From 77d18b1ba6294fd57f6448064366ad420f374cdd Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Wed, 10 Mar 2021 15:51:34 +0530
Subject: [PATCH 01/37] Updated
---
.../mdm/Language-pack-management-csp.md | 65 +++++++++++++++++++
...onfiguration-service-provider-reference.md | 27 ++++++++
2 files changed, 92 insertions(+)
create mode 100644 windows/client-management/mdm/Language-pack-management-csp.md
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
new file mode 100644
index 0000000000..ba439c06a3
--- /dev/null
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -0,0 +1,65 @@
+---
+title: LanguagePackManagement CSP
+description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X.
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nimishasatapathy
+ms.date: 03/12/2021
+---
+
+# LanguagePackManagement CSP
+
+
+Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
+
+
+Device context
+1. Enumerate installed languages with GET command on the "InstalledLanguges" node
+
+Sample command
+**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
+**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers**
+**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers**
+
+The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed.
+
+2. Install language pack features with EXECUTE command on the "StartInstall" node of the language
+
+Sample command
+**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
+**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
+
+The installation is an asynchronous operation. IT admin can query the ‘Status’ node using
+
+**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
+**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
+
+Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed
+> [!NOTE]
+> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail.
+
+3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
+
+Sample command
+**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)**
+
+4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
+
+Sample command
+**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
+
+
+
+
+
+
+
+
+
+
+
+
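Review bot: The node names in the step text of the new Language-pack-management-csp.md do not match the sample URIs: step 1 says "InstalledLanguges" and step 2 says "StartInstall", while the samples use `InstalledLanguages` and `StartInstallation`. An admin building commands from the prose will target nodes that the samples do not show, so align the prose with the URIs. The samples also need a space after the verb (`GET ./Device/...`) and the stray space removed from `InstalledLanguages /zh-CN`, and step 4 shows no verb at all. The NOTE after the status codes says "this command will fail" without naming the command or the policy it depends on, and the run of empty lines at the end of the file can be dropped.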
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index dcf8eec173..727a6c5348 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1374,6 +1374,33 @@ Additional lists:
+
+[LanguagePackManagement CSP](languagepackmanagement-csp.md)
+
+
+
+
+ Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+  |
+ |
+  |
+  |
+  |
+  |
+
+
+
+
+
[Maps CSP](maps-csp.md)
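Review bot: The new reference entry links to `languagepackmanagement-csp.md`, but this patch creates the page as `Language-pack-management-csp.md`, so the link does not match the file being added. Point the link at the actual file name, and consider a lowercase file name to match the neighbouring `maps-csp.md`. One cell in the second row of the edition table is also empty where the others carry a marker; confirm that is intended.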
From 4eb06c120dde73dbf61b6f1420d5cf59692b3250 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 15 Mar 2021 15:46:47 +0530
Subject: [PATCH 02/37] updated
---
windows/client-management/mdm/Language-pack-management-csp.md | 4 ++--
.../mdm/configuration-service-provider-reference.md | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index ba439c06a3..755472b5af 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,5 +1,5 @@
---
-title: LanguagePackManagement CSP
+title: Language Pack Management CSP
description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X.
ms.reviewer:
manager: dansimp
@@ -11,7 +11,7 @@ author: nimishasatapathy
ms.date: 03/12/2021
---
-# LanguagePackManagement CSP
+# Language Pack Management CSP
Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 727a6c5348..d689057684 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1375,7 +1375,7 @@ Additional lists:
-[LanguagePackManagement CSP](languagepackmanagement-csp.md)
+[Language Pack Management CSP](language- pack-management-csp.md)
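Review bot: The new link target `language- pack-management-csp.md` contains a space after the first hyphen, so the entry in the CSP reference still does not resolve. It should read `language-pack-management-csp.md`.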
From 07920ba872a88179aebf8d5458fcf08c71f1ed96 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 22 Mar 2021 12:16:50 +0530
Subject: [PATCH 03/37] updated
---
.../mdm/configuration-service-provider-reference.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index d689057684..867a99d7d0 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1375,7 +1375,7 @@ Additional lists:
-[Language Pack Management CSP](language- pack-management-csp.md)
+[LanguagePackManagement CSP](language- pack-management-csp.md)
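Review bot: The link text goes back to "LanguagePackManagement CSP" on the `+` line although patch 02 retitled the page "Language Pack Management CSP", and the target still carries the space in `language- pack-management-csp.md`. Pick one name for the index entry and the page heading, and fix the target in the same change.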
@@ -1389,13 +1389,13 @@ Additional lists:
Mobile Enterprise |
-  |
-  |
+  |
+  |
|
 |
+  |
+  |
 |
-  |
-  |
From f3672663d6f118bb9e0f8b91c847e86a9529cd1c Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 22 Mar 2021 14:55:48 +0530
Subject: [PATCH 04/37] updated
---
.../mdm/configuration-service-provider-reference.md | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 867a99d7d0..2f152af35b 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1375,7 +1375,7 @@ Additional lists:
-[LanguagePackManagement CSP](language- pack-management-csp.md)
+[LanguagePackManagement CSP](language-pack-management-csp.md)
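Review bot: The target `language-pack-management-csp.md` no longer has the space, but the file added in patch 01 is named `Language-pack-management-csp.md` with a capital L. If links are resolved case-sensitively the entry is still broken; renaming the file to lowercase would settle it.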
@@ -1389,13 +1389,12 @@ Additional lists:
Mobile Enterprise |
-  |
-  |
- |
-  |
-  |
 |
-  |
+  |
+  |
+  |
+  |
+  |
From 4cac115392ab4615a65e85638331d198ff23d265 Mon Sep 17 00:00:00 2001
From: Andrea Barr <81656118+AndreaLBarr@users.noreply.github.com>
Date: Thu, 17 Jun 2021 16:36:54 -0700
Subject: [PATCH 05/37] Adding Question and Answer
Added a question and answer as requested from Radia Soulmani.
---
.../faq-md-app-guard.yml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 03baa2d537..98fc46090b 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -70,6 +70,11 @@ sections:
answer: |
Make sure to enable the extensions policy on your Application Guard configuration.
+ - question: |
+ I’m trying to watch playback video with HDR, why is the HDR option missing?
+ answer: |
+ In order for HDR video playback to work in the container, vGPU Hardware Acceleration needs to be enabled in Application Guard.
+
- question: |
How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
answer: |
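Review bot: The new answer says vGPU Hardware Acceleration "needs to be enabled in Application Guard" but does not name the policy or setting that enables it, or link to where it is configured. Because this changes what the isolated container is allowed to use, name the setting and link to the Application Guard configuration page so an admin can find it and weigh the change before turning it on.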
From c2a85c0c718ddde7cdeee43e37171045d0b81a38 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Wed, 23 Jun 2021 09:05:44 -0700
Subject: [PATCH 06/37] Update Language-pack-management-csp.md
---
.../mdm/Language-pack-management-csp.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 755472b5af..85fe76af37 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,6 +1,6 @@
---
title: Language Pack Management CSP
-description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X.
+description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -8,17 +8,16 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
-ms.date: 03/12/2021
+ms.date: 06/22/2021
---
# Language Pack Management CSP
-Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of optional FODs (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
-
+Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings.
Device context
-1. Enumerate installed languages with GET command on the "InstalledLanguges" node
+1. Enumerate installed languages with GET command on the "InstalledLanguges" node:
Sample command
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
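Review bot: The rewritten intro on the `+` line has a sentence that starts in lower case ("device management tools like Intune ..."). The step 1 line is edited only to add a colon and still spells the node "InstalledLanguges", while the sample directly below uses `InstalledLanguages`; fix the spelling while the line is being touched.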
@@ -30,10 +29,11 @@ The nodes under “InstalledLanguages” are the language tags of the installed
2. Install language pack features with EXECUTE command on the "StartInstall" node of the language
Sample command
+
**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
-The installation is an asynchronous operation. IT admin can query the ‘Status’ node using
+The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands:
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
From c8d156c7354b04770d47904928c4d89e59d8e30e Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Wed, 23 Jun 2021 13:19:59 -0700
Subject: [PATCH 07/37] Update configuration-service-provider-reference.md
fixing relative link
---
.../mdm/configuration-service-provider-reference.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 2f152af35b..8d54b43c2b 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1109,7 +1109,7 @@ Additional lists:
-Only for mobile application management (MAM) |
+Only for mobile application management (MAM)
 |
|
 |
@@ -2843,4 +2843,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
-- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
+- 10 - Added in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2)
From 769114b7494120e57e068de280a77cb18b49c4d9 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Wed, 23 Jun 2021 13:28:04 -0700
Subject: [PATCH 08/37] Update Language-pack-management-csp.md
---
.../mdm/Language-pack-management-csp.md | 42 ++++++++++++-------
1 file changed, 27 insertions(+), 15 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 85fe76af37..2e9d2f4140 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -14,43 +14,55 @@ ms.date: 06/22/2021
# Language Pack Management CSP
-Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to allow provisioning of optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. device management tools like Intune can use management commands remotely to devices to configure language related settings.
+The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings.
-Device context
-1. Enumerate installed languages with GET command on the "InstalledLanguges" node:
+1. List the installed languages with GET command on the "InstalledLanguges" node. For example:
-Sample command
-**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
-**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers**
-**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers**
+```
+GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages
+GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers
+GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers
+```
-The nodes under “InstalledLanguages” are the language tags of the installed languages. The “providers” node under language tag is the bit map representation of either "language pack (features)" or "LXPs". 1 indicates the language pack installed is a System Language Pack (non-LXP), “2” stands for LXPs installed. “3” stands for both installed.
+The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed.
-2. Install language pack features with EXECUTE command on the "StartInstall" node of the language
-
-Sample command
+2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
+```
**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
+```
-The installation is an asynchronous operation. IT admin can query the ‘Status’ node by using the following commands:
+The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
+```
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
+```
+
+Return value definitions are:
+
+- 0 – Not started
+- 1 – In process
+- 2 – Succeeded
+- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed
-Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed
> [!NOTE]
-> If the IT administration has not set the policy of blocking cleanup of unused language packs, then this command will fail.
+> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail.
-3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
+3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed.
Sample command
+```
**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)**
+```
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
Sample command
+```
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
+```
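Review bot: The samples for steps 2 to 4 are moved into code fences but keep their `**` bold markers, for example `**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**`, so the asterisks render literally and get copied along with the URI. Strip the `**` from every fenced line, as the step 1 block already does, and move "(Delete command)" out of the DELETE sample. Also in this hunk: "indidcates" should be "indicates", "InstalledLanguges" is still misspelled in step 1, and step 2 names the node **StartInstall** while the sample uses `StartInstallation`.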
From f25f4173932e00702c8aa4d9525c593a013ab649 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 24 Jun 2021 12:15:35 -0700
Subject: [PATCH 09/37] change testbase link
---
windows/whats-new/windows-11-plan.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 1227f3908d..3df8ed3080 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -109,7 +109,7 @@ If you run into compatibility issues or want to ensure that your organization's
**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats.
-**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://www.microsoft.com/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
+**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11.
From eefda074104c8536d027ddbe9b4a4736078b7cd7 Mon Sep 17 00:00:00 2001
From: John Flores
Date: Thu, 24 Jun 2021 15:16:47 -0400
Subject: [PATCH 10/37] Update windows-11-prepare.md
---
windows/whats-new/windows-11-prepare.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index dda3e2c11d..5ccbff2c5b 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -31,7 +31,7 @@ The tools that you use for core workloads during Windows 10 deployments can stil
> [!IMPORTANT]
> Be sure to check with the providers of any non-Microsoft solutions that you use. Verify compatibility of these tools with Windows 11, particularly if they provide security or data loss prevention capabilities.
-#### On-premise solutions
+#### On-premises solutions
- If you use Windows Server Update Service (WSUS), you will need to sync the new **Windows 11** product category. After you sync the product category, you will see Windows 11 offered as an option. If you would like to validate Windows 11 prior to release, you can sync the **Windows Insider Pre-release** category as well.
@@ -59,7 +59,7 @@ The following are some common use cases and the corresponding Microsoft Endpoint
- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps.
- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager.
-If you are exclusively using an on-premise device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date.
+If you are exclusively using an on-premises device management solution (for example, Configuration Manager), you can still use the [cloud management gateway](/mem/configmgr/core/clients/manage/cmg/overview), enable [tenant attach](/mem/configmgr/tenant-attach/device-sync-actions), or enable [co-management](/mem/configmgr/comanage/overview) with Microsoft Intune. These solutions can make it easier to keep devices secure and up-to-date.
## Review servicing approach and policies
From 2b1f47e6f3dcc2a72d5965d1d6bf9a72bd72c896 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 24 Jun 2021 12:44:49 -0700
Subject: [PATCH 11/37] edit S mode requirements
---
windows/whats-new/windows-11-requirements.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 2fbeeb8490..2b48d9fb14 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -47,8 +47,8 @@ For information about tools to evaluate readiness, see [Determine eligibility](w
For the best Windows 11 upgrade experience, eligible devices should be running Windows 10, version 20H1 or later.
> [!NOTE]
-> S mode is not supported on Windows 11.
-> If you are running Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
+> S mode is only supported on the Home edition of Windows 11.
+> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later.
## Feature-specific requirements
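Review bot: "a different edition of Windows in S mode" in the second added line has no clear referent; "an edition other than Home" would say what is meant. The link still targets `/windows/deployment/windows-10-pro-in-s-mode` and the unchanged line that follows states that the switch cannot be reversed, so the note should make explicit that Home devices in S mode do not need to switch before upgrading.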
From 6b4c4036a9753d7ae79f7b2891de7290bc70bf3f Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 24 Jun 2021 12:49:11 -0700
Subject: [PATCH 12/37] public to private for testbase
---
windows/whats-new/windows-11-plan.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 3df8ed3080..17d61a7125 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -109,7 +109,7 @@ If you run into compatibility issues or want to ensure that your organization's
**App Assure**: With enrollment in the [App Assure](/windows/compatibility/app-assure) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft will help you remedy application issues at no cost. Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats.
-**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in public preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
+**Test Base for Microsoft 365**: For software publishers, systems integrators, and IT administrators, [Test Base for Microsoft 365](https://aka.ms/testbase) (currently in private preview) is a service that allows you to validate your apps across a variety of Windows feature and quality updates and environments in a Microsoft-managed Azure environment. Enterprise organizations can also nominate their software publishers for participation by completing a short form.
You might already be using App Assure and Test Base in your Windows 10 environment. Both of these tools will continue to function with Windows 11.
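Review bot: With the preview now described as private on the `+` line, the sentence should say how a reader requests access, since the link alone no longer implies open sign-up. The unchanged line below ("You might already be using App Assure and Test Base in your Windows 10 environment") also reads oddly for a private preview and may need the same adjustment.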
From 6747493aab97d69588473413beaf68978e48af4d Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 24 Jun 2021 13:13:28 -0700
Subject: [PATCH 13/37] update requirements
---
windows/whats-new/windows-11-requirements.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md
index 2b48d9fb14..8c87b2c454 100644
--- a/windows/whats-new/windows-11-requirements.md
+++ b/windows/whats-new/windows-11-requirements.md
@@ -60,7 +60,7 @@ Some features in Windows 11 have requirements beyond those listed above. See the
- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions.
- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above.
- **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States.
-- **DirectStorage**: requires 1 TB or greater NVMe SSD to store and run games that use the "Standard NVM Express Controller" driver and a DirectX12 Ultimate GPU.
+- **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support.
- **DirectX 12 Ultimate**: available with supported games and graphics chips.
- **Presence**: requires sensor that can detect human distance from device or intent to interact with device.
- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output)
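Review bot: The new DirectStorage line is ambiguous: "games that use the Standard NVM Express Controller driver and a DirectX12 GPU" reads as if the games use the driver. If the driver requirement applies to the SSD, split the two requirements, for example "requires an NVMe SSD that uses the Standard NVM Express Controller driver to store and run games, and a DirectX 12 GPU with Shader Model 6.0 support". "DirectX12" should also be written "DirectX 12" to match the next bullet.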
From 3919f4de32931580f92760397d6ec2390afa0dc8 Mon Sep 17 00:00:00 2001
From: Thomas Raya
Date: Thu, 24 Jun 2021 16:34:43 -0700
Subject: [PATCH 14/37] Update docfx.json
---
windows/whats-new/docfx.json | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index 16f6364ce9..fe5bc2fe98 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -3,8 +3,8 @@
"content": [
{
"files": [
- "**/*.md",
- "**/*.yml"
+ "**/**/*.md",
+ "**/**/*.yml"
],
"exclude": [
"**/obj/**",
@@ -19,9 +19,9 @@
"resource": [
{
"files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
+ "**/**/*.png",
+ "**/**/*.jpg",
+ "**/**/*.gif"
],
"exclude": [
"**/obj/**",
From 01d51d82f1b559925c5b029fa959cea9aab20336 Mon Sep 17 00:00:00 2001
From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit>
Date: Fri, 25 Jun 2021 08:54:28 -0700
Subject: [PATCH 15/37] Update .openpublishing.redirection.json
---
.openpublishing.redirection.json | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 4afc122348..8dbea776cc 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -18919,6 +18919,11 @@
"source_path": "windows/security/threat-protection/device-control/device-control-report.md",
"redirect_url": "/microsoft-365/security/defender-endpoint/device-control-report",
"redirect_document_id": false
- }
+ },
+ {
+ "source_path": "windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md",
+ "redirect_url": "/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows",
+ "redirect_document_id": false
+ }
]
}
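Review bot: The new redirect entry sends the `system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md` path to `/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows`, but nothing in this series adds or shows that target page. Confirm the target exists before the source file is deleted in the next patch, otherwise readers following existing links to the System Guard article land on a missing page.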
From 7d9be28bd3ac8285558ffc9248ba849c65f52a4c Mon Sep 17 00:00:00 2001
From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit>
Date: Fri, 25 Jun 2021 08:55:31 -0700
Subject: [PATCH 16/37] Delete
system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
---
...sed-root-of-trust-helps-protect-windows.md | 88 -------------------
1 file changed, 88 deletions(-)
delete mode 100644 windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
deleted file mode 100644
index bb47f523e4..0000000000
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: How Windows Defender System Guard protect Windows 10 from firmware exploits
-description: Windows Defender System Guard in Windows 10 uses a hardware-based root of trust to securely protect systems against firmware exploits.
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: deniseb
-author: denisebmsft
-search.appverid: met150
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-ms.date: 03/01/2019
-ms.custom: asr
-ms.technology: mde
----
-
-
-# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
-
-In order to protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
-
-Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
-
-- Protect and maintain the integrity of the system as it starts up
-- Validate that system integrity has truly been maintained through local and remote attestation
-
-## Maintaining the integrity of the system as it starts
-
-### Static Root of Trust for Measurement (SRTM)
-
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
-This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
-This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
-This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
-
-As there are thousands of PC vendors that produce numerous models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a block list), or a list of known 'good' SRTM measurements (also known as an allow list).
-Each option has a drawback:
-
-- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
-- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
-In addition, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
-
-### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
-
-Windows Defender System Guard Secure Launch, first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
-DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
-This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
-
-
-
-
-Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
-
-### System Management Mode (SMM) protection
-
-System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
-Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
-SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
-To defend against this, two techniques are used:
-
-1. Paging protection to prevent inappropriate access to code and data
-2. SMM hardware supervision and attestation
-
-Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering.
-This prevents access to any memory that has not been specifically assigned.
-
-A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it does not access any part of the address space that it is not supposed to.
-
-SMM protection is built on top of the Secure Launch technology and requires it to function.
-In the future, Windows 10 will also measure this SMI Handler’s behavior and attest that no OS-owned memory has been tampered with.
-
-## Validating platform integrity after Windows is running (run time)
-
-While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We should be able to trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. When it comes to platform integrity, we can’t just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device’s integrity.
-
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few.
-
-
-
-
-After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
-
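Review bot: The deletion touches one file only (1 file changed, 88 deletions), so any TOC entry or relative link that still names `system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md` is left dangling by this commit; the redirect added to `.openpublishing.redirection.json` covers published URLs, not in-repo references. Update those references here or say in the commit message where that is done. The message is only the subject line; one sentence on why the page is retired would help.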
From 4a278d355423eb63947930bfda1eab44643500b1 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Fri, 25 Jun 2021 09:22:30 -0700
Subject: [PATCH 17/37] Update configuration-service-provider-reference.md
---
.../mdm/configuration-service-provider-reference.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 3dad2ebf68..679a0aabe7 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1036,7 +1036,6 @@ Additional lists:
Only for mobile application management (MAM) |
-
 |
 |
 |
From 1d0e4e99cc951f391c0527b9fe5b43de8ceadd2c Mon Sep 17 00:00:00 2001
From: Max Stein
Date: Fri, 25 Jun 2021 12:02:25 -0700
Subject: [PATCH 18/37] Update devicestatus-csp.md
Light formatting fixes.
---
.../client-management/mdm/devicestatus-csp.md | 32 +++++++++----------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 0dd72c26d2..f861b2d2e4 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 04/30/2019
+ms.date: 06/25/2021
---
# DeviceStatus CSP
@@ -150,8 +150,8 @@ Node for the compliance query.
**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following:
-- 0 - not encrypted
-- 1 - encrypted
+- 0 - Not encrypted
+- 1 - Encrypted
Supported operation is Get.
@@ -179,8 +179,8 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
-- 0 - the device is in standard configuration
-- 1 - the device is in S mode configuration
+- 0 - The device is in standard configuration
+- 1 - The device is in S mode configuration
Supported operation is Get.
@@ -211,10 +211,10 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
-- 0 – Antivirus is on and monitoring
-- 1 – Antivirus is disabled
-- 2 – Antivirus is not monitoring the device/PC or some options have been turned off
-- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC
+- 0 – Antivirus is on and monitoring.
+- 1 – Antivirus is disabled.
+- 2 – Antivirus is not monitoring the device/PC or some options have been turned off.
+- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC.
- 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
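Review bot: Trailing periods are added to values 0 to 3 here, while the EncryptionCompliance and device-mode lists earlier in this patch are capitalised but left without periods, so the file ends up with two list styles after a formatting pass. Pick one convention for all value lists; the unchanged value 4 line also keeps its period inside the parenthesis ("doesn’t exist.)"), which should move outside.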
@@ -263,10 +263,10 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
-- 0 – Firewall is on and monitoring
-- 1 – Firewall has been disabled
-- 2 – Firewall is not monitoring all networks or some rules have been turned off
-- 3 (default) – Firewall is temporarily not monitoring all networks
+- 0 – Firewall is on and monitoring.
+- 1 – Firewall has been disabled.
+- 2 – Firewall is not monitoring all networks or some rules have been turned off.
+- 3 (default) – Firewall is temporarily not monitoring all networks.
- 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.)
Supported operation is Get.
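Review bot: In the firewall status list, the unchanged value 4 line still reads "devices like the phone that do not have an antivirus", which looks copied from the antivirus section; it should refer to the firewall. Since this hunk already edits the four lines above it, fix the wording in the same change.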
@@ -331,8 +331,8 @@ Added in Windows, version 1709. Virtualization-based security status. Value is
- 0 - Running
- 1 - Reboot required
- 2 - 64 bit architecture required
-- 3 - not licensed
-- 4 - not configured
+- 3 - Not licensed
+- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details
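Review bot: After this change the list still mixes separators: values 0 to 5 use a hyphen and value 42 uses an en dash, while the antivirus and firewall lists use the en dash throughout. Normalise the separator across the file, and write "64-bit" in value 2 while you are here.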
@@ -349,4 +349,4 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
- 4 - VBS not running
-Supported operation is Get.
\ No newline at end of file
+Supported operation is Get.
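Review bot: The hunk header context expands LSA as "Local System Authority"; the acronym stands for Local Security Authority. That description line is outside the changed lines but belongs in this cleanup pass.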
From 4214f6193ad6590941d482a82942d27493561997 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Fri, 25 Jun 2021 12:56:06 -0700
Subject: [PATCH 19/37] update driver topic
---
...icrosoft-recommended-driver-block-rules.md | 161 +++++++++++++++++-
1 file changed, 154 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 887fc765be..44f0200b2e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -1,9 +1,9 @@
---
title: Microsoft recommended driver block rules (Windows 10)
-description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
-keywords: security, malware, kernel mode, driver
+description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
+keywords: security, malware, kernel mode, driver
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
+ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,8 +14,7 @@ author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 10/15/2020
-ms.technology: mde
+ms.date:
---
# Microsoft recommended driver block rules
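Review bot: `ms.date:` is left with no value after the old `10/15/2020` is removed; set it to the date of this update so readers can tell how current the block list is. The front matter also drops `ms.technology: mde` and, in the hunk above, switches `ms.prod` from `m365-security` to `w10` with no explanation in the commit message; confirm that is intended.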
@@ -30,7 +29,7 @@ Microsoft has strict requirements for code running in kernel. Consequently, mali
- Hypervisor-protected code integrity (HVCI) enabled devices
- Windows 10 in S mode (S mode) devices
-Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
> [!Note]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode.
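Review bot: The HVCI link is changed from a relative path to a hard-coded `https://docs.microsoft.com/...` URL while the audit mode link in the same paragraph stays relative; keep one linking style, or state why the relative path no longer resolves. The sentence "can result in devices or software to malfunction" is carried over unchanged and should read "can cause devices or software to malfunction".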
@@ -127,6 +126,80 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
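Review bot: This hunk adds 74 lines at line 126 and the next adds another 74 at line 425, yet the commit message is only "update driver topic". For a page whose policy administrators merge into their own Windows Defender Application Control policy, the message should say which driver rules are added and why, so a consumer can judge whether to re-run audit mode before enforcing.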
@@ -352,6 +425,80 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -385,4 +532,4 @@ Microsoft recommends enabling [HVCI](../device-guard/enable-virtualization-based
## More information
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
\ No newline at end of file
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
From 8c7a9c164c557f35bc0bb73f1d9e25a87d3d8966 Mon Sep 17 00:00:00 2001
From: Nazmus Sakib
Date: Fri, 25 Jun 2021 13:23:51 -0700
Subject: [PATCH 20/37] Add TPM2.0 recommendation
Update additional details on TPM2.0 usage/recommendation in feature table
---
.../tpm/tpm-recommendations.md | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 6179ba0c0a..6bde2d3d8d 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -111,21 +111,20 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|-
- Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
+ Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes
- Windows Defender System Guard | Yes | No | Yes
- Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported.
- Device Health Attestation| Yes | Yes | Yes
- Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support.
+ Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
+ Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. Paired with Windows Defender System Guard, TPM 2.0 provides enhanced security for Credential Guard. Windows 11 requires TPM 2.0 by default to facilitate easier enablement of this enhanced security for customers.
+ Device Health Attestation| Yes | Yes | Yes | TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
+ Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. TPM 2.0 is recommended over TPM 1.2 for better performance and security. Windows Hello as a FIDO platform authenticator will take advantage of TPM 2.0 for key storage.
UEFI Secure Boot | No | Yes | Yes
TPM Platform Crypto Provider Key Storage Provider| Yes | Yes | Yes
Virtual Smart Card | Yes | Yes | Yes
Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM.
Autopilot | No | N/A | Yes | If you intend to deploy a scenario which requires TPM (such as white glove and self-deploying mode), then TPM 2.0 and UEFI firmware are required.
SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
- DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
## OEM Status on TPM 2.0 system availability and certified parts
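Review bot: The new System Guard (DRTM) row says "TPM 2.0 and UEFI firmware is required"; use "are required", as the Autopilot row does. In the Credential Guard cell, "Windows 11 requires TPM 2.0 by default" is ambiguous, because a requirement is not a default; state which it is. The SHA-1 sentence is pasted verbatim into both the Measured Boot and Device Health Attestation rows while their Supports TPM 1.2 column stays "Yes", so consider saying once, above the table, that TPM 1.2 is supported but limited to SHA-1.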
@@ -133,4 +132,4 @@ Government customers and enterprise customers in regulated industries may have a
## Related topics
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
+- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
From 46f1dd1f676094fb8b63692ebfe2ecd4cb04e8a7 Mon Sep 17 00:00:00 2001
From: David Strome
Date: Fri, 25 Jun 2021 13:34:41 -0700
Subject: [PATCH 21/37] Remove SV docset
---
.openpublishing.publish.config.json | 14 --------
windows/sv/TOC.yml | 5 ---
windows/sv/breadcrumb/toc.yml | 3 --
windows/sv/docfx.json | 51 -----------------------------
windows/sv/index.md | 11 -------
5 files changed, 84 deletions(-)
delete mode 100644 windows/sv/TOC.yml
delete mode 100644 windows/sv/breadcrumb/toc.yml
delete mode 100644 windows/sv/docfx.json
delete mode 100644 windows/sv/index.md
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 32eb1b181b..f9ebdac192 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -129,20 +129,6 @@
"build_entry_point": "docs",
"template_folder": "_themes"
},
- {
- "docset_name": "sv",
- "build_source_folder": "windows/sv",
- "build_output_subfolder": "sv",
- "locale": "en-us",
- "monikers": [],
- "moniker_ranges": [],
- "open_to_public_contributors": true,
- "type_mapping": {
- "Conceptual": "Content"
- },
- "build_entry_point": "docs",
- "template_folder": "_themes"
- },
{
"docset_name": "win-access-protection",
"build_source_folder": "windows/access-protection",
diff --git a/windows/sv/TOC.yml b/windows/sv/TOC.yml
deleted file mode 100644
index 01da3e1c0a..0000000000
--- a/windows/sv/TOC.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-- name: Index
- href: index.md
-
-
-
diff --git a/windows/sv/breadcrumb/toc.yml b/windows/sv/breadcrumb/toc.yml
deleted file mode 100644
index 48236190f9..0000000000
--- a/windows/sv/breadcrumb/toc.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-- name: Docs
- tocHref: /
- topicHref: /
diff --git a/windows/sv/docfx.json b/windows/sv/docfx.json
deleted file mode 100644
index e7955464fe..0000000000
--- a/windows/sv/docfx.json
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**",
- "**/docfx.json",
- "_repo.en-us/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices.md"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "_themes/**",
- "_themes.pdf/**",
- "**/docfx.json",
- "_repo.en-us/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "breadcrumb_path": "/windows/windows-11/breadcrumb/toc.json",
- "extendBreadcrumb": true,
- "feedback_system": "None"
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-11",
- "markdownEngineName": "markdig"
- }
-}
\ No newline at end of file
diff --git a/windows/sv/index.md b/windows/sv/index.md
deleted file mode 100644
index 7a31c42d39..0000000000
--- a/windows/sv/index.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: SV
-description: SV
-ms.prod: w10
-manager: laurawi
-ms.topic: article
-author: greg-lindsay
-ms.author: greglin
----
-
-# .
\ No newline at end of file
From 270bf2a633662cd9a2f668a9d843010747381bec Mon Sep 17 00:00:00 2001
From: v-hearya
Date: Sat, 26 Jun 2021 02:25:05 +0530
Subject: [PATCH 22/37] developer-faq.md converted into YML
---
windows/security/threat-protection/TOC.yml | 2 +-
.../threat-protection/intelligence/TOC.yml | 2 +-
.../intelligence/developer-faq.md | 51 ----------------
.../intelligence/developer-faq.yml | 60 +++++++++++++++++++
.../intelligence/developer-resources.md | 2 +-
5 files changed, 63 insertions(+), 54 deletions(-)
delete mode 100644 windows/security/threat-protection/intelligence/developer-faq.md
create mode 100644 windows/security/threat-protection/intelligence/developer-faq.yml
diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml
index 3c8e12e04c..e310d0d993 100644
--- a/windows/security/threat-protection/TOC.yml
+++ b/windows/security/threat-protection/TOC.yml
@@ -224,7 +224,7 @@
- name: Information for developers
items:
- name: Software developer FAQ
- href: intelligence/developer-faq.md
+ href: intelligence/developer-faq.yml
- name: Software developer resources
href: intelligence/developer-resources.md
- name: The Windows Security app
diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml
index 6c1f372f77..eb239b51c5 100644
--- a/windows/security/threat-protection/intelligence/TOC.yml
+++ b/windows/security/threat-protection/intelligence/TOC.yml
@@ -55,6 +55,6 @@
- name: Information for developers
items:
- name: Software developer FAQ
- href: developer-faq.md
+ href: developer-faq.yml
- name: Software developer resources
href: developer-resources.md
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
deleted file mode 100644
index 73ca4ec48c..0000000000
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Software developer FAQ
-ms.reviewer:
-description: This page provides answers to common questions we receive from software developers
-keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
-search.product: eADQiWindows 10XVcnh
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.technology: mde
----
-
-# Software developer FAQ
-
-This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
-
-## Does Microsoft accept files for a known list or false-positive prevention program?
-
-No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
-
-## How do I dispute the detection of my program?
-
-Submit the file in question as a software developer. Wait until your submission has a final determination.
-
-If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
-
-We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
-
-## Why is Microsoft asking for a copy of my program?
-
-Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
-
-## Why does Microsoft classify my installer as a software bundler?
-
-It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
-
-## Why is the Windows Defender Firewall blocking my program?
-
-Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
-
-## Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
-
-This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/developer-faq.yml b/windows/security/threat-protection/intelligence/developer-faq.yml
new file mode 100644
index 0000000000..04300736d9
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/developer-faq.yml
@@ -0,0 +1,60 @@
+### YamlMime:FAQ
+metadata:
+ title: Software developer FAQ
+ ms.reviewer:
+ description: This page provides answers to common questions we receive from software developers
+ keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
+ search.product: eADQiWindows 10XVcnh
+ ms.prod: m365-security
+ ms.mktglfcycl: deploy
+ ms.sitesec: library
+ ms.pagetype: security
+ ms.author: dansimp
+ author: dansimp
+ ms.localizationpriority: medium
+ manager: dansimp
+ audience: ITPro
+ ms.collection: M365-security-compliance
+ ms.topic: article
+ ms.technology: mde
+
+title: Software developer FAQ
+summary: This page provides answers to common questions we receive from software developers. For general guidance about submitting malware or incorrectly detected files, read the submission guide.
+
+
+sections:
+ - name: Ignored
+ questions:
+ - question: |
+ Does Microsoft accept files for a known list or false-positive prevention program?
+ answer: |
+ No. We don't accept these requests from software developers. Signing your program's files in a consistent manner, with a digital certificate issued by a trusted root authority, helps our research team quickly identify the source of a program and apply previously gained knowledge. In some cases, this might result in your program being quickly added to the known list. Far less frequently, in will add your digital certificate to a list of trusted publishers.
+
+ - question: |
+ How do I dispute the detection of my program?
+ answer: |
+ Submit the file in question as a software developer. Wait until your submission has a final determination.
+
+ If you're not satisfied with our determination of the submission, use the developer contact form provided with the submission results to reach Microsoft. We'll use the information you provide to investigate further if necessary.
+
+ We encourage all software vendors and developers to read about [how Microsoft identifies malware and Potentially Unwanted Applications (PUA)](criteria.md).
+
+ - question: |
+ Why is Microsoft asking for a copy of my program?
+ answer: |
+ Providing copies can help us with our analysis. Participants of the [Microsoft Active Protection Service (MAPS)](https://www.microsoft.com/msrc/mapp) may occasionally receive these requests. The requests will stop once our systems have received and processed the file.
+
+ - question: |
+ Why does Microsoft classify my installer as a software bundler?
+ answer: |
+ It contains instructions to offer a program classified as unwanted software. You can review the [criteria](criteria.md) we use to check applications for behaviors that are considered unwanted.
+
+ - question: |
+ Why is the Windows Defender Firewall blocking my program?
+ answer: |
+ Firewall blocks aren't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Windows Defender Firewall](../windows-firewall/windows-firewall-with-advanced-security.md).
+
+ - question: |
+ Why does the Microsoft Defender Windows Defender SmartScreen say my program isn't commonly downloaded?
+ answer: |
+ This isn't related to Microsoft Defender Antivirus and other Microsoft antimalware. [Learn about Microsoft Defender Windows Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md)
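Review bot: The conversion copies the old text verbatim, defects included: the first answer still reads "Far less frequently, in will add your digital certificate" (a word is missing or wrong), the third names "Microsoft Active Protection Service (MAPS)" but links to `https://www.microsoft.com/msrc/mapp`, and the last question and answer say "Microsoft Defender Windows Defender SmartScreen". Fix these in the new file. The summary also says "read the submission guide" without a link, and the only section is named `Ignored`; confirm both are intended.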
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index 659eaad25b..3b7d080b28 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -37,7 +37,7 @@ To objectively identify malware and unidentified software, Microsoft applies a [
### Developer questions
-Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.md).
+Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.yml).
### Scan your software
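Review bot: The link target changes to `developer-faq.yml`, but nothing in this patch shows what happens to other pages that still link to `developer-faq.md`. Add a redirect for the old path or update the remaining references in the same commit so the rename does not leave broken links.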
From faeaeaddf09933dc0263f9b89e76065217129b2c Mon Sep 17 00:00:00 2001
From: Jordan Geurten
Date: Fri, 25 Jun 2021 14:17:28 -0700
Subject: [PATCH 23/37] Removed duplicate block events and file IOCs not
intended to be blocked
---
...icrosoft-recommended-driver-block-rules.md | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 7d56cdbe9e..835c6da8f0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -126,6 +126,40 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
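Review bot: The subject line says duplicate block events and file IOCs were removed, but the diffstat records 68 insertions and no deletions, and this hunk is purely additive. Reword the commit message to describe what is being added to the block rules, or check that the intended removals were actually staged, since a mismatch here makes it hard to audit which drivers the policy blocks after this change.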
@@ -351,6 +385,40 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
From 8d5d5e2f5ad1cf5ec2d42c19692250213fa9a3cd Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Fri, 25 Jun 2021 16:20:23 -0700
Subject: [PATCH 24/37] Acrolinx "a existing"
---
.../security/information-protection/tpm/tpm-recommendations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 6bde2d3d8d..2a29a3881a 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -95,7 +95,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
+- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
### IoT Core
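Review bot: The article fix is fine, but the same bullet still reads "such as CPU, graphic cards" with no conjunction and "graphic" for "graphics". Since the line is already being rewritten for Acrolinx, tidy that clause too, for example "such as the CPU or graphics card".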
From c163663490a9c6b53e407a7ea2145407739cac0d Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Fri, 25 Jun 2021 16:20:54 -0700
Subject: [PATCH 25/37] Fixed broken note
---
.../security/information-protection/tpm/tpm-recommendations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 2a29a3881a..658a7d98d5 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
-
+>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
## Discrete, Integrated or Firmware TPM?
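Review bot: The two paragraphs that the new `>` line joins into one note still have wording problems that should be fixed in the same pass. "For added security Enable the Secure Boot feature" has a stray capital and no comma, and "Installed Operating System on hardware in legacy mode will stop the OS from booting" is hard to parse; say plainly that an OS installed in legacy mode will not boot after the BIOS mode is switched to UEFI unless MBR2GPT is run first.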
From f19fe3f304c3519cb505ea0a608ede95fd59bc9a Mon Sep 17 00:00:00 2001
From: Michael Howard
Date: Sat, 26 Jun 2021 11:38:08 -0500
Subject: [PATCH 26/37] Fixed error in Principal Self SID
---
.../identity-protection/access-control/special-identities.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 0dc6406a6d..f0c84a4b48 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -282,7 +282,7 @@ This group implicitly includes all users who are logged on to the system through
## Principal Self
-This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
+This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
| **Attribute** | **Value** |
| :--: | :--: |
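Review bot: The subject line says an error in the Principal Self SID was fixed, but the only change is the spelling "identify" to "identity" in the description; the attribute table that follows is unchanged context. Reword the subject as a typo fix, or include the SID correction if one was intended.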
From f3a48169fa776b759e5f8f8e5dd3d4fa6c113b4a Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Sun, 27 Jun 2021 15:03:31 +0530
Subject: [PATCH 27/37] Update Language-pack-management-csp.md
---
windows/client-management/mdm/Language-pack-management-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 2e9d2f4140..d5266e8bf7 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -24,7 +24,7 @@ GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Provide
GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers
```
-The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indidcates that the LXP is installed. **3** indicates that both are installed.
+The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed.
2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
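Review bot: The sample command in the context just above the changed line still has a space inside the node path (`InstalledLanguages /ja-JP/Providers`), which is not a valid path as written. Fix the spacing together with the "indidcates" typo so the sample can be copied as shown.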
From 305560033d5d1e7ffb8db62e7b65ef3e963d4201 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Sun, 27 Jun 2021 17:01:16 +0530
Subject: [PATCH 28/37] Updated
---
.../mdm/Language-pack-management-csp.md | 64 ++++++-------------
.../policy-configuration-service-provider.md | 9 +++
2 files changed, 29 insertions(+), 44 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index d5266e8bf7..3c7af93899 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,5 +1,5 @@
---
-title: Language Pack Management CSP
+title: Language Pack Management CSP
description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
ms.reviewer:
manager: dansimp
@@ -14,64 +14,40 @@ ms.date: 06/22/2021
# Language Pack Management CSP
-The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10. A separate CSP exists to provision optional Features On Demand (FOD) which include handwriting recognition, text-to-speech, etc. associated with a language. Device management tools such as Intune can use management commands remotely to devices to configure language related settings.
+The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
-1. List the installed languages with GET command on the "InstalledLanguges" node. For example:
+1. Enumerate installed languages with GET command on the "InstalledLanguages" node
+
+ ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers***
-```
-GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages
-GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN/Providers
-GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /ja-JP/Providers
-```
-The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either **language pack (features)** or **LXPs**. The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed.
+ The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed.
2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
-```
-**ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
-**EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
-```
+ ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
+ **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation***
-The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
+ The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
-```
-**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
-**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
-```
+ *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status****
+ ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode***
-Return value definitions are:
-
-- 0 – Not started
-- 1 – In process
-- 2 – Succeeded
-- 3 – Failed. ErrorCode is a HRESULT that could help you diagnose the issue and why installation failed
+ Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
> [!NOTE]
-> If the IT administrator has not set the policy of blocking cleanup of unused language packs, then this command will fail.
+> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
-3. Delete installed Language with the DELETE command on the installed language tag. The deletion will run in background, and admins can query the installed language later and resend the command if needed.
+3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
-Sample command
-```
-**DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN (Delete command)**
-```
+
+ ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)***
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
-Sample command
-```
-**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
-```
-
-
-
-
-
-
-
-
-
-
+ **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages***
+
\ No newline at end of file
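Review bot: The sample commands lose their fenced code blocks and are wrapped in unbalanced emphasis markers instead (`***GET...**` on the first line, `*****GET...****` on the Status line, `**.*/Device/...` on the last), which will render stray asterisks inside the node paths. Keep the fences from the removed lines. The DELETE sample also still has a space before `/zh-CN` and now has "(Delete command)" fused to the path, and step 2 names the **StartInstall** node while the command ends in `StartInstallation`. The intro reintroduces "Windows 10 X" although the description in the front matter says Windows 10 only, and the file ends without a newline.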
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index fbe229c166..329281e328 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -1371,6 +1371,7 @@ The following diagram shows the Policy configuration service provider in tree fo
+
## ADMX_ICM policies
@@ -6781,6 +6782,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### Language Pack Management CSP policies
+
+
+ -
+ LanmanWorkstation/EnableInsecureGuestLogons
+
+
+
### Licensing policies
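Review bot: The entry listed under the new "Language Pack Management CSP policies" heading is `LanmanWorkstation/EnableInsecureGuestLogons`, which by its own prefix belongs to the LanmanWorkstation area and has nothing to do with language packs. This looks like a copied block that was not updated; replace it with the policy the section is meant to list (the CSP page refers to a policy that blocks cleanup of unused language packs) or drop the section until that entry exists.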
From 6b6be2cac41decb77f9ded8b594274a4956cc761 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Sun, 27 Jun 2021 23:45:45 +0530
Subject: [PATCH 29/37] Updated
---
.../mdm/Language-pack-management-csp.md | 21 +++++++++++--------
...onfiguration-service-provider-reference.md | 1 +
2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 3c7af93899..f4a96bb39f 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -18,22 +18,25 @@ The Language Pack Management CSP allows a direct way to provision language packs
1. Enumerate installed languages with GET command on the "InstalledLanguages" node
- ***GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
- **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers***
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
- The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1). The value of **1** indicates the language pack installed is a System Language Pack (non-LXP), **2** indicates that the LXP is installed. **3** indicates that both are installed.
+ The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1).
+ - Indicates the language pack installed is a System Language Pack (non-LXP)
+ - Indicates that the LXP is installed.
+ - Indicates that both are installed.
2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
- ***ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
- **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation***
+ **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
+ **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
- *****GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status****
- ***GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode***
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
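Review bot: The new bullets under the Providers description drop the values they are supposed to explain. The removed sentence mapped 1, 2 and 3 to system language pack, LXP and both, while each added bullet starts with "Indicates" and no value, so the bitmap can no longer be decoded from the page. Put the value back at the start of each bullet.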
@@ -43,11 +46,11 @@ The Language Pack Management CSP allows a direct way to provision language packs
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
- ***DELETE ./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages /zh-CN(Delete command)***
+ **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)**
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
- **.*/Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages***
+ **./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
\ No newline at end of file
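Review bot: In the DELETE sample, "(Delete command)" is still inside the bold span and fused to the node path (`InstalledLanguages/zh-CN(Delete command)`), so a reader copying the line gets an invalid path. Move the remark outside the command or remove it. The GET/REPLACE sample for step 4 shows only the path with no verb, unlike the other samples, and the file still has no trailing newline.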
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 679a0aabe7..4f9dd3d9da 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1302,6 +1302,7 @@ Additional lists:
 |
 |
 |
+  |
From 79aa1ec40fdb67558946ea5a0a45fe963b91e092 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 28 Jun 2021 00:02:45 +0530
Subject: [PATCH 30/37] Updated
---
.../mdm/Language-pack-management-csp.md | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index f4a96bb39f..dab7171589 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -3,7 +3,7 @@ title: Language Pack Management CSP
description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
ms.reviewer:
manager: dansimp
-ms.author: dansimp
+ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
@@ -14,16 +14,15 @@ ms.date: 06/22/2021
# Language Pack Management CSP
-The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech etc.) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
+The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
1. Enumerate installed languages with GET command on the "InstalledLanguages" node
- **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
- **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
- **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
-
- The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (features)](/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1).
+ The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1).
- Indicates the language pack installed is a System Language Pack (non-LXP)
- Indicates that the LXP is installed.
- Indicates that both are installed.
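Review bot: The two documentation links change from the site-relative form (`/windows-hardware/...`) to absolute `https://docs.microsoft.com/...` URLs without any reason given in the commit message. If the relative links failed validation, say so; otherwise keep the relative form so the links follow the site if the host changes. The three "Indicates" bullets in the trailing context are still missing their values.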
@@ -52,5 +51,3 @@ The Language Pack Management CSP allows a direct way to provision language packs
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
-
-
\ No newline at end of file
From 127f9618472920da0a49c483a55b616a65dc73de Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Mon, 28 Jun 2021 00:08:19 +0530
Subject: [PATCH 31/37] Update Language-pack-management-csp.md
---
windows/client-management/mdm/Language-pack-management-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index dab7171589..4dbd9ec98a 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -14,7 +14,7 @@ ms.date: 06/22/2021
# Language Pack Management CSP
-The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of [optional FODs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-language-fod) (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
+The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
1. Enumerate installed languages with GET command on the "InstalledLanguages" node
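Review bot: Replacing the FOD link with the quoted phrase "optional FODs" leaves the reader with no pointer to what the separate CSP is or where Features on Demand are documented. Either keep a working link or name the CSP in the sentence; quotation marks around the term do not carry that information.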
@@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
- The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either [language pack (feature)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/available-language-packs-for-windows) or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1).
+ The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1).
- Indicates the language pack installed is a System Language Pack (non-LXP)
- Indicates that the LXP is installed.
- Indicates that both are installed.
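Review bot: After this change the same sentence has one term in quotation marks ("language pack (feature)") and the other as a live link (LXPs), which reads as inconsistent. Link both or neither, and prefer fixing the link target over removing it.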
From 4497fee51b2b1d8d1176a86ce303d395849492cc Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 28 Jun 2021 09:34:58 -0600
Subject: [PATCH 32/37] Apply suggestions from code review
---
windows/client-management/mdm/Language-pack-management-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 4dbd9ec98a..40b8e8546f 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -22,7 +22,7 @@ The Language Pack Management CSP allows a direct way to provision language packs
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
- The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/en-us/store/collections/localexperiencepacks?cat0=devices&rtc=1).
+ The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).
- Indicates the language pack installed is a System Language Pack (non-LXP)
- Indicates that the LXP is installed.
- Indicates that both are installed.
@@ -40,7 +40,7 @@ The Language Pack Management CSP allows a direct way to provision language packs
Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
> [!NOTE]
-> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
+ > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
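Review bot: Only the body line of the note is indented here, while `> [!NOTE]` in the context above stays at its old position, so the two lines of one alert end up at different indentation levels. Indent both lines in the same commit so the note is not split.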
From b20ff81b07a24be019f09cc0aad92c4462c4f700 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 28 Jun 2021 08:38:48 -0700
Subject: [PATCH 33/37] Update
windows/client-management/mdm/Language-pack-management-csp.md
Co-authored-by: Diana Hanson
---
windows/client-management/mdm/Language-pack-management-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 40b8e8546f..0a1e9f72a4 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -39,7 +39,7 @@ The Language Pack Management CSP allows a direct way to provision language packs
Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
-> [!NOTE]
+ > [!NOTE]
> If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
From acbcb2af334d511dc268af19e4df7e533063b797 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 28 Jun 2021 09:40:57 -0600
Subject: [PATCH 34/37] Pencil edit
indenting note
---
windows/client-management/mdm/Language-pack-management-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 0a1e9f72a4..ab539346d8 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs
Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
- > [!NOTE]
- > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
+ > [!NOTE]
+ > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
From a8a6c1e53d2a0314b4d7c60e8f47b8d809c74d6f Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 28 Jun 2021 09:45:44 -0600
Subject: [PATCH 35/37] Pencil edit
indent note more
---
windows/client-management/mdm/Language-pack-management-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index ab539346d8..0a1e9f72a4 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -39,8 +39,8 @@ The Language Pack Management CSP allows a direct way to provision language packs
Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
- > [!NOTE]
- > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
+ > [!NOTE]
+ > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
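Review bot: The index line of this patch (ab539346d8..0a1e9f72a4) is the exact reverse of the preceding patch's index line (0a1e9f72a4..ab539346d8), so this change returns the file to the blob it had before that patch and the two indentation commits cancel out. Decide which indentation of the NOTE block renders correctly under the list item, keep that one commit, and drop the other before merging.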
From ac723009ef483f88684707563a95f415dc7d7b1a Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 28 Jun 2021 08:49:57 -0700
Subject: [PATCH 36/37] term updates
---
windows/client-management/mdm/policy-csp-admx-printing.md | 6 +++---
windows/client-management/windows-10-mobile-and-mdm.md | 2 +-
.../deployment/upgrade/upgrade-windows-phone-8-1-to-10.md | 2 +-
windows/security/threat-protection/auditing/event-4624.md | 2 +-
windows/security/threat-protection/auditing/event-4648.md | 2 +-
windows/security/threat-protection/auditing/event-4688.md | 2 +-
windows/security/threat-protection/auditing/event-4696.md | 2 +-
windows/security/threat-protection/auditing/event-4703.md | 2 +-
windows/security/threat-protection/auditing/event-4704.md | 2 +-
windows/security/threat-protection/auditing/event-4705.md | 2 +-
windows/security/threat-protection/auditing/event-4717.md | 2 +-
windows/security/threat-protection/auditing/event-4718.md | 2 +-
windows/security/threat-protection/auditing/event-4732.md | 2 +-
windows/security/threat-protection/auditing/event-4733.md | 2 +-
windows/security/threat-protection/auditing/event-4751.md | 2 +-
windows/security/threat-protection/auditing/event-4752.md | 2 +-
windows/security/threat-protection/auditing/event-4768.md | 2 +-
windows/security/threat-protection/auditing/event-4771.md | 2 +-
windows/security/threat-protection/auditing/event-4776.md | 2 +-
windows/security/threat-protection/auditing/event-4778.md | 2 +-
windows/security/threat-protection/auditing/event-4779.md | 2 +-
21 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index c831b4a527..3ed6f22a6c 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -1842,11 +1842,11 @@ Available in the latest Windows 10 Insider Preview Build. Announces the presence
On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.
-If you enable this setting, the print spooler announces shared printers to the print browse master servers.
+If you enable this setting, the print spooler announces shared printers to the print browse main servers.
-If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available.
+If you disable this setting, shared printers are not announced to print browse main servers, even if Active Directory is not available.
-If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available.
+If you do not configure this setting, shared printers are announced to browse main servers only when Active Directory is not available.
> [!NOTE]
> A client license is used each time a client computer announces a printer to a print browse master on the domain.
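Review bot: The three "+" lines now say "print browse main servers", but the NOTE at the end of this hunk still says "print browse master", so the section uses two names for the same component. Update the NOTE in the same change, or keep one term throughout if it has to match the wording of the policy setting, and confirm that "main servers" is the agreed replacement term.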
diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md
index 608f2041b2..47b2fc60cb 100644
--- a/windows/client-management/windows-10-mobile-and-mdm.md
+++ b/windows/client-management/windows-10-mobile-and-mdm.md
@@ -978,7 +978,7 @@ This is a list of attributes that are supported by DHA and can trigger the corre
- **Boot Manager Version** The version of the Boot Manager running on the device. The HAS can check this version to determine whether the most current Boot Manager is running, which is more secure (trusted).
- **Code integrity version** Specifies the version of code that is performing integrity checks during the boot sequence. The HAS can check this version to determine whether the most current version of code is running, which is more secure (trusted).
- **Secure Boot Configuration Policy (SBCP) present** Specifies whether the hash of the custom SBCP is present. A device with an SBCP hash present is more trustworthy than a device without an SBCP hash.
-- **Boot cycle whitelist** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
+- **Boot cycle allow list** The view of the host platform between boot cycles as defined by the manufacturer compared to a published allow list. A device that complies with the allow list is more trustworthy (secure) than a device that is noncompliant.
#### Example scenario
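Review bot: The bolded label renamed on the "+" line is an entry in the list of attributes supported by DHA (per the hunk header), so it reads as an attribute name rather than free prose. Confirm that the attribute is actually reported under the "allow list" name before renaming the label; if it is not, keep the label as reported and leave the description, which already says "allow list", unchanged.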
diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
index 2876fbd034..d07348165d 100644
--- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
+++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md
@@ -32,7 +32,7 @@ This article describes how system administrators can upgrade eligible Windows Ph
The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. To determine if the device is eligible for an upgrade with MDM, see the [How to determine whether an upgrade is available for a device](#howto-upgrade-available) topic in this article. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in.
-If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whitelist) with app allow-lists that could adversely affect the device after you upgrade.
+If you use a list of allowed applications (app allow listing) with MDM, verify that system applications are allow-listed before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) with app allow-lists that could adversely affect the device after you upgrade.
Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can block the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to restrict the Upgrade Advisor app, see the [How to restrict the Upgrade Advisor app](#howto-restrict) section in this article. Enterprises that have restricted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis.
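Review bot: Dropping the `#whitelist` fragment on the "+" line makes the "known issues" link land at the top of new-in-windows-mdm-enrollment-management instead of at the known-issues section the sentence refers to. If the target heading was renamed, link to its new anchor; removing the fragment leaves the reader to find the section by hand.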
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index f34d8e3ae4..27db3be3f3 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -286,7 +286,7 @@ For 4624(S): An account was successfully logged on.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"New Logon\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **"New Logon\\Security ID"** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"New Logon\\Security ID"** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"New Logon\\Security ID"** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **"Subject\\Account Domain"** corresponding to accounts from another domain or "external" accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"New Logon\\Security ID"** that you are concerned about. |
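Review bot: The "+" line keeps `a "allow list-only" action`, which needs "an"; since the row is already being edited, fix the article here. The event-4648, event-4688, event-4696, event-4703, event-4704 and event-4705 hunks later in this patch produce the same phrase by replacing "whitelist-only", so apply the same fix there.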
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 8483ee08ac..44eb565de4 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -179,7 +179,7 @@ The following table is similar to the table in [Appendix A: Security monitoring
| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.
Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. |
-| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.
For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that don’t comply with naming conventions. |
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 39167d9431..6e90a42a1e 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -193,7 +193,7 @@ For 4688(S): A new process has been created.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "whitelist-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a "allow list-only" action, review the **"Creator Subject\\Security ID"** and **"Target Subject\\Security ID"** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or "external" accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** corresponding to accounts from another domain or "external" accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **"Creator Subject\\Security ID"** or **"Target Subject\\Security ID"** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index 520d0d5d1e..e35c7d44e0 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -153,7 +153,7 @@ For 4696(S): A primary token was assigned to process.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** and **“New Token Information\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or **“New Token Information\\Security ID”** that you are concerned about. |
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 243fa17ce2..3d024b8ccf 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -195,7 +195,7 @@ Otherwise, see the recommendations in the following table.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Security ID**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Security ID**” and **“Enabled Privileges”** to see what was enabled. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index 4dc7eb2c64..a4e0e07aa3 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -153,7 +153,7 @@ For 4704(S): A user right was assigned.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\ Account Name**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. Also check the “**Target Account\\Account Name**” and **“New Right”** to see what was enabled. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about.
Also check **“Target Account\\ Account Name”** to see whether the change in rights should be made on that computer for that account. |
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 9478ffd125..83accc384e 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -152,7 +152,7 @@ For 4705(S): A user right was removed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Target Account\\Account Name**” that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user rights policies, for example, an allow list of accounts that can perform certain actions, monitor this event to confirm that it was appropriate that the “**Removed Right**” was removed from “**Target** **Account\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Target Account\\Account Name”** to see whether the account type is as expected.
For example, if some accounts have critical user rights which should never be removed, monitor this event for the **“Target** **Account\\Account Name”** and the appropriate rights.
As another example, if non-administrative accounts should never be granted certain user rights (for example, **SeAuditPrivilege**), you might monitor this event, because a right can be removed only after it was previously granted. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Target Account\\Account Name**” to see whether user rights should be removed from that account (or whether that account should have any rights on that computer).
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Removed Right**” should be removed from “**Target** **Account\\Account Name**” in each case. |
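Review bot: In the added "Account allow list" row, "a “allow list-only” action" has the wrong article now that the quoted term starts with a vowel. Suggest "an “allow list-only” action" so the sentence reads correctly after the rename.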
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index 32576cdc3b..3b438e68d4 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -127,7 +127,7 @@ For 4717(S): System security access was granted to an account.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that any “**Access Right**” was granted only to the appropriate “**Account Modified\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), monitor this event for those accounts and rights. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be granted to that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be granted to “**Account Modified\\Account Name**” in each case. |
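Review bot: The added row in event-4717.md swaps the term word for word and leaves "a “allow list-only” action", which is both the wrong article and an awkward compound (it parses as "allow" plus "list-only"). Suggest "an “allow-list-only” action", or rewording to "If only accounts on the allow list should perform this action", and using the same wording in every file this patch touches.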
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index 2c7f91f8c7..75f96131fe 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -127,7 +127,7 @@ For 4718(S): System security access was removed from an account.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list.
If you have specific user logon rights policies, for example, an allow list of accounts that can log on to certain computers, monitor this event to confirm that it was appropriate that the “**Access Right**” was removed from “**Account Modified\\Account Name**.” |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** and “**Account Modified\\Account Name”** to see whether the account type is as expected.
For example, if critical remote network service accounts have user logon rights which should never be removed (for example, **SeNetworkLogonRight**), monitor this event for the **“Account Modified\\Account Name”** and the appropriate rights.
As another example, if non-service accounts should never be granted certain logon rights (for example, **SeServiceLogonRight**), you might monitor this event, because a right can be removed only after it was previously granted. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. Also be sure to check “**Account Modified\\Account Name**” to see whether logon rights should be removed from that account.
For high-value servers or other computers, we recommend that you track this event and investigate whether the specific “**Access Right**” should be removed from “**Account Modified\\Account Name**” in each case. |
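Review bot: The added row in event-4718.md reads "a “allow list-only” action"; the article should be "an". The unchanged second line of the cell (the “Access Right” removed from “Account Modified\\Account Name” guidance) is unaffected, so only the first line of the row needs the fix.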
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 43c74c4d05..543455432e 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -154,7 +154,7 @@ For 4732(S): A member was added to a security-enabled local group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
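Review bot: The added "Account allow list" row in event-4732.md says "a “allow list-only” action"; change the article to "an". Since this row tells the reader to check “Subject\\Security ID” against the allow list for local group additions, a hyphenated "allow-list-only" would also make the condition easier to read.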
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index b7bad044d0..2b749c0511 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -161,7 +161,7 @@ For 4733(S): A member was removed from a security-enabled local group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
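Review bot: The added row in event-4733.md carries the same "a “allow list-only” action" wording; it should be "an “allow list-only” action". This row is identical to the one added in event-4732.md, so one corrected sentence can be reused for both.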
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index a6ac4afde8..39888ce838 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -158,7 +158,7 @@ For 4751(S): A member was added to a security-disabled global group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
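Review bot: The added row in event-4751.md needs "an" rather than "a" before “allow list-only”. The only change in this hunk is the term rename, so the article fix can go in the same line without touching the surrounding rows.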
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index 7a81d28e4f..a1e4dff838 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -149,7 +149,7 @@ For 4752(S): A member was removed from a security-disabled global group.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** and **“Member\\Security ID”** that correspond to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Security ID”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
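Review bot: The added row in event-4752.md repeats "a “allow list-only” action"; use "an". The row text matches the one added in event-4751.md, so both should end up with the same corrected sentence.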
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index d4de56e2c7..cea554341c 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -305,7 +305,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“User ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“User ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“User ID”** for accounts that are outside the allow list. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. |
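Review bot: The added row in event-4768.md reads "a “allow list-only” action" and should read "an “allow list-only” action". The field reference differs from the other files (“User ID” here), so apply the wording fix by hand rather than copying a row from another event page.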
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index ec7a4064e5..c5aea23ecb 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -274,7 +274,7 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
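Review bot: The removed row in event-4771.md already had the "Account allow list" heading and only the quoted “whitelist-only” was left behind, so an earlier rename evidently missed text inside the cell; please search this file for any other remaining "whitelist" before merging. The replacement text also needs its article corrected to "an “allow list-only” action".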
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index d5d1fcdf4f..75dc6a4a69 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -130,7 +130,7 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. |
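Review bot: The added row in event-4776.md has "a “allow list-only” action"; the article should be "an". As with the removed line here, where the heading had already been renamed but the quoted term had not, it is worth checking the rest of the file for leftover occurrences that a heading-only replacement would have skipped.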
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 74b7630bc6..8293e41487 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -127,7 +127,7 @@ For 4778(S): A session was reconnected to a Window Station.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about. |
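Review bot: The added row in event-4778.md says "a “allow list-only” action"; change it to "an “allow list-only” action". The heading and the closing "outside the allow list" were already correct in the removed line, so the quoted term is the only part of the row this hunk needs to get right.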
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 7cf0dec285..f9c2757ab6 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -131,7 +131,7 @@ For 4779(S): A session was disconnected from a Window Station.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Account Name”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Account Name”** for accounts that are outside the whitelist. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Subject\\Account Name”** for accounts that are outside the allow list. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Subject\\Account Name”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions.
For example, you might have computers to which connections should not be made from certain accounts or addresses. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Account Name”** that you are concerned about.
If you have a target **Computer:** (or other target device) to which connections should not be made from certain accounts or addresses, monitor this event for the corresponding **Client Name** or **Client Address**. |
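Review bot: In the replaced "Account allow list" row for event 4779, the new text says "a “allow list-only” action"; the article should be "an". This is the same mechanical substitution seen in the other event-47xx files in this series, so it is worth fixing with one search across all of them rather than file by file. The row heading and the closing "outside the allow list" are now consistent with each other, which the old line was not.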
From 40664b79fbf7f9d650ee4220890c3ef2fe8a574b Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 28 Jun 2021 08:57:46 -0700
Subject: [PATCH 37/37] term up
---
windows/client-management/mdm/policy-csp-admx-printing.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
index 3ed6f22a6c..0781ec7432 100644
--- a/windows/client-management/mdm/policy-csp-admx-printing.md
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -1838,7 +1838,7 @@ ADMX Info:
-Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain.
+Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse main servers for the domain.
On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.
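Review bot: The replacement "print browse main servers" on the changed line is not a term that appears anywhere else in the visible context, and the sentence sits under "ADMX Info:", where the description normally mirrors the policy text an administrator sees. Please confirm the new wording still matches the policy's own description, or rephrase the sentence so it describes the role rather than swapping a single word inside an established name. The commit subject "term up" also gives no indication of which term was changed or why; a one-line explanation would help anyone reading the history of this file.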