mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 05:47:23 +00:00
Merge branch 'master' into v-gmoor-fix-pr-5361
This commit is contained in:
commit
267514ccac
@ -172,11 +172,15 @@ If you want to disable this policy, use the following SyncML:
</SyncBody>
</SyncML>
```

> [!NOTE]
> Currently only used space encryption is supported when using this CSP.

<!--/Policy-->
<!--Policy-->
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<!--Description-->
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
<!--/Description-->
<!--SupportedValues-->
<table>
@ -204,7 +208,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
<li>GP name: <em>EncryptionMethodWithXts_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -260,7 +264,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -289,7 +293,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Require additional authentication at startup</em></li>
<li>GP name: <em>ConfigureAdvancedStartup_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -368,7 +372,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -397,7 +401,7 @@ ADMX Info:
<ul>
<li>GP English name:<em>Configure minimum PIN length for startup</em></li>
<li>GP name: <em>MinimumPINLength_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
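Review bot: the `GP English name:<em>Configure minimum PIN length for startup</em>` entry in this hunk is missing the space after the colon that every other `GP English name: <em>...</em>` entry in the patch has; since the neighbouring GP path line is already being rewritten for casing, fix the spacing here as well.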
@ -444,7 +448,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL"
(PrebootRecoveryInfo_Name).
<!--/Description-->
<!--SupportedSKUs-->
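Review bot: the SystemDrivesRecoveryMessage description is split across two lines with no punctuation at the end of the first, `...Group Policy "Configure pre-boot recovery message and URL"` followed by `(PrebootRecoveryInfo_Name).` on its own line. Join them into one sentence, as the other descriptions in this patch do (compare the SystemDrivesRecoveryOptions description, which ends `(OSRecoveryUsage_Name).` on the same line).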
@ -474,7 +478,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
<li>GP name: <em>PrebootRecoveryInfo_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -534,7 +538,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -563,7 +567,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
<li>GP name: <em>OSRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Operating System Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -631,7 +635,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
<!--/Description-->
<!--SupportedSKUs-->
<table>
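Review bot: the FixedDrivesRecoveryOptions description still ends with empty parentheses, `"Choose how BitLocker-protected fixed drives can be recovered" ().`, where the sibling descriptions give the Group Policy name. The ADMX Info block for this policy lists it as `FDVRecoveryUsage_Name`, so fill that in while the line is being rewritten.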
@ -660,7 +664,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
<li>GP name: <em>FDVRecoveryUsage_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -737,7 +741,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -766,7 +770,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
<li>GP name: <em>FDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Fixed Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
@ -806,7 +810,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
<!--/Description-->
<!--SupportedSKUs-->
<table>
@ -835,7 +839,7 @@ ADMX Info:
<ul>
<li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
<li>GP name: <em>RDVDenyWriteAccess_Name</em></li>
<li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Removeable Drives</em></li>
<li>GP path: <em>Windows Components/BitLocker Drive Encryption/Removeable Drives</em></li>
<li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
</ul>
<!--/ADMXMapped-->
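Review bot: both the old and the new GP path line in this hunk spell the folder `Removeable Drives`, so the casing fix carries the misspelling forward. Check the category name in VolumeEncryption.admx and, if it is `Removable`, correct it in the rewritten line at the same time.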

@ -114,7 +114,7 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.
> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition.

Specifies whether the user must input a PIN or password when the device resumes from an idle state.

@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices:
- 1 - Digits only
- 2 - Digits and lowercase letters are required
- 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts.
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop.
- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens.

The default value is 1. The following list shows the supported values and actual enforced values:


@ -90,7 +90,7 @@ If you suspect that the machine is in a state of port exhaustion:



3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.




@ -47,7 +47,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |

### Group policies

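Review bot: the anchor in the new link, `#system-allowUpdateComplianceProcessing`, is mixed-case while every other anchor in this table is lowercase (`#system-allowtelemetry`, `#system-configuretelemetryoptinsettingsux`, `#system-allowdevicenameindiagnosticdata`); use `#system-allowupdatecomplianceprocessing` so the link lands on the section the same way the sibling links do.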

@ -103,9 +103,9 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E

If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)

#### Multi-factor authentication
#### Multifactor authentication

An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
An issue has been identified with Hybrid Azure AD joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.

To resolve this issue:

@ -226,7 +226,8 @@ When you have the required Azure AD subscription, group-based licensing is the p

If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.

Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
> [!CAUTION]
> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience).

If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.

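Review bot: the new CAUTION keeps the informal wording `only when we go through OOBE (Out Of Box Experience)`; since the line is being rewritten into an alert anyway, suggest `only when the device goes through the Out Of Box Experience (OOBE)`, which also states whose activation is meant.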

@ -27,13 +27,13 @@ ms.date: 5/21/2021

This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.

Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.

> [!IMPORTANT]
> - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices.
> - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic)
> - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features.
> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features.
> - It is recommended that you restart a device after making configuration changes to it.
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.

@ -48,7 +48,7 @@ We are always striving to improve our documentation and welcome your feedback. Y

## Management options for each setting

The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections
The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections

### Settings for Windows 10 Enterprise edition

@ -103,12 +103,14 @@ The following table lists management options for each setting, beginning with Wi
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
| [22. Teredo](#bkmk-teredo) | |  |  |
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
| [24. Windows Defender](#bkmk-defender) | |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
| [30. Cloud Clipboard](#bkmk-clcp) | |  | |
| [31. Services Configuration](#bkmk-svccfg) | |  |  |


### Settings for Windows Server 2016 with Desktop Experience
@ -131,7 +133,7 @@ See the following table for a summary of the management settings for Windows Ser
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
| [22. Teredo](#bkmk-teredo) | |  |  |
| [24. Windows Defender](#bkmk-defender) | |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
@ -148,7 +150,7 @@ See the following table for a summary of the management settings for Windows Ser
| [14. Network Connection Status Indicator](#bkmk-ncsi) |  |  |
| [19. Software Protection Platform](#bkmk-spp) |  |  |
| [22. Teredo](#bkmk-teredo) |  |  |
| [24. Windows Defender](#bkmk-defender) |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) |  |  |
| [29. Windows Update](#bkmk-wu) |  |  |

### Settings for Windows Server 2016 Nano Server
@ -213,12 +215,14 @@ See the following table for a summary of the management settings for Windows Ser
| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
| [22. Teredo](#bkmk-teredo) | |  |  |
| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
| [24. Windows Defender](#bkmk-defender) | |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
| [30. Cloud Clipboard](#bkmk-clcp) | |  | |
| [31. Services Configuration](#bkmk-svccfg) | |  |  |

## How to configure each setting

@ -423,7 +427,7 @@ To turn off Insider Preview builds for Windows 10:
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. <br /> **Set Value to: Disabled**|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar. <br /> **Set Value to: Enabled** </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> **Set Value to: Enabled**|
| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
| Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|


| Registry Key | Registry path |
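Review bot: the rewritten row renames the policy to `Prevent managing Microsoft Defender SmartScreen` but leaves `Select Windows Defender SmartScreen mode` later in the same line. If the Internet Explorer policy UI still labels that option with the old name, keep it as a literal UI label; otherwise rename it too, so one row does not carry both names.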
@ -432,7 +436,7 @@ To turn off Insider Preview builds for Windows 10:
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer<br />REG_DWORD: AllowServicePoweredQSA <br />**Set Value to: 0**|
| Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete<br/>REG_SZ: AutoSuggest <br />Set Value to: **no** |
| Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation<br/>REG_DWORD: PolicyDisableGeolocation <br />**Set Value to: 1** |
| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter<br/>REG_DWORD: EnabledV9 <br />**Set Value to: 0** |
| Prevent managing Microsoft Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter<br/>REG_DWORD: EnabledV9 <br />**Set Value to: 0** |

There are more Group Policy objects that are used by Internet Explorer:

@ -569,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.<br /> **Set to Enabled** |
| Configure Password Manager | Choose whether employees can save passwords locally on their devices. <br /> **Set to Disabled** |
| Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions. <br /> **Set to Disabled** |
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off. <br /> **Set to Disabled** |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> **Set to Disabled** |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> **Enabled** and **Set this to <<about:blank>>** |
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> **Set to: Enable** |
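Review bot: the first column of the changed row still reads `Configure Windows Defender SmartScreen (Windows 10, version 1703)` while its description now says `Microsoft Defender SmartScreen`. The first column is the Group Policy's display name, so it should match whatever the policy editor shows for that version; either update both or keep the description aligned with the old name rather than leaving the row split between the two.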
@ -594,7 +598,9 @@ Alternatively, you can configure the following Registry keys as described:

### <a href="" id="bkmk-edgegp"></a>13.2 Microsoft Edge Enterprise

> [!Important]
For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies).

> [!IMPORTANT]
> - The following settings are applicable to Microsoft Edge version 77 or later.
> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems).
> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge).
@ -602,34 +608,20 @@ Alternatively, you can configure the following Registry keys as described:

| Policy | Group Policy Path | Registry Path |
|----------------------------------|--------------------|---------------------------------------------|
| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** |
| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** |
| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** |
| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** |
| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** |
| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** |
| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** |
| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** |
| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** |
| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge |
| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** |
| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs |
| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** |
| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** |
| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** |
| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate |
| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** |
| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: SearchSuggestEnabled Set to 0**|
|
||||
| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: AutofillAddressEnabled Set to 0**|
|
||||
| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: AutofillCreditCardEnabled Set to 0**|
|
||||
| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track <br> **Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: ConfigureDoNotTrack Set to 1** |
|
||||
| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: PasswordManagerEnabled Set to 0**|
|
||||
| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: DefaultSearchProviderEnabled Set to 0**|
|
||||
| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen <br> **Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: HideFirstRunExperience Set to 1**|
|
||||
| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: SmartScreenEnabled Set to 0**|
|
||||
| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL <br> **Set to Enabled-Value “about:blank”**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_SZ name: NewTabPageLocation Set to about:blank**|
|
||||
| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup <br> **Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge <br> **REG_DWORD name: RestoreOnStartup Set to 5**|
|
||||
| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts <br> **Set to Disabled**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs <br> **REG_SZ name: 1 Set to about:blank**|
|
||||
| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default <br> **Set to Enabled - 'Updates disabled'** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate <br> **REG_DWORD name: UpdateDefault Set to 0**|
|
||||
| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override <br> **Set to Enabled - Set Value for Minutes between update checks to 0**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate <br> **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0**|
|
||||
|**Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override <br> **Set to RestrictedMode**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate <br> **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0**|
|
||||
|||
|
||||
|
||||
### <a href="" id="bkmk-ncsi"></a>14. Network Connection Status Indicator
|
||||
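Review bot: the last row of the new table, Experimentation and Configuration Service, repeats the Group Policy path and the EdgeUpdate registry hive of the AutoUpdateCheckPeriodMinutes row above it ("Microsoft Edge Update/Preferences- Auto-update check period override") even though its value name is ExperimentationAndConfigurationServiceControl and its setting is "RestrictedMode"; that looks copied from the previous row and needs this policy's own GP path and key. Two rows also pair a GP state with a registry value it cannot produce: RestoreOnStartup says "Set to Disabled" yet writes REG_DWORD 5, and RestoreOnStartupURLs says "Set to Disabled" yet writes entry 1 = about:blank; state the Enabled value that yields those writes. Since the table sets UpdateDefault to "Updates disabled", AutoUpdateCheckPeriodMinutes to 0 and SmartScreenEnabled to 0, add one sentence saying that a device configured this way receives no Edge updates and no SmartScreen reputation checks, so this is a traffic-restriction baseline and not a hardening recommendation.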
@ -925,7 +917,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin

- Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one).

To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:
To turn off **Turn on Microsoft Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**:

- Turn off the feature in the UI.

@ -1628,13 +1620,13 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha

When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.

### <a href="" id="bkmk-defender"></a>24. Windows Defender
### <a href="" id="bkmk-defender"></a>24. Microsoft Defender Antivirus

You can disconnect from the Microsoft Antimalware Protection Service.

> [!IMPORTANT]
> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903**
> 1. Ensure Windows and Windows Defender are fully up to date.
> **Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903**
> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date.
> 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.

- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
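Review bot: step 2 of the IMPORTANT block has the reader switch Tamper Protection Off so the MAPS policy or registry key can be written, but no step turns it back On afterwards; add a closing step once the policy has applied, otherwise the Defender settings this section changes stay modifiable by any local administrator, or by malware running as one, rather than only by policy. The bullet "**Enable** the Group Policy ... and then select **Disabled** from the drop-down box" also reads as a contradiction on first pass; "set the policy to Enabled and choose Disabled in the Join Microsoft MAPS drop-down" says the same thing unambiguously.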
@ -1699,9 +1691,9 @@ You can turn off **Enhanced Notifications** as follows:
- Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**.


### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Windows Defender SmartScreen
### <a href="" id="bkmk-defender-smartscreen"></a>24.1 Microsoft Defender SmartScreen

To disable Windows Defender SmartScreen:
To disable Microsoft Defender SmartScreen:

In Group Policy, configure:

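Review bot: the registry path on the first (unchanged) line of this hunk mixes escaping: `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting` doubles every backslash except the one before `Reporting`. The other paths on this page double all of them inside bold text, so write `Windows Defender\\Reporting` for consistency; while the hunk is being touched for the SmartScreen rename, that is the place to fix it.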
@ -1942,6 +1934,29 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre

- Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**.

### <a href="" id="bkmk-clcp"></a>30. Cloud Clipboard

Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices.

Most restricted value is 0.

ADMX Info:

- GP English name: Allow Clipboard synchronization across devices<br>
- GP name: AllowCrossDeviceClipboard<br>
- GP path: System/OS Policies<br>
- GP ADMX file name: OSPolicy.admx<br>

The following list shows the supported values:<br>
0 – Not allowed. 1 (default) – Allowed.<br>

### <a href="" id="bkmk-svccfg"></a>31. Services Configuration

Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working.

You can turn off Services Configuration by setting the following registry entries:

Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**.

### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline

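Review bot: new section 30 (Cloud Clipboard) gives ADMX information but no registry entry, while every other section in this hunk and on this page (the HapDownloadEnabled bullet above it, section 31 below it) names the REG_DWORD and key to set; add the registry equivalent of AllowCrossDeviceClipboard = 0 (I would expect it under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System, please confirm against OSPolicy.admx) so readers who do not deploy the ADMX can apply it. The section also pastes CSP text as-is: "Most restricted value is 0." duplicates the supported-values list two paragraphs later, and the trailing `<br>` on each ADMX bullet is unnecessary in a Markdown list. In section 31, "setting the following registry entries" is followed by exactly one entry; say "entry".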
@ -193,7 +193,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin

10. On the **Request Handling** tab, select the **Renew with same key** check box.

11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
11. On the **Security** tab, click **Add**. Type **Windows Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.

12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 02/11/2020
ms.date: 07/01/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -25,21 +25,23 @@ The threat landscape is continually evolving. While hackers are busy developing
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.

## Hardware requirements
Your environment needs the following hardware to run Microsoft Defender Application Guard.

Your environment must have the following hardware to run Microsoft Defender Application Guard.

| Hardware | Description |
|--------|-----------|
| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_ <p> **AND** <p> One of the following virtualization extensions for VBS:<br/>VT-x (Intel)<br/>**OR**<br/>AMD-V |
| Hardware memory | Microsoft requires a minimum of 8GB RAM |
| Hard disk | 5 GB free space, solid state disk (SSD) recommended |
| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended |

## Software requirements
Your environment needs the following software to run Microsoft Defender Application Guard.

Your environment must have the following software to run Microsoft Defender Application Guard.

| Software | Description |
|--------|-----------|
|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Professional for Workstations edition, version 1803 or higher<br>Windows 10 Professional Education edition version 1803 or higher<br>Windows 10 Education edition, version 1903 or higher<br>Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. |
|Browser|Microsoft Edge and Internet Explorer|
|Management system<br> (only for managed devices)|[Microsoft Intune](/intune/)<br><br>**-OR-**<br><br>[Microsoft Endpoint Configuration Manager](/configmgr/)<br><br>**-OR-**<br><br>[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
| Operating system | Windows 10 Enterprise edition, version 1805 or higher <br/> Windows 10 Professional edition, version 1805 or higher <br/> Windows 10 Professional for Workstations edition, version 1805 or higher <br/> Windows 10 Professional Education edition, version 1805 or higher <br/> Windows 10 Education edition, version 1805 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |
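Review bot: the new Operating system row sets every edition to "version 1805 or higher", but 1805 is not a Windows 10 release; the row it replaces used 1709 (Enterprise), 1803 (Professional editions) and 1903 (Education), and Windows 10 version numbers follow the YYMM pattern those values show (1709, 1803, 1809, 1903), so confirm the intended version per edition instead of collapsing them to a number that does not exist. The Browser row drops Internet Explorer without comment; if IE is no longer a supported Application Guard host, say so in the text rather than only removing it from the table, since readers with an existing IE-based deployment will otherwise not notice the change. Minor: "8GB RAM" in the Hardware memory row should be "8 GB RAM" to match "5 GB" in the row below it.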
@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 07/01/2021
ms.technology: mde
---

@ -92,7 +92,7 @@ Overwriting the administrator's password does not help the attacker access data

Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting.

To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25.
To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25.

When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry.

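Review bot: "changed" to "cached" is the right fix, but the sentence it sits in still names the **cachedlogonscount** entry without saying where it lives or what type it is, so the instruction cannot be followed as written; add the key (it is a string value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, please verify) and note that 0 disables caching entirely, which is the most restrictive setting but also means nobody can log on when no domain controller is reachable. The same paragraph states the default twice and inconsistently: "ten most recent valid logons" and then "10 cached logons, except Windows Server 2008 and later, which are set at 25"; keep one sentence that gives both the client and the server default.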
@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/02/2018
ms.date: 07/01/2021
ms.technology: mde
---

@ -46,7 +46,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum
2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**.
3. Verify that the status for the Application Identity service is **Running**.

Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead:
Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead:

- Open an elevated command prompt or PowerShell session and type:

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.date: 12/28/2020
ms.date: 07/01/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@ -38,7 +38,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)

2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.




### Windows Security Center

@ -64,7 +64,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >

To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.




> [!NOTE]
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
@ -74,7 +74,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.|
|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory). <br/>Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. <br/>Must NOT have execute and write permissions for the same page <br/>Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType. <br/>BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
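Review bot: the revised TPM row contradicts itself within one sentence: it keeps "Integrated/firmware TPMs are not supported" and then admits Intel PTT while calling it "a type of integrated hardware TPM". PTT is the integrated case the first sentence rules out (it is implemented in platform firmware, not as a discrete part), so either the blanket exclusion or the exception has to go. Suggested wording for the cell: "Platforms must support a discrete TPM 2.0, or Intel Platform Trust Technology (PTT) on the Intel platforms this table covers; other integrated/firmware TPMs are not supported." That keeps the security requirement (a TPM the Secure Launch measurements can be anchored in) without describing PTT as something it is not.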
@ -38,7 +38,9 @@ To install or upgrade to Windows 11, devices must meet the following minimum har
- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
- Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.

\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).
\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications).

Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/).

For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility).