diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index a13a98d8b4..26a30c88a6 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md @@ -8,7 +8,7 @@ ms.topic: article ms.prod: w11 ms.technology: windows author: lovina-saldanha -ms.date: 10/07/2021 +ms.date: 03/14/2022 --- # Secured-Core PC Configuration Lock 
@@ -89,45 +89,45 @@ Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally m |[ApplicationControl](applicationcontrol-csp.md) -|**MDM policies** | -|-----| -|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | -|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) | -|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) | -|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) | -|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) | -|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | -|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | -|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | -|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | 
-|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| -|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | -|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | -|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| -|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | 
-|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | +|**MDM policies** | **Supported by Group Policy** | +|-----|-----| +|[DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md) | No | +|[DataProtection/LegacySelectiveWipeID](policy-csp-dataprotection.md) | No | +|[DeviceGuard/ConfigureSystemGuardLaunch](policy-csp-deviceguard.md) | Yes | +|[DeviceGuard/EnableVirtualizationBasedSecurity](policy-csp-deviceguard.md) | Yes | +|[DeviceGuard/LsaCfgFlags](policy-csp-deviceguard.md) | Yes | +|[DeviceGuard/RequirePlatformSecurityFeatures](policy-csp-deviceguard.md) | Yes | +|[DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/PreventDeviceMetadataFromNetwork](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md) | Yes | +|[DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](policy-csp-deviceinstallation.md) | Yes | +|[DmaGuard/DeviceEnumerationPolicy](policy-csp-dmaguard.md) | Yes | +|[WindowsDefenderSecurityCenter/CompanyName](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableAccountProtectionUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableAppBrowserUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableClearTpmButton](policy-csp-windowsdefendersecuritycenter.md) | Yes | 
+|[WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableEnhancedNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableFamilyUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableHealthUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableNetworkUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableNotifications](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](policy-csp-windowsdefendersecuritycenter.md)| Yes | +|[WindowsDefenderSecurityCenter/DisableVirusUI](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/Email](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/EnableCustomizedToasts](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/EnableInAppCustomization](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/HideSecureBoot](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/HideTPMTroubleshooting](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/Phone](policy-csp-windowsdefendersecuritycenter.md) | Yes | +|[WindowsDefenderSecurityCenter/URL](policy-csp-windowsdefendersecuritycenter.md) | Yes | 
+|[SmartScreen/EnableAppInstallControl](policy-csp-smartscreen.md)| Yes | +|[SmartScreen/EnableSmartScreenInShell](policy-csp-smartscreen.md) | Yes | +|[SmartScreen/PreventOverrideForFilesInShell](policy-csp-smartscreen.md) | Yes | diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index 86cac31bd1..8078d99554 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md @@ -120,11 +120,9 @@ For information about creating or locating your subscription ID, see [Steps to o ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. -#### Use the following link and sign in to Azure - - +Send email to the MCC team ([mccforenterprise@microsoft.com](mailto:mccforenterprise@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal which will allow you to create the resource described below. 1. On the Azure Portal home page, choose **Create a resource**: ![eMCC img02](images/emcc02.png) @@ -527,7 +525,7 @@ You can either set your MCC IP address or FQDN using: **Verify Content using the DO Client** -To verify that Delivery Optimization client can download content using Microsoft Connected Cache you can execute the following steps: +To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: 1. Download a game or application from the Microsoft Store. diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index 5a7999d53e..ccdf0bbec3 100644 --- a/windows/deployment/do/mcc-isp.md 
+++ b/windows/deployment/do/mcc-isp.md @@ -111,9 +111,9 @@ For information about creating or locating your subscription ID, see [Steps to o ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. -Use the following link to sign in to Azure: +Send email to the MCC team ([msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal, which will allow you to create the resource described below. 1. Choose **Create a resource** diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml index b9edd5b644..75d0561ae3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml @@ -15,7 +15,7 @@ metadata: audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual - ms.date: 02/28/2019 + ms.date: 03/14/2022 ms.custom: bitlocker title: BitLocker Security FAQ 
@@ -41,7 +41,7 @@ sections: - question: | What are the implications of using the sleep or hibernate power management options? answer: | - BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. For improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). + BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it is configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since it remains unprotected data in RAM. Therefore, for improved security, we recommend disabling sleep mode and that you use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp). - question: | What are the advantages of a TPM? @@ -50,4 +50,4 @@ sections: > [!NOTE] > Configuring BitLocker with an additional factor of authentication provides even more protection against TPM hardware attacks. - \ No newline at end of file + 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 867be41703..bb6166a66f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 09/30/2021 + ms.date: 03/14/2022 ms.reviewer: manager: dansimp ms.custom: asr @@ -220,6 +220,11 @@ sections: 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. 2. Reboot the device. + + - question: | + What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do? + answer: | + This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office. additionalContent: | diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index cf455c976a..d5400d4de7 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -10,7 +10,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: manager: dansimp -ms.date: 09/09/2021 +ms.date: 03/14/2022 ms.custom: asr ms.technology: windows-sec --- 
@@ -215,20 +215,6 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Professional edition, version 1809 - Windows 11 -#### File trust options - -1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow users to trust files that open in Microsoft Defender Application Guard** setting. - -2. Click **Enabled**, set **Options** to **2**, and click **OK**. - - ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) - -3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. - -4. Open a file in Edge, such an Office 365 file. - -5. Check to see that an antivirus scan completed before the file was opened. - #### Camera and microphone options 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting. 
@@ -267,5 +253,5 @@ Once a user has the extension and its companion app installed on their enterpris 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png) -4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** - ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) \ No newline at end of file +4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window** + ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png)
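Review bot: the new **Supported by Group Policy** column added to the config-lock.md table (hunk @@ -89,45) is never defined, so a reader cannot tell whether "Yes" means an equivalent Group Policy setting exists for that MDM policy, or that Config Lock also reverts changes made through Group Policy; these are different statements with different security implications. Add one sentence above the table that says which meaning is intended, and consider linking each "Yes" row to the corresponding Group Policy setting in the policy CSP pages already linked in the first column.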
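Review bot: in the mcc-enterprise.md hunk (@@ -120,11), the replacement sentence drops the instruction to sign in to Azure, but step 1 that follows ("On the Azure Portal home page, choose **Create a resource**") still assumes the reader is already signed in with the subscription that was granted access; keep a short sign-in instruction before step 1. Two wording points: "Send email to the MCC team" should read "Send an email to the MCC team", and the sibling mcc-isp.md change has a comma after "the Azure portal" that this sentence lacks, so the two should be made consistent.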
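Review bot: in the mcc-isp.md hunk (@@ -111,9), removing "Use the following link to sign in to Azure:" leaves step 1 ("Choose **Create a resource**") with no stated precondition that the reader is signed in to the Azure subscription that was granted preview access; add that precondition back in the new sentence or as a step before step 1. Also, "Send email" should read "Send an email", and this file uses msconnectedcache@microsoft.com while mcc-enterprise.md uses mccforenterprise@microsoft.com; confirm the two addresses are intentionally different rather than a copy error.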
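Review bot: the sentence added in the bitlocker-security-faq.yml hunk (@@ -41,7) has a grammar error: "since it remains unprotected data in RAM" should be "since unprotected data remains in RAM". The "Therefore" that follows would also read better if the contrast with hibernate were explicit: the preceding sentence says returning from hibernation requires authentication, so stating that resuming from sleep does not pass through that startup authentication is what justifies recommending that sleep be disabled even when TPM+PIN is configured.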
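Review bot: in the faq-md-app-guard.yml hunk (@@ -220,6), "prior to version 2004" is ambiguous about whether version 2004 itself still shipped the policy; name the last version that included it. The answer also never says what the option did while it existed, which is what an administrator who still finds it in a GPO needs in order to decide that removing it is safe; one sentence on its original purpose plus an explicit statement that configuring it on current Windows has no effect would answer the question asked. Minor: "Group policy" should be "Group Policy", matching the capitalization used elsewhere in these docs (for example the BitLocker FAQ link text in this same PR).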
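Review bot: removing the **File trust options** section in test-scenarios-md-app-guard.md (hunk @@ -215,20) leaves images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png unreferenced from this page; delete the image or confirm another page still uses it. Also, the supported-versions list just above the removed section still includes Windows 10 Professional edition, version 1809, and the FAQ change in this same PR says the policy existed on versions before 2004, so readers on those builds lose the only documented test for it; consider keeping a one-line note that the option applies only to builds before version 2004 rather than dropping it silently.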
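Review bot: in the final test-scenarios-md-app-guard.md hunk (@@ -267,5), the comma in "Open a new Application Guard window, by selecting" is unnecessary and the step still ends without a period, unlike step 3 above it; suggest "4. Open a new Application Guard window by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**."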