 2.5.5.3 | Case-Sensitive String | General String. |
| 2.5.5.4 | CaseIgnoreString(Teletex) | Differentiates uppercase and lowercase. |
| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Does not differentiate uppercase and lowercase. |
| 2.5.5.5 | String(Printable), String(IA5) | Teletex. Doesn't differentiate uppercase and lowercase. |
| 2.5.5.6 | String(Numeric) | Printable string or IA5-String. |
| 2.5.5.7 | Object(DN-Binary) | Both character sets are case-sensitive. |
| 2.5.5.8 | Boolean | A sequence of digits. |
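Review bot: the Description column of this table is out of step with the Syntax Name column: "Boolean" is described as "A sequence of digits", "String(Numeric)" as "Printable string or IA5-String", "CaseIgnoreString(Teletex)" as "Differentiates uppercase and lowercase", and the description that mentions Teletex sits on the String(Printable), String(IA5) row. Each description belongs one or two rows higher. Since the hunk already touches the table for contraction style, realign the rows rather than rewording a single misplaced cell.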
@ -205,7 +205,7 @@ For a change operation you will typically see two 5136 events for one action, wi
> Table 10. LDAP Attribute Syntax OIDs.
- **Value** \[Type = UnicodeString\]: the value which was added or deleted, depending on the **Operation\\Type** field.
- **Value** \[Type = UnicodeString\]: the value that was added or deleted, depending on the **Operation\\Type** field.
**Operation:**
@ -235,4 +235,4 @@ For 5136(S): A directory service object was modified.
- If you need to monitor modifications to specific Active Directory attributes, monitor for **LDAP Display Name** field with specific attribute name.
- It is better to monitor **Operation\\Type = Value Added** events, because you will see the new value of attribute. At the same time you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
- It's better to monitor **Operation\\Type = Value Added** events, because you'll see the new value of attribute. At the same time, you can correlate to previous **Operation\\Type = Value Deleted** event with the same **Correlation ID** to see the previous value.
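Review bot: the rewritten recommendation still reads "the new value of attribute" and "correlate to previous ... event"; suggest "you'll see the new value of the attribute" and "you can correlate it with the previous **Operation\\Type = Value Deleted** event that has the same **Correlation ID**".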
@ -76,13 +76,13 @@ This event only generates if the parent object has a particular entry in its [SA
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create object” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
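Review bot: as in the 5136 hunk, "include the following ones:" should stay "include the following:"; the added "ones" is not needed before a list.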
@ -136,13 +136,13 @@ This event only generates if the parent object has a particular entry in its [SA
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
- Take first 3 sections a6b34ab5-551b-4626.
- Take first three sections a6b34ab5-551b-4626.
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
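Review bot: as in the 5136 hunk, "Delete: b54ab3a61b552646b8ee2b36b3ee6672" no longer says what to delete; the original "Delete - :" meant remove the hyphens. Suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672", and lowercase "(Invert)" in the preceding step.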
@ -182,4 +182,4 @@ For 5137(S): A directory service object was created.
- If you need to monitor creation of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor all new group policy objects creations: **groupPolicyContainer** class.
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There is no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5137](event-5137.md). There's no reason to audit all creation events for all types of Active Directory objects; find the most important locations (organizational units, folders, etc.) and monitor for creation of specific classes only (user, computer, group, etc.).
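Review bot: while touching the SACL line, also add the missing article: "within an Active Directory container". The contraction change alone leaves the sentence grammatically incomplete.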
@ -77,13 +77,13 @@ This event only generates if the container to which the Active Directory object
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested that the object be undeleted or restored. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** name of account that requested that the object be undeleted or restored.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
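Review bot: same redundant "include the following ones:" wording as in the 5137 Subject hunk; keep "include the following:".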
@ -105,7 +105,7 @@ This event only generates if the container to which the Active Directory object
**Object:**
- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it.
- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will point to [Active Directory Recycle Bin](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd392261(v=ws.10)) folder, in case if it was restored from it.
> **Note** The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
>
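Review bot: the "It will points" to "It will point" fix is right, but the rest of the Old DN sentence still reads "in case if it was restored from it", which is ungrammatical. Suggest "It points to the Active Directory Recycle Bin folder if the object was restored from there."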
@ -139,13 +139,13 @@ This event only generates if the container to which the Active Directory object
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
- Take first 3 sections a6b34ab5-551b-4626.
- Take first three sections a6b34ab5-551b-4626.
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
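Review bot: same problem as in the 5137 GUID hunk: "Delete: b54ab3a6..." no longer says what to delete. Suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".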
@ -185,4 +185,4 @@ For 5138(S): A directory service object was undeleted.
- If you need to monitor undelete operations (restoration) of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
- It may be a good idea to monitor all undelete events, because the operation is not performed very often. Confirm that there is a reason for the object to be undeleted.
- It may be a good idea to monitor all undelete events, because the operation isn't performed often. Confirm that there's a reason for the object to be undeleted.
@ -77,13 +77,13 @@ This event only generates if the destination object has a particular entry in it
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “move object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “move object” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
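Review bot: same redundant "include the following ones:" wording as in the 5137 Subject hunk; keep "include the following:".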
@ -139,13 +139,13 @@ This event only generates if the destination object has a particular entry in it
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
- Take first 3 sections a6b34ab5-551b-4626.
- Take first three sections a6b34ab5-551b-4626.
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
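Review bot: same problem as in the 5137 GUID hunk: "Delete: b54ab3a6..." no longer says what to delete. Suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".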
@ -185,4 +185,4 @@ For 5139(S): A directory service object was moved.
- If you need to monitor movement of Active Directory objects with specific classes, monitor for **Class** field with specific class name.
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There is no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
- You must set correct auditing access lists (SACLs) for specific classes within Active Directory container to get [5139](event-5139.md). There's no reason to audit all movement events for all types of Active Directory objects, you need to find the most important locations (organizational units, folders, etc.) and monitor for movement of specific classes only to these locations (user, computer, group, etc.).
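Review bot: the comma splice "all types of Active Directory objects, you need to find the most important locations" survives the contraction edit; the parallel 5137 hunk in this commit uses a semicolon there, so make this one match: "...Active Directory objects; find the most important locations...".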
@ -78,13 +78,13 @@ This event generates once per session, when first access attempt was made.
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
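Review bot: same redundant "include the following ones:" wording as in the 5137 Subject hunk; keep "include the following:".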
@ -120,7 +120,7 @@ This event generates once per session, when first access attempt was made.
- ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access.
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access.
- 0 for local access attempts.
@ -134,7 +134,7 @@ This event generates once per session, when first access attempt was made.
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
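Review bot: "Has always “ReadData (or ListDirectory)” value for this event" is an unidiomatic word order; suggest "Always has the value “ReadData (or ListDirectory)” for this event", with the same fix on the Access Mask context line above it ("Always has the value “0x1” for this event").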
## Security Monitoring Recommendations
@ -144,9 +144,9 @@ For 5140(S, F): A network share object was accessed.
- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event<b>.</b> For example, you could monitor share **C$** on domain controllers.
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range.
- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**).
- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**).
- If you need to monitor access attempts to local shares from a specific IP address (“**Network Information\\Source Address”)**, use this event.
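Review bot: the context line "monitor this event<b>.</b> For example, you could monitor share **C$**" carries a stray HTML-bold period left over from conversion; since the neighboring lines are being edited, replace `<b>.</b>` with a plain period.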
@ -77,13 +77,13 @@ This event only generates if the deleted object has a particular entry in its [S
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
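Review bot: same redundant "include the following ones:" wording as in the 5137 Subject hunk; keep "include the following:".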
@ -137,13 +137,13 @@ This event only generates if the deleted object has a particular entry in its [S
- We have this GUID to search for: a6b34ab5-551b-4626-b8ee-2b36b3ee6672
- Take first 3 sections a6b34ab5-551b-4626.
- Take first three sections a6b34ab5-551b-4626.
- For each of these 3 sections you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- For each of these three sections, you need to change (Invert) the order of bytes, like this b54ab3a6-1b55-2646
- Add the last 2 sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Add the last two sections without transformation: b54ab3a6-1b55-2646-b8ee-2b36b3ee6672
- Delete - : b54ab3a61b552646b8ee2b36b3ee6672
- Delete: b54ab3a61b552646b8ee2b36b3ee6672
- Divide bytes with backslashes: \\b5\\4a\\b3\\a6\\1b\\55\\26\\46\\b8\\ee\\2b\\36\\b3\\ee\\66\\72
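Review bot: same problem as in the 5137 GUID hunk: "Delete: b54ab3a6..." no longer says what to delete. Suggest "Remove the hyphens: b54ab3a61b552646b8ee2b36b3ee6672".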
@ -193,4 +193,4 @@ For 5141(S): A directory service object was deleted.
- If you need to monitor deletion of Active Directory objects with specific classes, monitor for **Class** field with specific class name. For example, we recommend that you monitor for group policy objects deletions: **groupPolicyContainer** class.
- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects which should not be deleted, monitor for their deletion.
- If you need to monitor deletion of specific Active Directory objects, monitor for **DN** field with specific object name. For example, if you have critical Active Directory objects that shouldn't be deleted, monitor for their deletion.
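Review bot: minor, on the context line above the edited DN line: "group policy objects deletions" should be "group policy object deletions".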
@ -78,13 +78,13 @@ This event generates every time network share object was modified.
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify network share object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify network share object” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
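Review bot: same redundant "include the following ones:" wording as in the 5137 Subject hunk; keep "include the following:".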
@ -120,9 +120,9 @@ This event generates every time network share object was modified.
<img src="images/advanced-sharing.png" alt="Advanced Sharing illustration" width="300" height="319" />
- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
- **Old Remark** \[Type = UnicodeString\]: the old value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it is not set.
- **New Remark** \[Type = UnicodeString\]: the new value of network share “**Comments:**” field. Has “**N/A**” value if it isn't set.
- **Old MaxUsers** \[Type = HexInt32\]: old hexadecimal value of “**Limit the number of simultaneous user to:**” field. Has “**0xFFFFFFFF**” value if the number of connections is unlimited.
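Review bot: "Has “N/A” value if it isn't set" on both the Old Remark and New Remark lines reads better as "Has the value “N/A” if it isn't set". On the Old MaxUsers context line, the dialog label is "Limit the number of simultaneous users to:" (plural), so "user" is a typo worth fixing in the same pass.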
@ -155,7 +155,7 @@ This event generates every time network share object was modified.
| "AU" | Authenticated users | "LG" | Local guest |
| "BA" | Built-in administrators | "LS" | Local service account |
| "BG" | Built-in guests | "SY" | Local system |
| "BO" | Backup operators | "NU" | Network logon user |
| "BO" | Backup operators | "NU" | Network sign-in user |
| "BU" | Built-in users | "NO" | Network configuration operators |
| "CA" | Certificate server administrators | "NS" | Network service account |
| "CG" | Creator group | "PO" | Printer operators |
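Review bot: "Network logon user" is the documented description of the SDDL well-known alias NU (SDDL_NETWORK), and this table is a reference for reading the SDDL strings in the event; renaming it "Network sign-in user" applies a UI-text style rule to a technical identifier and breaks the match with the SDDL references linked later in this file. Suggest keeping "Network logon user".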
@ -167,7 +167,7 @@ This event generates every time network share object was modified.
| "DU" | Domain users | "RC" | Restricted code |
| "EA" | Enterprise administrators | "SA" | Schema administrators |
| "ED" | Enterprise domain controllers | "SO" | Server operators |
| "WD" | Everyone | "SU" | Service logon user |
| "WD" | Everyone | "SU" | Service sign-in user |
- *G*: = Primary Group.
- *D*: = DACL Entries.
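Review bot: same objection as for NU above: "Service logon user" is the description of the SU alias (SDDL_SERVICE); keep "logon" in this reference table rather than "sign-in".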
@ -187,7 +187,7 @@ Example: D:(A;;FA;;;WD)
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
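Review bot: the edited "AI" line keeps a stray capital after the contraction: "assuming that "P" Isn't also set" should be "isn't". On the "P" context line above it, the quotes are mismatched (`"P”`, straight open and curly close) and the verb should be singular: "Inheritance from containers that are higher in the folder hierarchy is blocked."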
@ -213,7 +213,7 @@ Example: D:(A;;FA;;;WD)
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
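Review bot: the "NP" context line below the edited "OI" line has "only immediate children inherit this ace"; capitalize to "ACE" for consistency with "explicit ACE" on the surrounding lines.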
@ -224,7 +224,7 @@ Example: D:(A;;FA;;;WD)
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
| Value | Description | Value | Description |
|----------------------------|---------------------------------|----------------------|--------------------------|
@ -246,7 +246,7 @@ Example: D:(A;;FA;;;WD)
- object\_guid: N/A
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
@ -78,13 +78,13 @@ This event generates every time network share object (file or folder) was access
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
- **Security ID** \[Type = SID\]**:** SID of account that requested access to network share object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested access to network share object.
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
- Domain NETBIOS name example: CONTOSO
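Review bot: same redundant "include the following ones:" wording as in the 5137 Subject hunk; keep "include the following:".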
@ -120,7 +120,7 @@ This event generates every time network share object (file or folder) was access
- ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port which was used from remote or local machine to request the access.
- **Source Port** \[Type = UnicodeString\]: source TCP or UDP port that was used from remote or local machine to request the access.
- 0 for local access attempts.
@ -136,7 +136,7 @@ This event generates every time network share object (file or folder) was access
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
## Table of file access codes
@ -144,10 +144,10 @@ This event generates every time network share object (file or folder) was access
|-----------------------------------------------------------|----------------------------|---------------|
| ReadData (or ListDirectory) | 0x1,<br>%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory. |
| WriteData (or AddFile) | 0x2,<br>%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,<br>%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,<br>%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations won't overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA | 0x8,<br>%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,<br>%%4420 | The right to write extended file attributes. |
| Execute/Traverse | 0x20,<br>%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). See the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights) for more information. |
| Execute/Traverse | 0x20,<br>%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](/windows/win32/secauthz/privileges), which ignores the **FILE\_TRAVERSE**  [access right](/windows/win32/secauthz/access-rights-and-access-masks). For more information, see the remarks in [File Security and Access Rights](/windows/win32/fileio/file-security-and-access-rights). |
| DeleteChild | 0x40,<br>%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,<br>%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,<br>%%4424 | The right to write file attributes. |
@ -155,7 +155,7 @@ This event generates every time network share object (file or folder) was access
| READ\_CONTROL | 0x20000,<br>%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). |
| WRITE\_DAC | 0x40000,<br>%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
| WRITE\_OWNER | 0x80000,<br>%%1540 | The right to change the owner in the object's security descriptor |
| SYNCHRONIZE | 0x100000,<br>%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
| SYNCHRONIZE | 0x100000,<br>%%1541 | The right to use the object for synchronization. This right enables a thread to wait until the object is in the signaled state. Some object types don't support this access right. |
| ACCESS\_SYS\_SEC | 0x1000000,<br>%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. |
> <span id="_Ref433878809" class="anchor"></span>Table 13. File access codes.
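Review bot: the WRITE_OWNER context row ("The right to change the owner in the object's security descriptor") is the only description in this table without a terminal period; add one while the neighboring SYNCHRONIZE row is being edited.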
@ -193,7 +193,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
| "AU" | Authenticated users | "LG" | Local guest |
| "BA" | Built-in administrators | "LS" | Local service account |
| "BG" | Built-in guests | "SY" | Local system |
| "BO" | Backup operators | "NU" | Network logon user |
| "BO" | Backup operators | "NU" | Network sign-in user |
|
||||
| "BU" | Built-in users | "NO" | Network configuration operators |
|
||||
| "CA" | Certificate server administrators | "NS" | Network service account |
|
||||
| "CG" | Creator group | "PO" | Printer operators |
|
||||
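Review bot: The "NU" row should keep its documented name. "Network logon user" is the defined meaning of the SDDL alias NU (SDDL_NETWORK), and the "logon" to "sign-in" style rule is meant for UI strings, not for the names of well-known SID aliases that readers look up against the SDDL reference. Suggest reverting to `| "BO" | Backup operators | "NU" | Network logon user |`, or at minimum adding the constant name, for example "Network logon user (SDDL_NETWORK)".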
@ -205,7 +205,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS.
|
||||
| "DU" | Domain users | "RC" | Restricted code |
|
||||
| "EA" | Enterprise administrators | "SA" | Schema administrators |
|
||||
| "ED" | Enterprise domain controllers | "SO" | Server operators |
|
||||
| "WD" | Everyone | "SU" | Service logon user |
|
||||
| "WD" | Everyone | "SU" | Service sign-in user |
|
||||
|
||||
- *G*: = Primary Group.
|
||||
- *D*: = DACL Entries.
|
||||
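Review bot: Same issue as the "NU" row above: "SU" is the SDDL alias for SDDL_SERVICE, documented as "Service logon user". Changing it to "Service sign-in user" makes the table disagree with the SDDL reference it is summarizing. Suggest keeping `| "WD" | Everyone | "SU" | Service logon user |`.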
@ -225,7 +225,7 @@ Example: D:(A;;FA;;;WD)
|
||||
|
||||
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
|
||||
|
||||
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
|
||||
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.
|
||||
|
||||
"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
|
||||
|
||||
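Review bot: The new line keeps a mid-sentence capital in `"AI" - SDDL_AUTO_INHERITED, Inheritance is allowed, assuming that "P" Isn't also set.`; since the contraction is being rewritten anyway, make it "isn't" (and "inheritance" lower-case after the comma). The unchanged context line two rows up still has a mismatched curly closing quote in `"P”`, which is worth fixing in the same pass.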
@ -251,7 +251,7 @@ Example: D:(A;;FA;;;WD)
|
||||
|
||||
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
|
||||
|
||||
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
|
||||
"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE.
|
||||
|
||||
"NP" - NO PROPAGATE: only immediate children inherit this ace.
|
||||
|
||||
@ -262,7 +262,7 @@ Example: D:(A;;FA;;;WD)
|
||||
"SA" - SUCCESSFUL ACCESS AUDIT
|
||||
|
||||
"FA" - FAILED ACCESS AUDIT
|
||||
- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
|
||||
- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
|
||||
|
||||
| Value | Description | Value | Description |
|
||||
|----------------------------|---------------------------------|----------------------|--------------------------|
|
||||
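Review bot: The rewritten "rights" bullet still describes FA, FX and FW as "a hexadecimal string", but those are SDDL rights aliases, not hex values; the field holds either a hexadecimal access mask or one of the aliases. Suggest "A hexadecimal access mask, or one of the SDDL rights aliases, for example: FA (File All Access), FX (File Execute), FW (File Write)". Note that "FA" also appears in the ACE-type list just above as FAILED ACCESS AUDIT; that is correct SDDL, but a reader will benefit from the alias wording making the two uses distinguishable.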
@ -284,7 +284,7 @@ Example: D:(A;;FA;;;WD)
|
||||
|
||||
- object\_guid: N/A
|
||||
- inherit\_object\_guid: N/A
|
||||
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
|
||||
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above.
|
||||
|
||||
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/library/cc230374.aspx>, <https://msdn.microsoft.com/library/windows/hardware/aa374892(v=vs.85).aspx>.
|
||||
|
||||
@ -294,9 +294,9 @@ For 5145(S, F): A network share object was checked to see whether client can be
|
||||
|
||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||
|
||||
- Monitor this event if the **Network Information\\Source Address** is not from your internal IP range.
|
||||
- Monitor this event if the **Network Information\\Source Address** isn't from your internal IP range.
|
||||
|
||||
- Monitor this event if the **Network Information\\Source Address** should not be able to connect with the specific computer (**Computer:**).
|
||||
- Monitor this event if the **Network Information\\Source Address** shouldn't be able to connect with the specific computer (**Computer:**).
|
||||
|
||||
- If you have critical files or folders on specific network shares, for which you need to monitor access attempts (Success and Failure), monitor for specific **Share Information\\Share Name** and **Share Information\\Relative Target Name**.
|
||||
|
||||
|
@ -17,9 +17,9 @@ ms.technology: windows-sec
|
||||
# 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
|
||||
|
||||
|
||||
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected.
|
||||
In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack starts or was detected.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
|
||||
|
||||
|
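Review bot: The rewritten sentence still mixes tenses: "It's designed to be generated when an ICMP DoS attack starts or was detected." Since the second line of the 5149 hunk below was corrected to "ends", align this one to "starts or is detected".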
@ -17,9 +17,9 @@ ms.technology: windows-sec
|
||||
# 5149(F): The DoS attack has subsided and normal processing is being resumed.
|
||||
|
||||
|
||||
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended.
|
||||
In most circumstances, this event occurs rarely. It's designed to be generated when an ICMP DoS attack ends.
|
||||
|
||||
There is no example of this event in this document.
|
||||
There's no example of this event in this document.
|
||||
|
||||
***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
|
||||
|
||||
|
@ -109,7 +109,7 @@ This event is generated for every received network packet.
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the packet.
|
||||
|
||||
@ -123,7 +123,7 @@ This event is generated for every received network packet.
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
|
||||
|
||||
@ -167,20 +167,20 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
|
||||
|
||||
- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
- Check that **Source Address** is one of the addresses assigned to the computer.
|
||||
|
||||
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
|
||||
- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
|
||||
|
||||
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
|
||||
|
||||
- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
|
||||
- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that aren't in the allowlist.
|
||||
|
||||
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
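Review bot: "If you've an allowlist of IP addresses" is not idiomatic; "you've" only works as an auxiliary ("you've seen"), not as the main verb "have". Keep "If you have an allowlist ..." on that bullet. The same replacement was made in the 5154, 5156 and 5157 recommendation lists in this commit and should be reverted there as well.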
@ -95,10 +95,10 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
- IPv6 Address
|
||||
|
||||
- :: - all IP addresses in IPv6 format
|
||||
|
||||
s
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
|
||||
|
||||
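Review bot: The stray line containing only `s` between the `::` bullet and the `0.0.0.0` bullet is leftover junk that renders as a literal "s" on the page. It is unchanged context here, but since this hunk already touches the list it is the right place to delete it.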
@ -112,7 +112,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
**Filter Information:**
|
||||
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you'll get value **0** in this field.
|
||||
|
||||
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
|
||||
|
||||
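Review bot: "won't prevent a port from being listened by an application" is ungrammatical and inverts the subject; the application listens on the port. Suggest "By default, Windows Firewall won't prevent an application from listening on a port, and if the application doesn't match any filter, this field contains 0." The unchanged `**netsh wfp show filters**` instruction below is fine.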
@ -128,7 +128,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
|
||||
|
||||
- If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
|
||||
- If you've an “allowlist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
|
||||
|
||||
- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
|
||||
|
||||
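Review bot: "If you've an “allowlist” of applications" has the same problem as the 5152 hunk: "you've" cannot stand in for the main verb "have". Keep "If you have an allowlist of applications ...", and the quotation marks around allowlist are no longer needed once it is written as one word.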
@ -138,7 +138,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
|
||||
|
||||
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
|
@ -17,7 +17,7 @@ ms.technology: windows-sec
|
||||
# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
|
||||
|
||||
|
||||
By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself.
|
||||
By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system won't generate Event 5155 by itself.
|
||||
|
||||
You can add your own filters using the WFP APIs to block listen to reproduce this event: <https://msdn.microsoft.com/library/aa364046(v=vs.85).aspx>.
|
||||
|
||||
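Review bot: The rewritten sentence keeps the typo "In the other word"; it should read "In other words, Windows won't generate event 5155 by itself." The first sentence has the same inverted phrasing noted on 5154 ("a port from being listened by an application") and should become "won't prevent an application from listening on a port".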
@ -72,7 +72,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
|
||||
|
||||
**Application Information**:
|
||||
|
||||
- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process which was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
|
||||
- **Process ID** \[Type = Pointer\]: Hexadecimal Process ID (PID) of the process that was permitted to bind to the local port. The PID is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
|
||||
|
||||
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
|
||||
|
||||
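Review bot: This hunk belongs to the 5155 page (the following hunks in the same file describe a filter that "blocks the application from binding to the port"), yet the Process ID line says the process "was permitted to bind to the local port". For a block event that is wrong and looks copied from 5158; while changing "which" to "that", also change it to "the process that was blocked from binding to the local port".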
@ -100,7 +100,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** The port number used by the application.
|
||||
|
||||
@ -126,7 +126,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
|
||||
|
||||
**Filter Information:**
|
||||
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you will get a 0 value in this field.
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: A unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding to an application, and if this application doesn’t match any filters, you'll get a 0 value in this field.
|
||||
|
||||
To find a specific Windows Filtering Platform filter by ID, you need to execute the following command: **netsh wfp show filters**. As a result of this command, a **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**), for example:
|
||||
|
||||
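Review bot: "Windows firewall won't prevent a port from binding to an application" is backwards; an application binds to a port. Suggest "won't prevent an application from binding to a port, and if the application doesn't match any filter, this field contains 0", which also avoids the odd "you'll get a 0 value".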
@ -134,7 +134,7 @@ This event generates every time the [Windows Filtering Platform](/windows/win32/
|
||||
|
||||
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](/windows/win32/fwp/application-layer-enforcement--ale-) layer name.
|
||||
|
||||
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
|
||||
- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, you need to execute the following command: **netsh wfp show state**. As a result of this command, a **wfpstate.xml** file will be generated. You need to open this file and find the specific substring with the required layer ID (**<layerId>**), for example:
|
||||
|
||||
<img src="images/wfpstate-xml.png" alt="Wfpstate xml illustration" width="1563" height="780" />
|
||||
|
||||
|
@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** port number from which the connection was initiated.
|
||||
|
||||
@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
|
||||
|
||||
@ -167,20 +167,20 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
|
||||
|
||||
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
- Check that “**Source Address”** is one of the addresses assigned to the computer.
|
||||
|
||||
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
|
||||
- If the computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
|
||||
|
||||
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
|
||||
|
||||
- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
|
||||
- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
|
||||
|
||||
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
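Review bot: As on the 5152 and 5154 pages, "If you've an allowlist of IP addresses" should stay "If you have an allowlist of IP addresses"; "you've" is only valid as an auxiliary verb.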
@ -109,7 +109,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** port number on which application received the connection.
|
||||
|
||||
@ -123,7 +123,7 @@ This event generates when [Windows Filtering Platform](/windows/win32/fwp/window
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
|
||||
|
||||
@ -167,20 +167,20 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
|
||||
|
||||
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
- Check that “**Source Address”** is one of the addresses assigned to the computer.
|
||||
|
||||
- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
|
||||
- If the\` computer or device shouldn't have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
|
||||
|
||||
- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
|
||||
|
||||
- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
|
||||
- If you've an allowlist of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that aren't in the allowlist.
|
||||
|
||||
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 1, 6, or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
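Review bot: The rewritten bullet carries over a stray escaped backtick in "If the\` computer or device shouldn't have access to the Internet"; it renders as a literal backslash and backtick after "the" and should be removed while this line is being edited. The "If you've an allowlist" bullet in the same hunk has the same "you've" problem as the other WFP pages and should stay "If you have".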
@ -90,7 +90,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
**Network Information:**
|
||||
|
||||
- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bind the port.
|
||||
- **Source Address** \[Type = UnicodeString\]**:** local IP address on which application was bound the port.
|
||||
|
||||
- IPv4 Address
|
||||
|
||||
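Review bot: "local IP address on which application was bound the port" is still ungrammatical after the change from "bind" to "bound". Suggest "local IP address to which the application bound the port". The unchanged "Source Port" line further down ("port number which application was bind") has the same defect and should be fixed in this pass as "port number that the application bound".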
@ -100,7 +100,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
|
||||
|
||||
@ -126,7 +126,7 @@ This event generates every time [Windows Filtering Platform](/windows/win32/fwp/
|
||||
|
||||
**Filter Information:**
|
||||
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you'll get value 0 in this field.
|
||||
|
||||
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
|
||||
|
||||
@ -144,7 +144,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
|
||||
|
||||
- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
|
||||
|
||||
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
|
||||
|
||||
- If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.”
|
||||
|
||||
@ -152,6 +152,6 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
|
||||
|
||||
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
|
||||
|
||||
- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
|
||||
- Monitor for all connections with a “**Protocol Number”** that isn't typical for this device or computer, for example, anything other than 6 or 17.
|
||||
|
||||
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
|
@ -98,7 +98,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
|
||||
|
||||
- 0.0.0.0 - all IP addresses in IPv4 format
|
||||
|
||||
- 127.0.0.1 , ::1 - localhost
|
||||
- 127.0.0.1, ::1 - localhost
|
||||
|
||||
- **Source Port** \[Type = UnicodeString\]**:** the port number used by the application.
|
||||
|
||||
@ -124,7 +124,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
|
||||
|
||||
**Filter Information:**
|
||||
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
|
||||
- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you'll get value 0 in this field.
|
||||
|
||||
To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
|
||||
|
||||
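Review bot: "won't prevent a port from binding by an application" inverts subject and object, as on the 5155 page; suggest "won't prevent an application from binding to a port, and if the application doesn't match any filter, this field contains 0".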
@ -138,4 +138,4 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -85,7 +85,7 @@ It typically generates when network adapter connects to new wireless network.
|
||||
|
||||
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made.
|
||||
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
|
||||
- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones:
|
||||
|
||||
- Domain NETBIOS name example: CONTOSO
|
||||
|
||||
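Review bot: The change from "include the following:" to "include the following ones:" makes the sentence worse; "the following:" is the correct way to introduce the bulleted list of formats that follows. Suggest reverting this line.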
@ -125,16 +125,16 @@ You can see interface’s GUID using the following commands:
|
||||
|
||||
- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: <https://msdn.microsoft.com/library/windows/desktop/dd877212(v=vs.85).aspx>, <https://technet.microsoft.com/library/cc727747(v=ws.10).aspx>.
|
||||
|
||||
- **Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document.
|
||||
- **Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document.
|
||||
|
||||
- **EAP Reason Code** \[Type = HexInt32\]**:** there is no information about this field in this document. See additional information here: <https://technet.microsoft.com/library/dd197570(v=ws.10).aspx>.
|
||||
- **EAP Reason Code** \[Type = HexInt32\]**:** there's no information about this field in this document. See additional information here: <https://technet.microsoft.com/library/dd197570(v=ws.10).aspx>.
|
||||
|
||||
- **EAP Root Cause String** \[Type = UnicodeString\]**:** there is no information about this field in this document.
|
||||
- **EAP Root Cause String** \[Type = UnicodeString\]**:** there's no information about this field in this document.
|
||||
|
||||
- **EAP Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document.
|
||||
- **EAP Error Code** \[Type = HexInt32\]**:** there's no information about this field in this document.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
For 5632(S, F): A request was made to authenticate to a wireless network.
|
||||
|
||||
- There is no recommendation for this event in this document.
|
||||
- There's no recommendation for this event in this document.
|
@ -25,7 +25,7 @@ ms.technology: windows-sec
|
||||
|
||||
This event generates every time settings from the “Security Settings” section in the group policy object are applied successfully to a computer, without any errors. This event generates on the target computer itself.
|
||||
|
||||
It is a routine event which shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
It's a routine event that shows you the list of Group Policy Objects that include “Security Settings” policies, and that were applied to the computer.
This event generates every time Group Policy is applied to the computer.
@ -82,7 +82,7 @@ You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet wi
For 6144(S): Security policy in the group policy objects has been applied successfully.
- If you have a pre-defined list of Group Policy Objects which contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and in case of any difference trigger an alert.
- If you have a pre-defined list of Group Policy Objects that contain Security Settings and must be applied to specific computers, then you can compare the list from this event with your list and if there's any difference, you must trigger an alert.
- This event is mostly an informational event.
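Review bot: the rewrite "if there's any difference, you must trigger an alert" turns an optional monitoring suggestion ("in case of any difference trigger an alert") into a requirement, which sits oddly next to the following bullet that calls 6144 "mostly an informational event"; keep it conditional, for example "and trigger an alert if there's any difference".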
@ -25,7 +25,7 @@ ms.technology: windows-sec
This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself.
This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name.
This event generates, for example, if the [SID](/windows/win32/secauthz/security-identifiers) of a security principal which was included in one of the Group Policy settings can't be resolved or translated to the real account name.
> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
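Review bot: "the [SID] of a security principal which was included in one of the Group Policy settings" keeps "which" in a restrictive clause even though this commit changes "which" to "that" in the same construction elsewhere (for example "Group Policy Objects that were applied"); change it to "that was included" here for consistency.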
@ -66,7 +66,7 @@ This event generates, for example, if the [SID](/windows/win32/secauthz/security
***Field Descriptions:***
**Error Code** \[Type = UInt32\]: specific error code which shows the error which happened during Group Policy processing. You can find the meaning of specific error code here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>. For example, error code 1332 means that “no mapping between account names and security IDs was done”.
**Error Code** \[Type = UInt32\]: specific error code that shows the error that happened during Group Policy processing. You can find the meaning of specific error code here: <https://msdn.microsoft.com/library/windows/desktop/ms681381(v=vs.85).aspx>. For example, error code 1332 means that “no mapping between account names and security IDs was done”.
**GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied with errors to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”.
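Review bot: "You can find the meaning of specific error code here" is missing an article and should read "the meaning of a specific error code"; the sentence is already being touched for the which/that change, so fix it in the same pass.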
@ -80,7 +80,7 @@ You can find specific GROUP\_POLICY\_GUID using **Get-GPO** PowerShell cmdlet wi
For 6145(F): One or more errors occurred while processing security policy in the group policy objects.
- This event indicates that Group Policy Objects which were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
- This event indicates that Group Policy Objects that were applied to the computer or device had some errors during processing. If you see this event, we recommend checking settings in the GPOs from **GPO List** and resolving the cause of the errors.
- If you have a pre-defined list of Group Policy Objects that contain Security Settings and that must be applied to specific computers, check this event to see if errors occurred when the Security Settings were applied. If so, you can review the error codes and investigate the cause of the failure.
@ -1,6 +1,6 @@
---
title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10)
description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid.
title: 6281(F) Code Integrity determined that the page hashes of an image file aren't valid. (Windows 10)
description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file aren't valid.
ms.pagetype: security
ms.prod: m365-security
ms.mktglfcycl: deploy
@ -14,16 +14,16 @@ ms.author: dansimp
ms.technology: windows-sec
---
# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
# 6281(F): Code Integrity determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
This event generates when [code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) determined that the page hashes of an image file aren't valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
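Review bot: "This event generates when [code Integrity](...) determined that the page hashes..." keeps a lowercase "code" in the link text while the paragraph just above uses "[Code Integrity](...)" for the same target, and "This event also generates when signing certificate was revoked" is missing an article ("when the signing certificate was revoked"); both sentences are already modified in this hunk, so fix them together.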
@ -19,7 +19,7 @@ ms.technology: windows-sec
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
@ -35,4 +35,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.
- There's no recommendation for this event in this document.
@ -19,7 +19,7 @@ ms.technology: windows-sec
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
@ -37,4 +37,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.
- There's no recommendation for this event in this document.
@ -1,6 +1,6 @@
---
title: 6407(-) 1%. (Windows 10)
description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document.
description: Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document.
ms.pagetype: security
ms.prod: m365-security
ms.mktglfcycl: deploy
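Review bot: the new description "Describes security event 6407(-) 1%. This event is a BranchCache event, which is outside the scope of this document." now repeats "event" three times in a row; the bare "This" was the thing being removed, so "It's a BranchCache event, which is outside the scope of this document." keeps the fix without the repetition.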
@ -19,7 +19,7 @@ ms.technology: windows-sec
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit Other System Events](audit-other-system-events.md)
@ -35,4 +35,4 @@ There is no example of this event in this document.
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.
- There's no recommendation for this event in this document.
@ -1,6 +1,6 @@
---
title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10)
description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process.
title: 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process. (Windows 10)
description: Describes security event 6410(F) Code integrity determined that a file doesn't meet the security requirements to load into a process.
ms.pagetype: security
ms.prod: m365-security
ms.mktglfcycl: deploy
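Review bot: the front-matter title and description are changed to "doesn't meet", but the H1 shown as context in the following hunk ("# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.") still says "does not meet"; either update the H1 in the same change or leave the title as it was so the page title and heading match (the 6281 change in this commit updates both).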
@ -17,11 +17,11 @@ ms.technology: windows-sec
# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
This event generates due to writable [shared sections](/previous-versions/windows/desktop/cc307397(v=msdn.10)) being present in a file image.
There is no example of this event in this document.
There's no example of this event in this document.
***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
@ -23,9 +23,9 @@ ms.technology: windows-sec
This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type.
If you select the **Configure security** check box on the policy’s property page, you can add a user or group to the global SACL. This user/group addition enables you to define computer system access control lists (SACLs) per object type for the file system. The specified SACL is then automatically applied to every file system object type.
If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This SACL (of such a constitution) means that an audit event is generated if an activity matches either the file or folder SACL or the global SACL.
This policy setting must be used in combination with the **File System** security policy setting under Object Access. For more information, see [Audit File System](audit-file-system.md).
## Related topics
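Review bot: "This SACL (of such a constitution) means that an audit event is generated..." is harder to read than the sentence it replaces; if the intent is to remove the bare "This", write "Because the two SACLs are combined, an audit event is generated if an activity matches either the file or folder SACL or the global SACL." The same applies to "This user/group addition enables you to define...", which reads more naturally as "Adding the user or group enables you to define...".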
@ -23,7 +23,7 @@ ms.technology: windows-sec
This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They are stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
Central access policies and rules determine access permissions for files on multiple file servers, so it's important to monitor changes to them. Like user claim and device claim definitions, central access policy and rule definitions reside in Active Directory Domain Services (AD DS). You can monitor them just like any other object in Active Directory. These policies and rules are critical elements in a Dynamic Access Control deployment. They're stored in AD DS, so they're less likely to be tampered with than other network objects. But it's important to monitor them for potential changes in security auditing and to verify that policies are being enforced.
Follow the procedures in this article to configure settings to monitor changes to central access policy and central access rule definitions and to verify the changes. These procedures assume that you've configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (demonstration steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
@ -1,6 +1,6 @@
---
title: Monitor claim types (Windows 10)
description: Learn how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
description: Learn how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
ms.assetid: 426084da-4eef-44af-aeec-e7ab4d4e2439
ms.reviewer:
ms.author: dansimp
@ -21,11 +21,11 @@ ms.technology: windows-sec
# Monitor claim types
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you're using advanced security auditing options.
Claim types are one of the basic building blocks of Dynamic Access Control. Claim types can include attributes such as the departments in an organization or the levels of security clearance that apply to classes of users. You can use security auditing to track whether claims are added, modified, enabled, disabled, or deleted.
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic
Use the following procedures to configure settings to monitor changes to claim types in AD DS. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic
Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
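Review bot: the edited sentence "If you haven't yet deployed Dynamic" still breaks mid-sentence onto the next source line ("Access Control in your network, see ..."), which is the only paragraph in this page split across two lines; since the line is being rewritten anyway, join the two lines so "Dynamic Access Control" is not split and the paragraph matches the one-line-per-paragraph layout of the surrounding text.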
@ -36,7 +36,7 @@ Access Control in your network, see [Deploy a Central Access Policy (Demonstrati
2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
3. In the console tree, right-click the default domain controller Group Policy Object, and then click **Edit**.
4. Double-click **Computer Configuration**, click **Security Settings**, expand **Advanced Audit Policy Configuration**, expand **System Audit Policies**, click **DS Access**, and then double-click **Audit directory service changes**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (andthe **Failure** check box, if desired), and then click **OK**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
After you configure settings to monitor changes to claim types in AD DS, verify that the changes are being monitored.
@ -1,6 +1,6 @@
---
title: Monitor resource attribute definitions (Windows 10)
description: Learn how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
description: Learn how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
ms.assetid: aace34b0-123a-4b83-9e09-f269220e79de
ms.reviewer:
ms.author: dansimp
@ -21,12 +21,12 @@ ms.technology: windows-sec
# Monitor resource attribute definitions
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you're using advanced security auditing options to monitor dynamic access control objects.
Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
For information about monitoring changes to the resource attributes that apply to files, see [Monitor the resource attributes on files and folders](monitor-the-resource-attributes-on-files-and-folders.md).
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
Use the following procedures to configure settings to monitor changes to resource attribute definitions in AD DS and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-).
>**Note:** Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
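Review bot: the rewritten sentence contracts "have not" to "haven't" but leaves "These procedures assume that you have configured and deployed" uncontracted a few words earlier, so the two halves of the same sentence now follow different styles; either contract both ("you've configured") or neither. The central access policy hunk earlier in this commit already uses "you've configured", which is the form to match.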
@ -1,9 +1,7 @@
---
title: Windows Defender Application Control and virtualization-based code integrity (Windows 10)
title: Windows Defender Application Control and virtualization-based code integrity
description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
@ -28,12 +26,12 @@ Using Windows Defender Application Control to restrict devices to only authorize
1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows.
3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization’s digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization's digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy.
4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution.
## Why we no longer use the Device Guard brand
When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. This misled many people to assume that if systems couldn't use HVCI, they couldn’t use WDAC either.
When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. This misled many people to assume that if systems couldn't use HVCI, they couldn't use WDAC either.
WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion.
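Review bot: item 3 is only changed from curly to straight quotes, but it still contains "To change signed policy requires both administrative privilege..." and "This makes it difficult for an attacker...", and item 4 still contains "This is important because...", the bare-"This" pattern this commit replaces elsewhere (for example "This event is a BranchCache event"); suggest "Changing a signed policy requires both...", "Signing the policy makes it difficult for an attacker...", and "That protection is important because an attacker that compromises the kernel..." while the list is being touched.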
@ -43,6 +41,5 @@ We hope this change will help us better communicate options for adopting applica
## Related articles
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
- [Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
- [Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
- [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)
- [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10))
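Review bot: the `blogs.msdn.microsoft.com` link is replaced with its `techcommunity.microsoft.com` equivalent and the link text corrected to "Device Guard" to match the new slug, but the `channel9.msdn.com` link on the line above sits on the same legacy `msdn.com` domain family and is left as is; verify it still resolves and, if it has moved, update it in the same change rather than in a follow-up.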
@ -1,6 +1,6 @@
---
title: Get support
description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization.
description: Frequently asked questions about how to get support for Windows baselines and the Security Compliance Toolkit (SCT).
ms.prod: m365-security
ms.localizationpriority: medium
ms.author: dansimp
@ -15,87 +15,69 @@ ms.technology: windows-sec
# Get Support for Windows baselines
**What is the Microsoft Security Compliance Manager (SCM)?**
## Frequently asked questions
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
### What is the Microsoft Security Compliance Manager (SCM)?
More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy.
**Where can I get an older version of a Windows baseline?**
For more information, see [Security Compliance Manager (SCM) retired; new tools and procedures](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures).
Any version of Windows baseline before Windows 10 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. See the version matrix in this article to see if your version of Windows baseline is available on SCT.
### Where can I get an older version of a Windows baseline?
- [SCM 4.0 Download](/previous-versions/tn-archive/cc936627(v=technet.10))
- [SCM Frequently Asked Questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM Release Notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
Any version of Windows baseline before Windows 10 version 1703 can still be downloaded using SCM. Any future versions of Windows baseline will be available through SCT. To see if your version of Windows baseline is available on SCT, see the [Version matrix](#version-matrix).
**What file formats are supported by the new SCT?**
- [SCM 4.0 download](https://www.microsoft.com/download/details.aspx?id=53353)
- [SCM frequently asked questions (FAQ)](https://social.technet.microsoft.com/wiki/contents/articles/1836.microsoft-security-compliance-manager-scm-frequently-asked-questions-faq.aspx)
- [SCM release notes](https://social.technet.microsoft.com/wiki/contents/articles/1864.microsoft-security-compliance-manager-scm-release-notes.aspx)
- [SCM baseline download help](https://social.technet.microsoft.com/wiki/contents/articles/1865.microsoft-security-compliance-manager-scm-baseline-download-help.aspx)
|
||||
|
||||
The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported.
|
||||
### What file formats are supported by the new SCT?
|
||||
|
||||
**Does SCT support Desired State Configuration (DSC) file format?**
|
||||
The toolkit supports formats created by the Windows GPO backup feature (`.pol`, `.inf`, and `.csv`). Policy Analyzer saves its data in XML files with a `.PolicyRules` file extension. A local group policy object (LGPO) also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. The `.cab` files from SCM are no longer supported.
|
||||
|
||||
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
|
||||
### Does SCT support the Desired State Configuration (DSC) file format?
|
||||
|
||||
**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?**
|
||||
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features.
|
||||
|
||||
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
|
||||
### Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?
|
||||
|
||||
**Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?**
|
||||
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). A tool that supports conversion of GPO backups to DSC format is the [BaselineManagement module](https://github.com/Microsoft/BaselineManagement).
|
||||
|
||||
No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support.
|
||||
### Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?
|
||||
|
||||
<br />
|
||||
No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit also doesn't include SCAP support.
|
||||
|
||||
## Version Matrix
|
||||
## Version matrix
|
||||
|
||||
**Client Versions**
|
||||
### Client versions
|
||||
|
||||
| Name | Build | Baseline Release Date | Security Tools |
|
||||
| Name | Build | Baseline release date | Security tools |
|
||||
|---|---|---|---|
|
||||
|Windows 10 | [1709 (RS3)](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) <p> [1703 (RS2)](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) <p>[1607 (RS1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <p>[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) <p>[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
Windows 8 |[9200](/previous-versions/tn-archive/jj916413(v=technet.10)) |October 2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
|
||||
Windows 7 |[7601 (SP1)](/previous-versions/tn-archive/ee712767(v=technet.10))| October 2009| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Vista |[6002 (SP2)](/previous-versions/tn-archive/dd450978(v=technet.10))| January 2007| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Windows XP |[2600 (SP3)](/previous-versions/tn-archive/cc163061(v=technet.10))| October 2001| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
|
||||
| Windows 10 | [Version 1709](/archive/blogs/secguide/security-baseline-for-windows-10-fall-creators-update-v1709-draft) <p> [Version 1703](/archive/blogs/secguide/security-baseline-for-windows-10-creators-update-v1703-final) <p>[Version 1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <p>[1511 (TH2)](/archive/blogs/secguide/security-baseline-for-windows-10-v1511-threshold-2-final) <p>[1507 (TH1)](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
| Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|
||||
|
||||
<br />
|
||||
### Server versions
|
||||
|
||||
**Server Versions**
|
||||
|
||||
| Name | Build | Baseline Release Date | Security Tools |
|
||||
| Name | Build | Baseline release date | Security tools |
|
||||
|---|---|---|---|
|
||||
|Windows Server 2016 | [SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) |October 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
|Windows Server 2012 R2|[SecGuide](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)|August 2014 | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319)|
|
||||
|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
Windows Server 2008 R2 |[SP1](/previous-versions/tn-archive/gg236605(v=technet.10))|2009 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Windows Server 2008 |[SP2](/previous-versions/tn-archive/cc514539(v=technet.10))| 2008 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
|Windows Server 2003 R2|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))| 2003 | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
|
||||
|Windows Server 2003|[Technet](/previous-versions/tn-archive/cc163140(v=technet.10))|2003|[SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10))|
|
||||
|Windows Server 2012|[Technet](/previous-versions/tn-archive/jj898542(v=technet.10)) |2012| [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|
||||
|
||||
<br />
|
||||
### Microsoft products
|
||||
|
||||
**Microsoft Products**
|
||||
|
||||
|
||||
| Name | Details | Security Tools |
|
||||
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
|
||||
| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
| Internet Explorer 10 | [Technet](/previous-versions/tn-archive/jj898540(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Internet Explorer 9 | [Technet](/previous-versions/tn-archive/hh539027(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Internet Explorer 8 | [Technet](/previous-versions/tn-archive/ee712766(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
|
||||
<br />
|
||||
| Name | Details | Security tools |
|
||||
|--|--|--|
|
||||
| Internet Explorer 11 | [SecGuide](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
| Exchange Server 2010 | [Technet](/previous-versions/tn-archive/hh913521(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|
||||
| Exchange Server 2007 | [Technet](/previous-versions/tn-archive/hh913520(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|
||||
| Microsoft Office 2010 | [Technet](/previous-versions/tn-archive/gg288965(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|
||||
| Microsoft Office 2007 SP2 | [Technet](/previous-versions/tn-archive/cc500475(v=technet.10)) | [SCM 4.0](https://www.microsoft.com/download/details.aspx?id=53353) |
|
||||
|
||||
> [!NOTE]
|
||||
> Browser baselines are built-in to new OS versions starting with Windows 10
|
||||
> Browser baselines are built-in to new OS versions starting with Windows 10.
|
||||
|
||||
## See also
|
||||
|
||||
[Windows security baselines](windows-security-baselines.md)
|
||||
[Windows security baselines](windows-security-baselines.md)
|
||||
|
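Review bot: The expansion of LGPO in the new file-formats answer ("A local group policy object (LGPO) also supports its own LGPO text file format") attributes the text format to a policy object rather than to the LGPO tool that ships in the toolkit; the old wording ("LGPO also supports its own LGPO text file format") was correct, so suggest "The LGPO tool also supports its own text file format as a text-based analog for the binary registry.pol format." The version matrix is also left inconsistent: the Windows 8.1 and Windows Server 2012 rows now link SCM 4.0 to the download center page (id=53353) while the Windows 8, Windows 7, Vista, Windows XP and Windows Server 2008 R2/2008/2003 rows and the Microsoft products table still point to the archived technet page; the Windows 10 row mixes "Version 1709" with "1511 (TH2)" and "1507 (TH1)"; and the Microsoft products table drops the Internet Explorer 10, 9 and 8 rows even though the note below only explains that browser baselines are built in starting with Windows 10, which leaves readers of those older browsers with no pointer to their baselines.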
@ -169,9 +169,9 @@ sections:
|
||||
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
|
||||
|
||||
- question: |
|
||||
How can I disable portions of ICS without breaking Application Guard?
|
||||
How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
|
||||
answer: |
|
||||
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
|
||||
ICS is enabled by default in Windows, and ICS must be enabled for Application Guard to function correctly. We do not recommend disabling ICS, this will stop Application Guard from working; however, you can disable ICS in part by using a Group Policy and editing registry keys.
|
||||
|
||||
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
|
||||
|
||||
|
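Review bot: The expanded question "How can I disable portions of Internet Connection Service (ICS)" misexpands the acronym; step 10 in the same hunk names the service as "Internet Connection Sharing (ICS) Shared Access", so the question should read "Internet Connection Sharing (ICS)". The new answer also introduces a comma splice ("We do not recommend disabling ICS, this will stop Application Guard from working; however, ..."); suggest "We don't recommend disabling ICS because doing so stops Application Guard from working; however, you can disable ICS in part by using a Group Policy and editing registry keys."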
@ -1,13 +1,9 @@
|
||||
---
|
||||
title: Microsoft Defender SmartScreen overview (Windows)
|
||||
title: Microsoft Defender SmartScreen overview
|
||||
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: mjcaparas
|
||||
ms.author: macapara
|
||||
audience: ITPro
|
||||
ms.localizationpriority: high
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
@ -19,7 +15,7 @@ adobe-target: true
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
- Windows 11
|
||||
- Microsoft Edge
|
||||
|
||||
@ -41,15 +37,15 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
|
||||
|
||||
Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are:
|
||||
|
||||
- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
|
||||
- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/).
|
||||
|
||||
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
|
||||
- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user.
|
||||
|
||||
- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
|
||||
|
||||
- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
|
||||
|
||||
- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
|
||||
- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
|
||||
|
||||
- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
|
||||
|
||||
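Review bot: Two errors in the unchanged context of this hunk should be fixed while the neighbouring bullets are being edited: the lead sentence "Microsoft Defender SmartScreen provide an early warning system" needs "provides", and the Operating system integration bullet is ungrammatical ("It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run."); suggest "It checks any file that an app, including third-party browsers and email clients, attempts to download and run." In the first bullet, replacing "click" with "select" slightly weakens the drive-by description, whose point is that no user interaction at all is required; "doesn't click, select, or download anything on the page" keeps that meaning.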
@ -58,7 +54,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites
|
||||
|
||||
## Submit files to Microsoft Defender SmartScreen for review
|
||||
|
||||
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](../intelligence/submission-guide.md).
|
||||
If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](/microsoft-365/security/intelligence/submission-guide).
|
||||
|
||||
When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
|
||||
|
||||
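Review bot: The context line "When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu." reads as if the product itself were being submitted; while the link on the line above is being updated, suggest "When submitting a file for Microsoft Defender SmartScreen review, select **Microsoft Defender SmartScreen** from the product menu."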
@ -72,6 +68,7 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M
|
||||
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)).
|
||||
|
||||
## Viewing Windows event logs for Microsoft Defender SmartScreen
|
||||
|
||||
Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer.
|
||||
|
||||
Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it:
|
||||
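Review bot: The new heading "## Viewing Windows event logs for Microsoft Defender SmartScreen" is the only gerund heading in this file (compare "## Submit files to Microsoft Defender SmartScreen for review"); suggest "## View Windows event logs for Microsoft Defender SmartScreen". The sentence that follows it is a comma splice and should be split: "The Windows event log for SmartScreen is disabled by default. Users can enable it from the Event Viewer UI or from the command line:".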
@ -83,15 +80,14 @@ wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
|
||||
> [!NOTE]
|
||||
> For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1).
|
||||
|
||||
|
||||
| EventID | Description |
|
||||
|---|---|
|
||||
| 1000 | Application Windows Defender SmartScreen Event |
|
||||
| 1001 | Uri Windows Defender SmartScreen Event |
|
||||
| 1002 | User Decision Windows Defender SmartScreen Event |
|
||||
|
||||
## Related topics
|
||||
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
|
||||
- [Threat protection](../index.md)
|
||||
- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
|
||||
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference)
|
||||
## Related articles
|
||||
|
||||
- [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
|
||||
- [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
|
||||
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
|
||||
|
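Review bot: The related-articles link to the available-settings page changes from the absolute path ending in windows-defender-smartscreen-available-settings to the relative file microsoft-defender-smartscreen-available-settings.md, the same target the management bullet above already uses; if the page was renamed, confirm a redirect entry for the old windows-defender-smartscreen-available-settings URL exists so external links don't break. The "Threat protection" link to ../index.md is dropped without a replacement; if that was intentional, fine, otherwise point it at the new landing page.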
@ -58,7 +58,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta
|
||||
| **Credential Guard**<br> helps keep attackers<br>from gaining access through<br>Pass-the-Hash or<br>Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.<br>Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) |
|
||||
| **Enterprise certificate pinning**<br> helps prevent <br>man-in-the-middle attacks<br>that use PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf. <br><br>**More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) |
|
||||
| **Device Guard**<br> helps keep a device<br>from running malware or<br>other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.<br>Device Guard is included in Windows 10 Enterprise and Windows Server 2016.<br><br>**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) |
|
||||
| **Microsoft Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved to a considerable extent since it was introduced in Windows 8.<br><br>**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
|
||||
| **Microsoft Defender Antivirus**,<br>which helps keep devices<br>free of viruses and other<br>malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved significantly since it was introduced in Windows 8.<br><br>**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic |
|
||||
| **Blocking of untrusted fonts**<br> helps prevent fonts<br>from being used in<br>elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).<br><br>**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) |
|
||||
| **Memory protections**<br> help prevent malware<br>from using memory manipulation<br>techniques such as buffer<br>overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:<br>A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.<br><br>**More information**: [Table 2](#table-2), later in this topic |
|
||||
| **UEFI Secure Boot**<br> helps protect<br>the platform from<br>boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.<br><br>**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot)</a> |
|
||||
|
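Review bot: Two markup defects remain in the context rows of this table and should be fixed while the Microsoft Defender Antivirus row is being reworded: the Memory protections row opens a parenthesis at "(for example, malware that attempts to use buffer overruns ..." that is never closed before "Note:", and the UEFI Secure Boot row ends with a stray closing anchor tag (</a>) that has no opening tag.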
@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account.
|
||||
This policy setting determines whether server operators can use the **at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that account is the Local System account.
|
||||
|
||||
>**Note:** This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool.
|
||||
|
||||
|
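Review bot: The note directly below the edited sentence still uses the legacy ">**Note:**" form while other pages touched by this commit use the "> [!NOTE]" alert syntax (see the message text policy page later in the diff); suggest converting it to "> [!NOTE]" for consistency while this paragraph is being edited.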
@ -22,7 +22,7 @@ ms.technology: windows-sec
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting.
|
||||
|
||||
@ -30,13 +30,10 @@ Describes the best practices, location, values, management, and security conside
|
||||
|
||||
The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related.
|
||||
|
||||
**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on.
|
||||
- **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on.
|
||||
- **Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message.
|
||||
|
||||
**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons — for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
|
||||
|
||||
Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
|
||||
|
||||
When these policy settings are configured, users will see a dialog box before they can log on to the server console.
|
||||
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can log on to the server console.
|
||||
|
||||
### Possible values
|
||||
|
||||
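Review bot: In the merged paragraph "This text is often used for legal reasons, for example, to warn users ..." the pronoun now directly follows the bullet about the message title, so "This text" is ambiguous between the title and the message text; suggest "The message text is often used for legal reasons; for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited." The conversion of the two descriptions into bullets otherwise reads well.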
@ -47,12 +44,15 @@ The possible values for this setting are:
|
||||
|
||||
### Best practices
|
||||
|
||||
- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following:
|
||||
It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following:
|
||||
|
||||
1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.
|
||||
2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information.
|
||||
> [!IMPORTANT]
|
||||
> Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments.
|
||||
```text
|
||||
1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.
|
||||
2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information.
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments.
|
||||
|
||||
### Location
|
||||
|
||||
|
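Review bot: Demoting the legal-approval callout from [!IMPORTANT] to [!NOTE] lowers the visibility of advice with legal consequences ("should be approved by representatives from your organization's legal and human resources departments"); keep [!IMPORTANT]. Moving the sample banners into a text code fence also renders the leading "1." and "2." as part of the literal banner text, which suggests those numbers belong in the message; either keep the samples as a numbered list or drop the numbers inside the fence.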
@ -21,7 +21,8 @@ ms.technology: windows-sec
|
||||
# Interactive logon: Message title for users attempting to log on
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting.
|
||||
|
||||
@ -29,28 +30,24 @@ Describes the best practices, location, values, policy management and security c
|
||||
|
||||
This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited.
|
||||
|
||||
The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on.
|
||||
|
||||
Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers.
|
||||
|
||||
When these policy settings are configured, users will see a dialog box before they can log on to the server console.
|
||||
The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. When these policy settings are configured, users will see a dialog box before they can log on to the server console.
### Possible values
- *User-defined title*
- Not defined
- *User-defined title*
- Not defined
### Best practices
1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following:
1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following:
- RESTRICTED SYSTEM
- RESTRICTED SYSTEM
or
or
- WARNING: This system is restricted to authorized users.
- WARNING: This system is restricted to authorized users.
2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title.
2. Set the policy [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) to reinforce the meaning of the message’s title.
### Location
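Review bot: the merged paragraph drops the legal-precedent rationale (the "legally vulnerable to trespassers" sentence) without replacing it, yet the Security considerations section further down still justifies the setting on legal grounds ("Many organizations use this text for legal purposes"); either keep a one-line rationale here or make the two sections consistent. The hunk also touches the Best practices item but leaves the typo "a value similar to one the following" ("one of the following"), and the context sentence "the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**" should name the message text, since a title bar cannot contain the title setting itself. The Possible values and Best practices lines appear identical on both sides, so those parts are whitespace-only changes.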
@ -62,13 +59,13 @@ The following table lists the actual and effective default values for this polic
|Server type or GPO | Default value|
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined|
| DC Effective Default Settings | Not defined|
| Member Server Effective Default Settings | Not defined|
| Client Computer Effective Default Settings | Not defined|
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | Not defined|
| DC Effective Default Settings | Not defined|
| Member Server Effective Default Settings | Not defined|
| Client Computer Effective Default Settings | Not defined|
## Policy management
This section describes features and tools that are available to help you manage this policy.
@ -83,8 +80,8 @@ This section describes how an attacker might exploit a feature or its configurat
There are two policy settings that relate to logon displays:
- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
- **Interactive logon: Message title for users attempting to log on**
- [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md)
- **Interactive logon: Message title for users attempting to log on**
The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited.
@ -96,8 +93,9 @@ Users often do not understand the importance of security practices. However, the
Configure the [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) and **Interactive logon: Message title for users attempting to log on** settings to an appropriate value for your organization.
>**Note:** Any warning message that displays should be approved by your organization's legal and human resources representatives.
> [!NOTE]
> Any warning message that displays should be approved by your organization's legal and human resources representatives.
### Potential impact
Users see a message in a dialog box before they can log on to the server console.
@ -1,6 +1,6 @@
---
title: Microsoft network server Disconnect clients when logon hours expire (Windows 10)
description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when logon hours expire.
title: Microsoft network server Disconnect clients when sign-in hours expire (Windows 10)
description: Best practices, location, values, and security considerations for the policy setting, Microsoft network server Disconnect clients when sign-in hours expire.
ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af
ms.reviewer:
ms.author: dansimp
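Review bot: the title and description are renamed to "sign-in hours", but the setting itself is still named "Disconnect clients when logon hours expire" (the bold policy reference in the Countermeasure hunk of this same file keeps that wording), so the page title no longer matches the string administrators see in the policy editor and search for. Keep the literal policy name in the title, H1 and bold references, and apply the "sign-in" wording only to the explanatory prose.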
@ -18,7 +18,7 @@ ms.date: 04/19/2017
ms.technology: windows-sec
---
# Microsoft network server: Disconnect clients when logon hours expire
# Microsoft network server: Disconnect clients when sign-in hours expire
**Applies to**
- Windows 10
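Review bot: ms.date in the hunk header context still reads 04/19/2017 although the H1 and the body wording change in this commit; bump the date with the rename. The renamed H1 also diverges from the literal policy name "Disconnect clients when logon hours expire" that the Countermeasure section of this file still uses in bold, so within one page the setting is now called two different things.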
@ -27,17 +27,17 @@ Describes the best practices, location, values, and security considerations for
## Reference
This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's logon hours expire.
This policy setting enables or disables the forced disconnection of users who are connected to the local device outside their user account's valid sign-in hours. It affects the SMB component. If you enable this policy setting, client computer sessions with the SMB service are forcibly disconnected when the client's sign-in hours expire. If you disable this policy setting, established client device sessions are maintained after the client device's sign-in hours expire.
### Possible values
- Enabled
Client device sessions with the SMB service are forcibly disconnected when the client device's logon hours expire. If logon hours are not used in your organization, enabling this policy setting will have no impact.
Client device sessions with the SMB service are forcibly disconnected when the client device's sign-in hours expire. If sign-in hours aren't used in your organization, enabling this policy setting will have no impact.
- Disabled
The system maintains an established client device session after the client device's logon hours have expired.
The system maintains an established client device session after the client device's sign-in hours have expired.
- Not defined
@ -68,11 +68,11 @@ This section describes features and tools that are available to help you manage
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
## Security considerations
@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
If your organization configures logon hours for users, it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours can continue to use those resources with sessions that were established during allowed hours.
If your organization configures sign-in hours for users, it makes sense to enable this policy setting. Otherwise, users who shouldn't have access to network resources outside of their sign-in hours can continue to use those resources with sessions that were established during allowed hours.
### Countermeasure
@ -88,7 +88,7 @@ Enable the **Microsoft network server: Disconnect clients when logon hours expir
### Potential impact
If logon hours are not used in your organization, this policy setting has no impact. If logon hours are used, existing user sessions are forcibly terminated when their logon hours expire.
If sign-in hours aren't used in your organization, this policy setting has no impact. If sign-in hours are used, existing user sessions are forcibly terminated when their sign-in hours expire.
## Related topics
@ -37,15 +37,15 @@ The options for validation levels are:
- **Off**
The SPN from a SMB client is not required or validated by the SMB server.
The SPN from an SMB client isn't required or validated by the SMB server.
- **Accept if provided by client**
The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s. If the SPN does not match, the session request for that SMB client will be denied.
The SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPNs. If the SPN doesn't match, the session request for that SMB client will be denied.
- **Required from client**
The SMB client must send a SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided does not match, the session is denied.
The SMB client must send an SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client device, or the SPN provided doesn't match, the session is denied.
The default setting is Off.
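Review bot: "SPN name" in the Required from client bullet is redundant, since SPN already expands to service principal name; with the article fix in this hunk it should read "The SMB client must send an SPN in session setup, and the SPN provided must match the SMB server that is being requested to establish a connection." The article fix "an SMB" in the Off bullet is correct.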
@ -78,7 +78,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Policy conflict considerations
@ -86,7 +86,7 @@ None.
### Group Policy
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
## Security considerations
@ -35,14 +35,14 @@ The **Minimum password age** policy setting determines the period of time (in da
[Windows security baselines](../windows-security-baselines.md) recommend setting **Minimum password age** to one day.
Setting the number of days to 0 allows immediate password changes. This setting is not recommended.
Setting the number of days to 0 allows immediate password changes. This setting isn't recommended.
Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again.
For example, suppose a password is "Ra1ny day!" and the history requirement is 24.
If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!".
The minimum password age of 1 day prevents that.
If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box.
Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**.
Otherwise, the user won't be able to change the password until the number of days specified by **Minimum password age**.
### Location
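Review bot: the two password-reuse examples in this file count differently. The context here says that with a history of 24 the password "can be changed 24 times in a row until finally changed back", while the Vulnerability section says that with a history of 12 users could change their password 13 times and reuse the original. With Enforce password history set to N, the original becomes reusable on change N+1, which matches the 13-for-12 example; the 24 example should say 25 changes (or "24 times and then back to the original") so the two agree.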
@ -67,7 +67,7 @@ This section describes features, tools, and guidance to help you manage this pol
### Restart requirement
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
## Security considerations
@ -75,17 +75,17 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach.
Users may have favorite passwords that they like to use because they're easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach.
To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. Configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective.
To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users can't reuse any of their last 12 passwords, but you don't configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. Configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective.
### Countermeasure
Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend.
Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we don't recommend.
### Potential impact
If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day.
If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user can't change the password until the next day.
## Related topics
@ -38,9 +38,9 @@ The **Minimum password length** policy setting determines the least number of ch
Set Minimum password length to at least a value of 14. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md).
Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls.
Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls.
In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember.
In addition, requiring long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember.
### Location
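Review bot: dropping "very" and "extremely" changes the meaning of both sentences rather than only the style: "Requiring long passwords can result in mistyped passwords" and "requiring long passwords can actually decrease the security of an organization" now argue against the recommendation in the same section to set Minimum password length to at least 14, and against the passphrase advice that follows. Keep a qualifier ("very long", or a concrete threshold) so the caveat still reads as an upper bound. The context line also contradicts itself ("at least a value of 14" versus "an eight-character password is recommended"); that predates this change but is worth fixing while the paragraph is being edited.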
@ -86,7 +86,7 @@ In most environments, we recommend an eight-character password because it's long
### Potential impact
Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords because of password length requirements, consider teaching your users about passphrases, which are often easier to remember and, because of the larger number of character combinations, much harder to discover.
Requirements for long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords because of password length requirements, consider teaching your users about passphrases, which are often easier to remember and, because of the larger number of character combinations, much harder to discover.
## Related topics
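Review bot: the same qualifier problem as in the Reference section: "Requirements for long passwords can actually decrease the security of an organization" and "If long passwords are required, mistyped passwords could cause account lockouts" now read as a warning against long passwords in general, while the context line still recommends a specific length. Keep "very long" or state the length at which the trade-off applies.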
@ -34,10 +34,10 @@ similar to NTFS file and folder permissions, which are discretionary controls on
- **Untrusted** Default assignment for processes that are logged on anonymously.
- **Low** Default assignment for processes that interact with the Internet.
- **Medium** Default assignment for standard user accounts and any object that is not explicitly designated with a lower or higher integrity level.
- **Medium** Default assignment for standard user accounts and any object that isn't explicitly designated with a lower or higher integrity level.
- **High** Default assignment for administrator accounts and processes that request to run using administrative rights.
- **System** Default assignment for Windows kernel and core services.
- **Installer** Used by setup programs to install software. It is important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects.
- **Installer** Used by setup programs to install software. It's important that only trusted software is installed on computers because objects that are assigned the Installer integrity level can install, modify, and uninstall all other objects.
Constant: SeRelabelPrivilege
@ -48,7 +48,7 @@ Constant: SeRelabelPrivilege
### Best practices
- Do not give any group this user right.
- Don't give any group this user right.
### Location
@ -73,7 +73,7 @@ The following table lists the actual and effective default policy values for the
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
A restart of the computer isn't required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
@ -97,11 +97,11 @@ This section describes how an attacker might exploit a feature or its configurat
Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by
Windows Integrity Controls and makes your system vulnerable to attacks by malicious software.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to relabel.
If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts don't have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you're attempting to relabel.
### Countermeasure
Do not give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need.
Don't give any group this right. If necessary, implement it for a constrained period of time to a trusted individual to respond to a specific organizational need.
### Potential impact
@ -37,7 +37,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
- Enabled
An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation as well as the name-to-SID translation.
An anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects the SID-to-name translation and the name-to-SID translation.
- Disabled
@ -47,7 +47,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
### Best practices
- Set this policy to Disabled. This is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled.
- Set this policy to Disabled, which is the default value on member computers; therefore, it will have no impact on them. The default value for domain controllers is Enabled.
### Location
@ -79,7 +79,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Group Policy
@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for
## Reference
This policy setting determines which additional permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON.
This policy setting determines which other permissions will be assigned for anonymous connections to the device. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This permission is convenient, for example, when an administrator wants to give access to users in a trusted domain that doesn't maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON.
This policy setting has no impact on domain controllers.
Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.
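Review bot: "This permission is convenient" has the wrong antecedent: what is convenient is the behavior of letting anonymous users enumerate account names and shares, not a permission. Suggest "This behavior is convenient" or "Allowing this is convenient". "Which other permissions" is also less precise than the original "additional permissions", since the setting governs permissions granted on top of the defaults; if "additional" is being avoided for style reasons, "extra" keeps the sense.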
@ -38,7 +38,7 @@ Misuse of this policy setting is a common error that can cause data loss or prob
- Disabled
No additional permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks.
No other permissions can be assigned by the administrator for anonymous connections to the device. Anonymous connections will rely on default permissions. However, an unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social-engineering attacks.
- Not defined
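Review bot: "No other permissions can be assigned by the administrator for anonymous connections" reads as if no permissions at all can be assigned, which is not what the Disabled value means; the original "No additional permissions" (or "No extra permissions") states that only the default permissions apply, which the next sentence, "Anonymous connections will rely on default permissions", then confirms.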
@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage
### Restart requirement
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
### Policy conflicts
@ -89,7 +89,7 @@ Enable the **Network access: Do not allow anonymous enumeration of SAM accounts
### Potential impact
It is impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers.
It's impossible to grant access to users of another domain across a one-way trust because administrators in the trusting domain are unable to enumerate lists of accounts in the other domain. Users who access file and print servers anonymously are unable to list the shared network resources on those servers; the users must be authenticated before they can view the lists of shared folders and printers.
## Related topics
Some files were not shown because too many files have changed in this diff.