mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-23 10:47:22 +00:00
Merge branch 'master' into quarentine-file
commit
28a91343eb
@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso

## Other Resources

### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions)
- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting)
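Review bot: the link target moves from `.../troubleshoot/windows-server-support-solutions` to `.../troubleshoot/windows-server-troubleshooting` while the link text stays the same, and a `###` heading becomes a `-` bullet; confirm the new path resolves directly rather than through a redirect, and if "Other Resources" is now a bullet list, any neighbouring entries under that heading should use the same marker.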
@ -17,13 +17,14 @@ ms.topic: article

# Manually Configuring Devices for Update Compliance

There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.

The requirements are separated into different categories:

1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected.

## Required policies

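Review bot: new item 4 says to run a full Census sync "on new devices", but the section it links to says the Update Compliance Configuration Script already does this; state here that item 4 applies to devices configured manually, which is what this page covers. While editing this list, item 2 (context line) reads "Devices in every network topography needs to send data"; it should be "network topology need to send data".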
@ -75,3 +76,14 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic
## Required services

Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.


## Run a full Census sync

Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this.

A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:

1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**.
2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required.
3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
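Review bot: step 3 makes resetting **FullSync** optional ("can be removed or set to **0**"), while the paragraph above says the value "should be disabled" for Census to work normally; make step 3 a "must" and say why: a value left at 1 keeps overriding Census's configuration, so every scheduled run becomes the full sync that the section explains is costly in network and system resources. Step 2 would also be more precise with the full path `%SystemRoot%\System32\Devicecensus.exe` than with "is in the System32 folder", and step 1 should note that writing under **HKLM** needs the same elevated session that step 2 already requires.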
@ -17,11 +17,6 @@ ms.topic: article

# Monitor Windows Updates with Update Compliance

> [!IMPORTANT]
> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020.
> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to for threats with [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) and [Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection).
> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance.

## Introduction

Update Compliance enables organizations to:
@ -116,6 +116,7 @@ You may choose to apply a rule to permit HTTP RANGE requests for the following U

*.download.windowsupdate.com
*.dl.delivery.mp.microsoft.com
*.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com

If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work).
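Review bot: the four hostnames, including the added `*.emdl.ws.microsoft.com`, are bare lines rather than list items, so Markdown runs them into a single paragraph, and a line beginning with `*.` followed by another line beginning with `*` can be parsed as emphasis; the endpoint list in the next hunk already uses backticked `-` items, so write these the same way, for example `- \`*.emdl.ws.microsoft.com\``.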
@ -166,6 +167,10 @@ Check that your device can access these Windows Update endpoints:
- `http://*.download.windowsupdate.com`
- `http://wustat.windows.com`
- `http://ntservicepack.microsoft.com`
- `https://*.prod.do.dsp.mp.microsoft.com`
- `http://*.dl.delivery.mp.microsoft.com`
- `https://*.delivery.mp.microsoft.com`
- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`

Allow these endpoints for future use.

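Review bot: the four added hosts mix schemes (`https://*.prod.do.dsp.mp.microsoft.com` and `https://*.delivery.mp.microsoft.com` against `http://*.dl.delivery.mp.microsoft.com`), and the existing "Allow these endpoints for future use" does not say which feature depends on them or whether both HTTP and HTTPS must be permitted; state the scheme each endpoint actually uses and what it serves, because an allowlist entry that only permits the wrong scheme fails silently at download time.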
@ -64,10 +64,10 @@ A final set of changes includes two new policies that can help you fine-tune dia

- The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps.
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection**
- MDM policy: System/ LimitDiagnosticLogCollection
- MDM policy: System/LimitDumpCollection
- The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft.
- Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection**
- MDM policy: System/LimitDumpCollection
- MDM policy: System/LimitDiagnosticLogCollection

>[!Important]
>All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier.
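Review bot: the description of **Limit diagnostic log collection** (context line) says the policy "limits the number of diagnostic logs" and then that logs "are not sent back to Microsoft", which contradicts itself; pick one. The swap itself is correct: `System/LimitDumpCollection` now sits under **Limit dump collection** and `System/LimitDiagnosticLogCollection` under **Limit diagnostic log collection**, and the stray space in `System/ LimitDiagnosticLogCollection` is gone. The Important note's "will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier" would read better as "are not available on Windows 10, version 1809 and earlier, or on Windows Server 2019 and earlier".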
@ -44,11 +44,12 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than

Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials.

1. Open an elevated command prompt.
2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
3. To update the schema, type ```adprep /forestprep```.
4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema.
5. Close the Command Prompt and sign-out.
1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media.
2. Open an elevated command prompt.
3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO.
4. To update the schema, type ```adprep /forestprep```.
5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema.
6. Close the Command Prompt and sign-out.

## Create the KeyCredential Admins Security Global Group

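Review bot: the new step 1 mounts the ISO or inserts the DVD, but the lead sentence still only says to sign in to the schema master; say that the media is mounted on that domain controller, since the `x:` in step 3 refers to it. Also, "sign-out" in step 6 is a verb and should be "sign out", and the inline commands use triple backticks where single backticks are the convention for inline code.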
@ -77,9 +77,7 @@ Communicating with Azure Active Directory uses the following URLs:
- login.windows.net

If your environment uses Microsoft Intune, you need these additional URLs:
- enrollment.manage-beta.microsoft.com
- enrollment.manage.microsoft.com
- portal.manage-beta.microsoft.com
- portal.manage.microsoft.com

## What is the difference between non-destructive and destructive PIN reset?
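Review bot: the hunk header (-9/+7) shows two of the four Intune hosts being removed, but the rendered diff does not mark which; if `enrollment.manage-beta.microsoft.com` and `portal.manage-beta.microsoft.com` are the ones going, say so in the commit message so administrators know those proxy allowlist entries can be retired. The remaining entries, like `login.windows.net` above them, carry no scheme; stating that these are HTTPS endpoints would make the allowlist intent explicit.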
@ -49,7 +49,7 @@ In this task you will

### Configure Active Directory to support Domain Administrator enrollment

The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.

Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute.

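Review bot: the attribute name is inconsistent between the two paragraphs: the edited sentence says `msDS-KeyCredentialsLink` and the AdminSDHolder paragraph says `msDS-KeyCredential`; the schema attribute is `msDS-KeyCredentialLink`, and the AdminSDHolder sentence is the one that matters for security, because the ACE granted there is what stops the hourly AdminSDHolder reset from stripping the Key Admins permissions off protected accounts. The edited sentence also still mixes tenses ("You provided these permissions ... and use object inheritance"); "You provide ... and use" reads better.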
@ -301,35 +301,32 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted

Sign-in a workstation with access equivalent to a _domain user_.

1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Click **device enrollment**.
4. Click **Windows enrollment**
5. Under **Windows enrollment**, click **Windows Hello for Business**.

6. Under **Priority**, click **Default**.
7. Under **All users and all devices**, click **Settings**.
8. Select **Enabled** from the **Configure Windows Hello for Business** list.
9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys.
10. Type the desired **Minimum PIN length** and **Maximum PIN length**.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**.
3. Choose **Enroll devices**.
4. Select **Windows enrollment**.
5. Under **Windows enrollment**, select **Windows Hello for Business**.

6. Select **Enabled** from the **Configure Windows Hello for Business** list.
7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
> [!IMPORTANT]
> The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6.
> The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.



11. Select the appropriate configuration for the following settings.
9. Select the appropriate configuration for the following settings:
* **Lowercase letters in PIN**
* **Uppercase letters in PIN**
* **Special characters in PIN**
* **PIN expiration (days)**
* **Remember PIN history**

> [!NOTE]
> The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.

12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
13. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
14. Click **Save**
15. Sign-out of the Azure portal.
10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
11. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
12. Choose **Save**.
13. Sign out of the Microsoft Endpoint Manager admin center.

> [!IMPORTANT]
> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication).
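Review bot: the new step 7 carries over the typo "falls backs to software" from old step 9; it should be "falls back to software". The rewritten Important note spells out "six" and "four" but keeps the weak advice "If you do not have a desired PIN length, set the minimum PIN length to six"; since the note's own point is that Intune's default of four lowers PIN security, "Set the minimum PIN length to at least six" states the requirement directly. The lead sentence "Sign-in a workstation with access equivalent to a _domain user_" (context) also still uses the hyphenated verb that the new step 1 corrected to "Sign in".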
@ -71,7 +71,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.

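Review bot: step 6 (context) has an unbalanced quote, `"Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.` opens a double quote that never closes, and the `<ObjectIdentifier from step 5>` placeholder will be swallowed as an HTML tag when rendered; put the commands in inline code and write the placeholder as `<ObjectIdentifier>` inside the backticks. The edited step 5 now supplies the ClientRoleIdentifier `38aa3b87-a06d-4817-b275-7a316988d93b`, which is what the reader needs to pick the right permission, but "that has the ClientRoleIdentifier is equal to" should read "whose ClientRoleIdentifier is".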
Binary file not shown.
After: Size: 52 KiB
@ -21,6 +21,7 @@ ms.custom: bitlocker
# BitLocker basic deployment

**Applies to**

- Windows 10

This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
@ -31,7 +32,8 @@ BitLocker provides full volume encryption (FVE) for operating system volumes, as

In the event that the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.

> **Note:** For more info about using this tool, see [Bdehdcfg](https://technet.microsoft.com/library/ee732026.aspx) in the Command-Line Reference.
> [!NOTE]
> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.

BitLocker encryption can be done using the following methods:

@ -48,51 +50,15 @@ To start encryption for a volume, select **Turn on BitLocker** for the appropria
### Operating system volume

Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Requirement</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Hardware configuration</p></td>
<td align="left"><p>The computer must meet the minimum requirements for the supported Windows versions.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Operating system</p></td>
<td align="left"><p>BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Hardware TPM</p></td>
<td align="left"><p>TPM version 1.2 or 2.0</p>
<p>A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.</p></td>
</tr>
<tr class="even">
<td align="left"><p>BIOS configuration</p></td>
<td align="left"><ul>
<li><p>A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</p></li>
<li><p>The boot order must be set to start first from the hard disk, and not the USB or CD drives.</p></li>
<li><p>The firmware must be able to read from a USB flash drive during startup.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p>File system</p></td>
<td align="left"><p>For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.</p>
<p>For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.</p>
<p>For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Hardware encrypted drive prerequisites (optional)</p></td>
<td align="left"><p>To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.</p></td>
</tr>
</tbody>
</table>

|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. <p> A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|BIOS configuration|<li> A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.</li> <li> The boot order must be set to start first from the hard disk, and not the USB or CD drives.</li> <li> The firmware must be able to read from a USB flash drive during startup.</li>|
|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive. <br/> For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. <br/> For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|

Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive.
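Review bot: the converted table mixes raw HTML inside Markdown cells three different ways: the **Hardware TPM** row uses a bare `<p>`, the **BIOS configuration** row uses `<li>` items with no enclosing `<ul>`, and the **File system** row uses `<br/>`; use `<br/>` in all three so the cells render consistently. The BIOS row matters most, since it holds the pre-boot requirements ("The boot order must be set to start first from the hard disk, and not the USB or CD drives") and should render as separate lines rather than a run-on.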
@ -106,7 +72,8 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W

It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option.

> **Note:** Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
> [!NOTE]
> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.

Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.

@ -143,52 +110,20 @@ The following table shows the compatibility matrix for systems that have been Bi

Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes

<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p>Encryption Type</p></td>
<td align="left"><p>Windows 10 and Windows 8.1</p></td>
<td align="left"><p>Windows 8</p></td>
<td align="left"><p>Windows 7</p></td>
</tr>
<tr class="even">
<td align="left"><p>Fully encrypted on Windows 8</p></td>
<td align="left"><p>Presents as fully encrypted</p></td>
<td align="left"><p>N/A</p></td>
<td align="left"><p>Presented as fully encrypted</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Used Disk Space Only encrypted on Windows 8</p></td>
<td align="left"><p>Presents as encrypt on write</p></td>
<td align="left"><p>N/A</p></td>
<td align="left"><p>Presented as fully encrypted</p></td>
</tr>
<tr class="even">
<td align="left"><p>Fully encrypted volume from Windows 7</p></td>
<td align="left"><p>Presents as fully encrypted</p></td>
<td align="left"><p>Presented as fully encrypted</p></td>
<td align="left"><p>N/A</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Partially encrypted volume from Windows 7</p></td>
<td align="left"><p>Windows 10 and Windows 8.1 will complete encryption regardless of policy</p></td>
<td align="left"><p>Windows 8 will complete encryption regardless of policy</p></td>
<td align="left"><p>N/A</p></td>
</tr>
</tbody>
</table>

|||||
|--- |--- |--- |--- |
|Encryption Type|Windows 10 and Windows 8.1|Windows 8|Windows 7|
|Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted|
|Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|
|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
|Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|

## <a href="" id="bkmk-dep3"></a>Encrypting volumes using the manage-bde command line interface

Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx).
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).

Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.

Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.

### Operating system volume
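Review bot: the new table opens with an empty header row (`|||||` followed by the separator) and puts "Encryption Type | Windows 10 and Windows 8.1 | Windows 8 | Windows 7" in the first body row, so the column names render as data under blank headers; make that row the header and drop `|||||`. The "Table 1:" caption above it still applies but will now render as an ordinary paragraph, which is acceptable.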
@ -246,6 +181,7 @@ manage-bde -on C:
## <a href="" id="bkmk-dep4"></a>Encrypting volumes using the BitLocker Windows PowerShell cmdlets

Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.

<table>
<colgroup>
<col width="50%" />
@ -253,11 +189,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><b>Name</b></p></td>
<td align="left"><p><b>Parameters</b></p></td>
<td align="left"><p><strong>Name</strong></p></td>
<td align="left"><p><strong>Parameters</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
<td align="left"><p>-ADAccountOrGroup</p>
<p>-ADAccountOrGroupProtector</p>
<p>-Confirm</p>
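Review bot: swapping `<b>` for `<strong>` is fine, but this cmdlet table stays as raw HTML while the two tables earlier in the commit were converted to Markdown; converting it the same way would be consistent, and if it stays HTML, the "Name / Parameters" row belongs in a `<thead>` with `<th>` cells rather than as bold text in the first `<tbody>` row.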
@ -279,26 +215,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><b>Backup-BitLockerKeyProtector</b></p></td>
<td align="left"><p><strong>Backup-BitLockerKeyProtector</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-KeyProtectorId</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Disable-BitLocker</b></p></td>
<td align="left"><p><strong>Disable-BitLocker</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><b>Disable-BitLockerAutoUnlock</b></p></td>
<td align="left"><p><strong>Disable-BitLockerAutoUnlock</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Enable-BitLocker</b></p></td>
<td align="left"><p><strong>Enable-BitLocker</strong></p></td>
<td align="left"><p>-AdAccountOrGroup</p>
<p>-AdAccountOrGroupProtector</p>
<p>-Confirm</p>
@ -323,44 +259,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><b>Enable-BitLockerAutoUnlock</b></p></td>
<td align="left"><p><strong>Enable-BitLockerAutoUnlock</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Get-BitLockerVolume</b></p></td>
<td align="left"><p><strong>Get-BitLockerVolume</strong></p></td>
<td align="left"><p>-MountPoint</p></td>
</tr>
<tr class="odd">
<td align="left"><p><b>Lock-BitLocker</b></p></td>
<td align="left"><p><strong>Lock-BitLocker</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-ForceDismount</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Remove-BitLockerKeyProtector</b></p></td>
<td align="left"><p><strong>Remove-BitLockerKeyProtector</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-KeyProtectorId</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><b>Resume-BitLocker</b></p></td>
<td align="left"><p><strong>Resume-BitLocker</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><b>Suspend-BitLocker</b></p></td>
<td align="left"><p><strong>Suspend-BitLocker</strong></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-RebootCount</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><b>Unlock-BitLocker</b></p></td>
<td align="left"><p><strong>Unlock-BitLocker</strong></p></td>
<td align="left"><p>-AdAccountOrGroup</p>
<p>-Confirm</p>
<p>-MountPoint</p>
@ -374,25 +310,35 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
|
||||
</table>
|
||||
|
||||
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
|
||||
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLocker</code> volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
|
||||
Occasionally, all protectors may not be shown when using <b>Get-BitLockerVolume</b> due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
|
||||
|
||||
> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
|
||||
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
|
||||
|
||||
`Get-BitLockerVolume C: | fl`
|
||||
Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
|
||||
|
||||
> [!NOTE]
|
||||
> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
|
||||
|
||||
```powershell
|
||||
Get-BitLockerVolume C: | fl
|
||||
```
|
||||
|
||||
If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
|
||||
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
|
||||
|
||||
```powershell
|
||||
$vol = Get-BitLockerVolume
|
||||
$keyprotectors = $vol.KeyProtector
|
||||
```
|
||||
|
||||
Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
|
||||
Using this information, we can then remove the key protector for a specific volume using the command:
|
||||
|
||||
```powershell
|
||||
Remove-BitLockerKeyProtector <volume>: -KeyProtectorID "{GUID}"
|
||||
```
|
||||
> **Note:** The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
|
||||
|
||||
> [!NOTE]
|
||||
> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
|
||||
|
||||
### Operating system volume
|
||||
|
||||
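Review bot: in the new "A good initial step" paragraph the inline code wraps only `Get-BitLocker` and leaves "volume" outside the backticks, so the cmdlet reads as `Get-BitLocker volume`; it should be `Get-BitLockerVolume`, matching the `Get-BitLockerVolume C: | fl` block and the table above (the old `<code>` version had the same split). Separately, `$vol = Get-BitLockerVolume` with no mount point returns one object per volume, and `$vol.KeyProtector` then flattens the protectors of every volume into a single list, losing which volume each GUID belongs to; since the next command removes a protector from "a specific volume", the snippet should pass the mount point (`$vol = Get-BitLockerVolume C:`) or loop over `$vol`.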
@ -402,11 +348,13 @@ To enable BitLocker with just the TPM protector. This can be done using the comm
|
||||
```powershell
|
||||
Enable-BitLocker C:
|
||||
```
|
||||
|
||||
The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
|
||||
|
||||
```powershell
|
||||
Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath <path> -SkipHardwareTest
|
||||
```
|
||||
|
||||
### Data volume
|
||||
|
||||
Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
|
||||
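Review bot: the TPM-only example `Enable-BitLocker C:` names no protector, but Enable-BitLocker picks its parameter set from the protector switch, so the command should state `-TpmProtector` explicitly to do what the sentence "with just the TPM protector" describes. The following sentence also says "adds one additional protector, the StartupKey protectors" where a single `-StartupKeyProtector` is added; make it singular.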
@ -416,23 +364,28 @@ $pw = Read-Host -AsSecureString
|
||||
<user inputs password>
|
||||
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
|
||||
```
|
||||
|
||||
### Using a SID based protector in Windows PowerShell
|
||||
|
||||
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
|
||||
|
||||
>**Warning:** The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
|
||||
> [!WARNING]
|
||||
> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
|
||||
|
||||
To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
|
||||
|
||||
```powershell
|
||||
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
|
||||
```
|
||||
|
||||
For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
|
||||
|
||||
```powershell
|
||||
get-aduser -filter {samaccountname -eq "administrator"}
|
||||
Get-ADUser -filter {samaccountname -eq "administrator"}
|
||||
```
|
||||
> **Note:** Use of this command requires the RSAT-AD-PowerShell feature.
|
||||
|
||||
> [!NOTE]
|
||||
> Use of this command requires the RSAT-AD-PowerShell feature.
|
||||
>
|
||||
> **Tip:** In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
|
||||
|
||||
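Review bot: the data-volume example runs `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw`, but no such cmdlet appears in the cmdlet table above (it lists `Enable-BitLocker` and `Add-BitLockerKeyProtector`), and the prose says encryption then begins, so this should read `Enable-BitLocker E: -PasswordProtector -Password $pw`. The `<user inputs password>` line inside the `powershell` fence is not PowerShell either; make it a comment (`# user enters the password at the Read-Host prompt`) so the block can be pasted. The `get-aduser` to `Get-ADUser` casing fix is good.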
@ -441,7 +394,9 @@ In the example below, the user wishes to add a domain SID based protector to the
|
||||
```powershell
|
||||
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"
|
||||
```
|
||||
> **Note:** Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
|
||||
|
||||
> [!NOTE]
|
||||
> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
|
||||
|
||||
## <a href="" id="bkmk-dep5"></a> Checking BitLocker status
|
||||
|
||||
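Review bot: the example `Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "<SID>"` targets the operating system volume, yet the warning earlier in this section says a SID-based protector on an OS volume requires an additional protector (TPM, PIN, recovery key); either state that C: already has a TPM protector in this example or use a data volume, as the `G:` example above does, so the example and the warning agree.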
@ -473,7 +428,9 @@ To check the status of a volume using manage-bde, use the following command:
|
||||
```powershell
|
||||
manage-bde -status <volume>
|
||||
```
|
||||
> **Note:** If no volume letter is associated with the -status command, all volumes on the computer display their status.
|
||||
|
||||
> [!NOTE]
|
||||
> If no volume letter is associated with the -status command, all volumes on the computer display their status.
|
||||
|
||||
### Checking BitLocker status with Windows PowerShell
|
||||
|
||||
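Review bot: `manage-bde -status <volume>` is a command-line tool, not a cmdlet, yet the fence is tagged `powershell`; this same commit retags the `certreq` and `wevtutil` blocks in the Network Unlock topic as `cmd`, so use `cmd` here and for the `manage-bde -off C:` and `manage-bde -status C:` blocks in the decryption section below for consistency.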
@ -484,6 +441,7 @@ Using the Get-BitLockerVolume cmdlet, each volume on the system will display its
|
||||
```powershell
|
||||
Get-BitLockerVolume <volume> -Verbose | fl
|
||||
```
|
||||
|
||||
This command will display information about the encryption method, volume type, key protectors, etc.
|
||||
|
||||
### Provisioning BitLocker during operating system deployment
|
||||
@ -510,11 +468,13 @@ Decrypting volumes using manage-bde is very straightforward. Decryption with man
|
||||
```powershell
|
||||
manage-bde -off C:
|
||||
```
|
||||
|
||||
This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command:
|
||||
|
||||
```powershell
|
||||
manage-bde -status C:
|
||||
```
|
||||
|
||||
### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
|
||||
|
||||
Decryption with Windows PowerShell cmdlets is straightforward, similar to manage-bde. The additional advantage Windows PowerShell offers is the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
|
||||
@ -524,16 +484,16 @@ Using the Disable-BitLocker command, they can remove all protectors and encrypti
|
||||
```powershell
|
||||
Disable-BitLocker
|
||||
```
|
||||
|
||||
If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
|
||||
|
||||
```powershell
|
||||
Disable-BitLocker -MountPoint E:,F:,G:
|
||||
```
|
||||
|
||||
## See also
|
||||
|
||||
- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
|
||||
- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
|
||||
- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
|
||||
- [BitLocker overview](bitlocker-overview.md)
|
||||
|
||||
|
||||
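Review bot: the first example, a bare `Disable-BitLocker`, only works because `-MountPoint` is mandatory and PowerShell prompts for it one value at a time; the sentence "If a user did not want to input each mount point individually" hints at that, but the block should say it prompts, otherwise readers expect it to decrypt all three volumes unattended. Lead with the array form `Disable-BitLocker -MountPoint E:,F:,G:` and present the bare form as the interactive variant.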
@ -95,7 +95,7 @@ The server side configuration to enable Network Unlock also requires provisionin
|
||||
|
||||
The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
|
||||
|
||||
### <a href="" id="bkmk-installwdsrole"/>Install the WDS Server role
|
||||
### <a href="" id="bkmk-installwdsrole"><a/>Install the WDS Server role
|
||||
|
||||
The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager.
|
||||
|
||||
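Review bot: the replacement anchor `<a href="" id="bkmk-installwdsrole"><a/>` is malformed: `<a/>` is a second, self-closing anchor, so the first `<a ...>` is never closed and the heading text ends up inside it. The closing tag is `</a>`, i.e. `### <a href="" id="bkmk-installwdsrole"></a>Install the WDS Server role`, the form already used for `bkmk-dep5` and `bkmk-usingaddrecovery` elsewhere in this commit. The same mistake is repeated below for `bkmk-confirmwdsrunning`, `bkmk-installnufeature`, `bkmk-createcerttmpl`, `bkmk-createcert`, `bkmk-deploycert`, `bkmk-turnoffnetworkunlock` and `bkmk-updatecerts`.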
@ -107,7 +107,7 @@ Install-WindowsFeature WDS-Deployment
|
||||
|
||||
You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard.
|
||||
|
||||
### <a href="" id="bkmk-confirmwdsrunning"/>Confirm the WDS Service is running
|
||||
### <a href="" id="bkmk-confirmwdsrunning"><a/>Confirm the WDS Service is running
|
||||
|
||||
To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service.
|
||||
|
||||
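Review bot: the unchanged context line "You can do using the WDS management tool, wdsmgmt.msc" is missing its object; since this hunk already touches the heading two lines below, fix it to "You can do this using the WDS management tool, wdsmgmt.msc" in the same change.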
@ -116,7 +116,7 @@ To confirm the service is running using Windows PowerShell, use the following co
|
||||
```powershell
|
||||
Get-Service WDSServer
|
||||
```
|
||||
### <a href="" id="bkmk-installnufeature"/>Install the Network Unlock feature
|
||||
### <a href="" id="bkmk-installnufeature"><a/>Install the Network Unlock feature
|
||||
|
||||
To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
|
||||
|
||||
@ -125,7 +125,7 @@ To install the feature using Windows PowerShell, use the following command:
|
||||
```powershell
|
||||
Install-WindowsFeature BitLocker-NetworkUnlock
|
||||
```
|
||||
### <a href="" id="bkmk-createcerttmpl"/>Create the certificate template for Network Unlock
|
||||
### <a href="" id="bkmk-createcerttmpl"><a/>Create the certificate template for Network Unlock
|
||||
|
||||
A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
|
||||
|
||||
@ -155,7 +155,7 @@ To add the Network Unlock template to the Certification Authority, open the Cert
|
||||
|
||||
After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock.
|
||||
|
||||
### <a href="" id="bkmk-createcert"/>Create the Network Unlock certificate
|
||||
### <a href="" id="bkmk-createcert"><a/>Create the Network Unlock certificate
|
||||
|
||||
Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate.
|
||||
|
||||
@ -218,7 +218,7 @@ Certreq example:
|
||||
|
||||
3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name:
|
||||
|
||||
``` syntax
|
||||
```cmd
|
||||
certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
|
||||
```
|
||||
|
||||
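Review bot: the `certreq` fence sits at column 0 directly under list item 3, which terminates the numbered list in Markdown; indent the fence so the block stays inside step 3 and step 5 below keeps its numbering. The `wevtutil` block under step 1 of the troubleshooting section has the same layout. The ` ``` syntax` to ` ```cmd` retag itself is right.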
@ -226,7 +226,7 @@ Certreq example:
|
||||
5. Launch Certificates - Local Machine by running **certlm.msc**.
|
||||
6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file.
|
||||
|
||||
### <a href="" id="bkmk-deploycert"/>Deploy the private key and certificate to the WDS server
|
||||
### <a href="" id="bkmk-deploycert"><a/>Deploy the private key and certificate to the WDS server
|
||||
|
||||
With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following:
|
||||
|
||||
@ -281,6 +281,7 @@ SUBNET2=10.185.252.200/28
|
||||
SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
|
||||
SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
|
||||
```
|
||||
|
||||
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
|
||||
|
||||
> [!NOTE]
|
||||
@ -288,8 +289,9 @@ Following the \[SUBNETS\] section, there can be sections for each Network Unlock
|
||||
|
||||
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
|
||||
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
|
||||
|
||||
```ini
|
||||
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
|
||||
[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
|
||||
;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
|
||||
;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
|
||||
SUBNET1
|
||||
@ -299,14 +301,14 @@ SUBNET3
|
||||
|
||||
To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED".
|
||||
|
||||
## <a href="" id="bkmk-turnoffnetworkunlock"/>Turning off Network Unlock
|
||||
## <a href="" id="bkmk-turnoffnetworkunlock"><a/>Turning off Network Unlock
|
||||
|
||||
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
|
||||
|
||||
> [!NOTE]
|
||||
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
|
||||
|
||||
## <a href="" id="bkmk-updatecerts"/>Update Network Unlock certificates
|
||||
## <a href="" id="bkmk-updatecerts"><a/>Update Network Unlock certificates
|
||||
|
||||
To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller.
|
||||
|
||||
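Review bot: the line "its subnet list may contain the line “DISABLED"" mixes a curly opening quote with a straight closing one; use straight quotes (`"DISABLED"`), as this commit does when normalizing quotes in the recovery guide, so the literal a reader copies into the policy file is unambiguous. The `<a/>` anchor problem noted above applies to `bkmk-turnoffnetworkunlock` and `bkmk-updatecerts` in this hunk as well.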
@ -336,7 +338,7 @@ Files to gather when troubleshooting BitLocker Network Unlock include:
|
||||
|
||||
1. Start an elevated command prompt and run the following command:
|
||||
|
||||
``` syntax
|
||||
```cmd
|
||||
wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
|
||||
```
|
||||
2. Open Event Viewer on the WDS server.
|
||||
|
@ -21,6 +21,7 @@ ms.custom: bitlocker
|
||||
# BitLocker recovery guide
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10
|
||||
|
||||
This topic for IT professionals describes how to recover BitLocker keys from AD DS.
|
||||
@ -43,7 +44,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
|
||||
|
||||
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
|
||||
|
||||
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](https://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](https://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
|
||||
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
|
||||
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
|
||||
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
|
||||
- Failing to boot from a network drive before booting from the hard drive.
|
||||
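Review bot: the new Intune link in the first bullet points at the Microsoft Intune product page (`microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune`), not at documentation for the `MaxFailedPasswordAttempts` setting the sentence says is "also configurable through" Intune; link the Intune policy documentation instead, as the Exchange ActiveSync reference now does with a docs path. Renaming "Windows Intune" to "Microsoft Intune" is correct.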
@ -109,7 +110,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
|
||||
|
||||
1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
|
||||
2. At the command prompt, type the following command and then press ENTER:
|
||||
`manage-bde. -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
|
||||
`manage-bde -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
|
||||
|
||||
> [!NOTE]
|
||||
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
|
||||
@ -118,8 +119,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
|
||||
|
||||
When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
|
||||
|
||||
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker
|
||||
Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx).
|
||||
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
|
||||
|
||||
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.
|
||||
|
||||
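Review bot: the merged MBAM paragraph still says "Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0" while the new link targets `/microsoft-desktop-optimization-pack/mbam-v25/`; update the version in the text or link the version the text describes, so the two agree.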
@ -262,19 +262,18 @@ This error might occur if you updated the firmware. As a best practice you shoul
|
||||
|
||||
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
|
||||
|
||||
|
||||
## BitLocker recovery screen
|
||||
|
||||
During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
|
||||
|
||||
### Custom recovery message
|
||||
|
||||
BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
|
||||
BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
|
||||
|
||||
This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
|
||||
|
||||
It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
|
||||
*<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>*
|
||||
*\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*
|
||||
|
||||

|
||||
|
||||
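Review bot: escaping the OMA-URI as `*\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*` stops the tags being swallowed as HTML, but italics is the wrong markup for a URI; put it in inline code, e.g. `./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage`, which needs no escaping. In the unchanged first paragraph, "devices that include firmware to support specific TPM measurements for PCR[7] the TPM can validate" is missing its connective ("on devices that include firmware ..., the TPM can validate"). The `confiure` to `configure` fix is good.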
@ -282,31 +281,27 @@ Example of customized recovery screen:
|
||||
|
||||

|
||||
|
||||
|
||||
|
||||
### BitLocker recovery key hints
|
||||
|
||||
BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen.
BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen.

> [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.

There are rules governing which hint is shown during the recovery (in order of processing):

1. Always display custom recovery message if it has been configured (using GPO or MDM).
2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq."
2. Always display generic hint: "For more information, go to <https://aka.ms/recoverykeyfaq>".
3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key.
4. Prioritize keys with successful backup over keys that have never been backed up.
5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints.
6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date.
8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed.
8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," will be displayed.
9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer.

#### Example 1 (single recovery key with single backup)

| Custom URL | Yes |
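Review bot: rule 7 still reads "remove vs. local" where "remote vs. local" is clearly meant, and the opening paragraph has "refer to the location where key has been saved" (missing "the"); since this hunk already retouches rules 2, 6 and 8 for quote style, fold those two fixes in as well.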
@ -378,7 +373,6 @@ There are rules governing which hint is shown during the recovery (in order of p

#### Example 5 (multiple recovery passwords)

| Custom URL | No |
@ -408,7 +402,6 @@ There are rules governing which hint is shown during the recovery (in order of p

## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information

Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
@ -456,6 +449,7 @@ You can reset the recovery password in two ways:
```powershell
Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```

> [!WARNING]
> You must include the braces in the ID string.
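Review bot: the manage-bde line in this hunk's context uses Unicode en dashes for two of its switches (`Manage-bde –protectors –adbackup C: -id {...}`), so the command fails when copied from the rendered page; while the block is being edited, normalize them to ASCII hyphens (`-protectors -adbackup`) to match the `-id` switch on the same line.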
@ -891,5 +885,3 @@ End Function
## See also

- [BitLocker overview](bitlocker-overview.md)
@ -28,7 +28,7 @@ Open Event Viewer and review the following logs under Applications and Services
- Microsoft-Windows-BitLocker/BitLocker Operational
- Microsoft-Windows-BitLocker/BitLocker Management

- **BitLocker-DrivePreparationTool**. Review the Admin log, the **Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- **BitLocker-DrivePreparationTool**. Review the Admin log, the Operational log, and any other logs that are generated in this folder. The default logs have the following unique names:
- Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
- Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
@ -20,7 +20,7 @@
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)

## [Migration guides]()
## [Migration guides](microsoft-defender-atp/migration-guides.md)
### [Switch from McAfee to Microsoft Defender ATP]()
#### [Get an overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
#### [Prepare for your migration](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
@ -71,7 +71,8 @@
##### [Application isolation]()
###### [Application guard overview](microsoft-defender-application-guard/md-app-guard-overview.md)
###### [System requirements](microsoft-defender-application-guard/reqs-md-app-guard.md)
###### [Install Windows Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
###### [Install Microsoft Defender Application Guard](microsoft-defender-application-guard/install-md-app-guard.md)
###### [Install Microsoft Defender Application Guard Extension](microsoft-defender-application-guard/md-app-guard-browser-extension.md)

##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
@ -18,6 +18,9 @@ Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance.

MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016.

> [!NOTE]
> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file.

## The Solution
A script can help you with an alternative to MBSA’s patch-compliance checking:
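Review bot: in the added note, the quoted error message carries its period inside the quotes in mid-sentence (`"The catalog file is damaged or an invalid catalog." when attempting to scan`), which reads as two sentences; move the period to the end of the sentence. The unchanged line above also says "it has since been deprecated and no longer developed", which needs "is" before "no longer".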
@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 09/04/2020
ms.date: 09/07/2020
---

# Manage Microsoft Defender Antivirus updates and apply baselines
@ -63,7 +63,7 @@ All our updates contain:

 Security intelligence update version: **1.323.9.0**
 Released: **August 27, 2020**
 Platform: **4.18.2008.3**
 Platform: **4.18.2008.9**
 Engine: **1.1.17400.5**
 Support phase: **Security and Critical Updates**
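Review bot: the platform version is bumped from 4.18.2008.3 to 4.18.2008.9 while the `Released: August 27, 2020` line and the engine version in the same block are left unchanged; confirm whether the release date should move with the new platform build, since readers use this block to pair a platform build with the date it shipped.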
@ -4,4 +4,5 @@
## [Install WDAG](install-md-app-guard.md)
## [Configure WDAG policies](configure-md-app-guard.md)
## [Test scenarios](test-scenarios-md-app-guard.md)
## [Microsoft Defender Application Guard Extension](md-app-guard-browser-extension.md)
## [FAQ](faq-md-app-guard.md)
Binary file not shown.
After Width: | Height: | Size: 68 KiB |
Binary file not shown.
After Width: | Height: | Size: 114 KiB |
Binary file not shown.
After Width: | Height: | Size: 507 KiB |
@ -0,0 +1,98 @@
---
title: Microsoft Defender Application Guard Extension
description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: martyav
ms.author: v-maave
ms.date: 06/12/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
---

# Microsoft Defender Application Guard Extension

**Applies to:**

- Windows 10

[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).

[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.

> [!TIP]
> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.

Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.

## Prerequisites

Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:

- Windows 10 Professional
- Windows 10 Enterprise
- Windows 10 Education

Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.

## Installing the extension

Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries.

Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place.

From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.

1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
1. Install the [Windows Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
1. Restart the device.

### Recommended browser group policies

Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings.

#### Chrome policies

These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*).

Policy name | Values | Recommended setting | Reason
-|-|-|-
[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled <br /> `1` = Disabled <br /> `2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled <br /> `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled <br /> `true` or `1` = Enabled <br /> <br /> **Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension.

#### Firefox policies

These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*).

Policy name | Values | Recommended setting | Reason
-|-|-|-
[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled <br /> `true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard
[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed <br /> `true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security
[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it.

## Troubleshooting guide

<!-- The in-line HTML in the following table is less than ideal, but MarkDown tables break if \r or \n characters are used within table cells -->

Error message | Cause | Actions
-|-|-
Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot</br> 2. If the companion app is already installed, reboot and see if that resolves the error</br> 3. If you still see the error after rebooting, uninstall and re-install the companion app</br> 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) </br> 2. Retry the operation
Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser </br> 2. Check for updates in both the Microsoft store and the respective web store for the affected browser
Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed </br> 2. If the companion app is installed, reboot and see if that resolves the error </br> 3. If you still see the error after rebooting, uninstall and re-install the companion app </br> 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) </br> 2. Retry the operation
Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. </br> 2. If the companion app is installed, reboot and see if that resolves the error </br> 3. If you still see the error after rebooting, uninstall and re-install the companion app </br> 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) </br> 2. Check if Edge is working </br> 3. Retry the operation

## Related articles

- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
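Review bot: the companion app Store link is written with `#activetab=pivot:overviewtab` in the install steps but `?activetab=pivot:overviewtab` in the troubleshooting table; pick one form so both resolve the same way. Also, both "companion communication error" rows attribute the failure to "the companion app being uninstalled while Chrome was running", yet this page documents the Firefox extension as well; say "while the browser was running".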
@ -43,9 +43,10 @@ Application Guard has been created to target several types of systems:
## Related articles

|Article | Description |
|------|------------|
|--------|-------------|
|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
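Review bot: the new table row is formatted unlike its neighbours (a space after the leading `|`, no trailing period) and promises "known issues", whereas the md-app-guard-browser-extension.md page added in this commit has a troubleshooting guide but no known-issues section; "trouble-shooting" should also match that page's "Troubleshooting". Suggest: `|[Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md)|Describes the Application Guard extension for Chrome and Firefox, including a troubleshooting guide.|`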
@ -15,14 +15,12 @@ ms.custom: asr

# Application Guard testing scenarios

**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.

## Application Guard in standalone mode

You can see how an employee would use standalone mode with Application Guard.
@ -81,7 +79,7 @@ Before you can use Application Guard in enterprise mode, you must install Window
>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.

6. Start Microsoft Edge and type <em>www.microsoft.com</em>.
6. Start Microsoft Edge and type *https://www.microsoft.com*.

After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
@ -108,6 +106,7 @@ Application Guard provides the following default behavior for your employees:
You have the option to change each of these settings to work with your enterprise from within Group Policy.

**Applies to:**

- Windows 10 Enterprise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
@ -129,11 +128,11 @@ You have the option to change each of these settings to work with your enterpris

4. Choose what can be copied:

- **1.** Only text can be copied between the host PC and the isolated container.
- Only text can be copied between the host PC and the isolated container.

- **2.** Only images can be copied between the host PC and the isolated container.
- Only images can be copied between the host PC and the isolated container.

- **3.** Both text and images can be copied between the host PC and the isolated container.
- Both text and images can be copied between the host PC and the isolated container.

5. Click **OK**.
@ -168,9 +167,14 @@ You have the option to change each of these settings to work with your enterpris
The previously added site should still appear in your **Favorites** list.

> [!NOTE]
>If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container, follow these steps:**<br/>1. Open a command-line program and navigate to Windows/System32.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
> If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
> <!--- Inline HTML is used on the next several lines so that the ordinal numbers will be rendered correctly; Markdown would otherwise try to render them as letters (a, b, c...) because they would be treated as a nested list --->
> **To reset the container, follow these steps:**<br/>1. Open a command-line program and navigate to Windows/System32.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.

**Applies to:**

- Windows 10 Enterprise edition, version 1803
- Windows 10 Professional edition, version 1803
@ -201,6 +205,7 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.

**Applies to:**

- Windows 10 Enterprise edition, version 1809
- Windows 10 Professional edition, version 1809
@ -210,7 +215,7 @@ You have the option to change each of these settings to work with your enterpris

2. Click **Enabled**, set **Options** to 2, and click **OK**.



3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@ -224,7 +229,7 @@ You have the option to change each of these settings to work with your enterpris

2. Click **Enabled** and click **OK**.



3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
@ -238,7 +243,20 @@ You have the option to change each of these settings to work with your enterpris

2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.



3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.

## Application Guard Extension for third-party web browsers

The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer.

Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.

1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
1. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.

1. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.

1. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**

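Review bot: the added scenario steps carry a doubled word and a grammar slip: the third step says "external website site", and the last step says "by select the Microsoft Defender Application Guard icon" and ends without a period; suggest "external website" and "by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**."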
@ -0,0 +1,226 @@
|
||||
---
|
||||
title: Microsoft Defender ATP for iOS Application license terms
|
||||
ms.reviewer:
|
||||
description: Describes the Microsoft Defender ATP for iOS license terms
|
||||
keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope,
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: sunasing
|
||||
author: sunasing
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
hideEdit: true
|
||||
---
|
||||
|
||||
# Microsoft Defender ATP for iOS application license terms
|
||||
|
||||
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
|
||||
|
||||
These license terms ("Terms") are an agreement between Microsoft Corporation (or
|
||||
based on where you live, one of its affiliates) and you. Please read them. They
|
||||
apply to the application named above. These Terms also apply to any Microsoft
|
||||
|
||||
- updates,
|
||||
|
||||
- supplements,
|
||||
|
||||
- Internet-based services, and
|
||||
|
||||
- support services
|
||||
|
||||
for this application, unless other terms accompany those items. If so, those
|
||||
terms apply.
|
||||
|
||||
**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
|
||||
DO NOT USE THE APPLICATION.**
|
||||
|
||||
**If you comply with these Terms, you have the perpetual rights below.**
|
||||
|
||||
1. **INSTALLATION AND USE RIGHTS.**
|
||||
|
||||
1. **Installation and Use.** You may install and use any number of copies
|
||||
of this application on iOS enabled device or devices which you own
|
||||
or control. You may use this application with your company's valid
|
||||
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
|
||||
an online service that includes MDATP functionalities.
|
||||
|
||||
2. **Updates.** Updates or upgrades to MDATP may be required for full
|
||||
functionality. Some functionality may not be available in all countries.
|
||||
|
||||
3. **Third Party Programs.** The application may include third party
|
||||
programs that Microsoft, not the third party, licenses to you under this
|
||||
agreement. Notices, if any, for the third-party program are included for
|
||||
your information only.
|
||||
|
||||
2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
|
||||
Internet access, data transfer and other services per the terms of the data
|
||||
service plan and any other agreement you have with your network operator due
|
||||
to use of the application. You are solely responsible for any network
|
||||
operator charges.
|
||||
|
||||
3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
|
||||
the application. It may change or cancel them at any time.
|
||||
|
||||
1. Consent for Internet-Based or Wireless Services. The application may
|
||||
connect to Internet-based wireless services. Your use of the application
|
||||
operates as your consent to the transmission of standard device
|
||||
information (including but not limited to technical information about
|
||||
your device, system and application software, and peripherals) for
|
||||
Internet-based or wireless services. If other terms are provided in
|
||||
connection with your use of the services, those terms also apply.
|
||||
|
||||
- Data. Some online services require, or may be enhanced by, the
|
||||
installation of local software like this one. At your, or your
|
||||
admin's direction, this software may send data from a device to or
|
||||
from an online service.
|
||||
|
||||
- Usage Data. Microsoft automatically collects usage and performance
|
||||
data over the internet. This data will be used to provide and
|
||||
improve Microsoft products and services and enhance your experience.
|
||||
You may limit or control collection of some usage and performance
data through your device settings. Doing so may disrupt your use of
certain features of the application. For additional information on
Microsoft's data collection and use, see the [Online Services
Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
2. Misuse of Internet-based Services. You may not use any Internet-based
service in any way that could harm it or impair anyone else's use of it
or the wireless network. You may not use the service to try to gain
unauthorized access to any service, data, account or network by any
means.
4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
give to Microsoft, without charge, the right to use, share and commercialize
your feedback in any way and for any purpose. You also give to third
parties, without charge, any patent rights needed for their products,
technologies and services to use or interface with any specific parts of a
Microsoft software or service that includes the feedback. You will not give
feedback that is subject to a license that requires Microsoft to license its
software or documentation to third parties because we include your feedback
in them. These rights survive this agreement.
5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
only gives you some rights to use the application. Microsoft reserves all
other rights. Unless applicable law gives you more rights despite this
limitation, you may use the application only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in
the application that only allow you to use it in certain ways. You may not
- work around any technical limitations in the application;
- reverse engineer, decompile or disassemble the application, except and
only to the extent that applicable law expressly permits, despite this
limitation;
- make more copies of the application than specified in this agreement or
allowed by applicable law, despite this limitation;
- publish the application for others to copy;
- rent, lease or lend the application; or
- transfer the application or this agreement to any third party.
6. **EXPORT RESTRICTIONS.** The application is subject to United States export
laws and regulations. You must comply with all domestic and international
export laws and regulations that apply to the application. These laws
include restrictions on destinations, end users and end use. For additional
information,
see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
7. **SUPPORT SERVICES.** Because this application is "as is," we may not
provide support services for it. If you have any issues or questions about
your use of this application, including questions about your company's
privacy policy, please contact your company's admin. Do not contact the
application store, your network operator, device manufacturer, or Microsoft.
The application store provider has no obligation to furnish support or
maintenance with respect to the application.
8. **APPLICATION STORE.**
1. If you obtain the application through an application store (e.g., App
Store), please review the applicable application store terms to ensure
your download and use of the application complies with such terms.
Please note that these Terms are between you and Microsoft and not with
the application store.
2. The respective application store provider and its subsidiaries are third
party beneficiaries of these Terms, and upon your acceptance of these
Terms, the application store provider(s) will have the right to directly
enforce and rely upon any provision of these Terms that grants them a
benefit or rights.
9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
Microsoft 365 are registered or common-law trademarks of Microsoft
Corporation in the United States and/or other countries.
10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
Internet-based services, and support services that you use are the entire
agreement for the application and support services.
11. **APPLICABLE LAW.**
1. **United States.** If you acquired the application in the United States,
Washington state law governs the interpretation of this agreement and
applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other
claims, including claims under state consumer protection laws, unfair
competition laws, and in tort.
2. **Outside the United States.** If you acquired the application in any
other country, the laws of that country apply.
12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
have other rights under the laws of your country. You may also have rights
with respect to the party from whom you acquired the application. This
agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.**
**FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
This limitation applies to:
- anything related to the application, services, content (including code) on
third party Internet sites, or third party programs; and
- claims for breach of contract, warranty, guarantee or condition; consumer
protection; deception; unfair competition; strict liability, negligence,
misrepresentation, omission, trespass or other tort; violation of statute or
regulation; or unjust enrichment; all to the extent permitted by applicable
law.
It also applies even if:
a. Repair, replacement or refund for the application does not fully compensate
you for any losses; or
b. Covered Parties knew or should have known about the possibility of the
damages.
The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
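Review bot: in the DISCLAIMER OF WARRANTY clause (item 13), the run of quoted terms reads `"AS-IS." "WITH ALL FAULTS," AND "AS AVAILABLE."`; the period after "AS-IS" splits what is meant to be one series, and should be a comma so the three terms read as a single list. Also worth checking that the numbered list renders as intended: `2. **Updates.**` and `3. **Third Party Programs.**` are followed by `2. **INTERNET ACCESS MAY BE REQUIRED.**`, so either the first two are sub-items that need indenting under the preceding section or the numbering restarts unexpectedly.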
@ -18,6 +18,7 @@ ms.collection:
- m365solution-mcafeemigrate
- m365solution-overview
ms.topic: conceptual
ms.custom: migrationguides
ms.date: 09/03/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@ -16,6 +16,7 @@ audience: ITPro
ms.collection:
- M365-security-compliance
- m365solution-McAfeemigrate
ms.custom: migrationguides
ms.topic: article
ms.date: 09/03/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
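Review bot: the `ms.collection` entry `- m365solution-McAfeemigrate` in this hunk is capitalized differently from `- m365solution-mcafeemigrate` in the neighbouring hunks of this same commit; if collection names are matched case-sensitively this page will fall out of the collection, so lowercase it to match the others.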
@ -17,6 +17,7 @@ ms.collection:
- M365-security-compliance
- m365solution-mcafeemigrate
ms.topic: article
ms.custom: migrationguides
ms.date: 09/03/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@ -17,6 +17,7 @@ ms.collection:
- M365-security-compliance
- m365solution-mcafeemigrate
ms.topic: article
ms.custom: migrationguides
ms.date: 09/03/2020
ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
---
@ -129,7 +130,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet. <br/><br/>3. In the list of results, look for **AntivirusEnabled: True**. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/><br/>3. In the list of results, look for **AntivirusEnabled: True**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
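Review bot: step 3 of the Command Prompt row asks the reader to "confirm that Microsoft Defender Antivirus is running in passive mode", but `sc query windefend` only reports the service state (whether it is running), and the PowerShell row's `AntivirusEnabled: True` likewise does not distinguish active from passive mode, so neither procedure verifies what the surrounding text claims. While this row is being edited for the link, tell the reader which output actually indicates passive mode; `Get-MpComputerStatus` reports the running mode in its `AMRunningMode` property, which is the field to point at here.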
@ -0,0 +1,43 @@
---
title: Make the switch to Microsoft Defender ATP
description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender ATP
search.appverid: MET150
author: denisebmsft
ms.author: deniseb
manager: dansimp
audience: ITPro
ms.topic: conceptual
ms.date: 09/08/2020
ms.prod: w10
ms.localizationpriority: medium
ms.collection:
- M365-security-compliance
ms.custom: migrationguides
ms.reviewer: chriggs, depicker, yongrhee
f1.keywords: NOCSH
---
# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus
## Migration guides
If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Defender Antivirus, check out our migration guidance.
- [McAfee Endpoint Security (McAfee) to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md)
- [Symantec Endpoint Protection (Symantec) to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md)
- [Manage Microsoft Defender Advanced Threat Protection, after you've migrated](manage-atp-post-migration.md)
## Got feedback?
Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
## See also
- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection)
- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
- [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
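Review bot: the last "See also" link in this new file, `https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?`, ends in a stray `?` that should be dropped. The H1 `# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus` also differs from the front-matter `title: Make the switch to Microsoft Defender ATP`; align the two, or confirm the longer heading is intentional.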
@ -1,6 +1,6 @@
---
title: Migrate from Symantec to Microsoft Defender ATP
description: Make the switch from Symantec to Microsoft Defender ATP
description: Get an overview of how to make the switch from Symantec to Microsoft Defender ATP
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -19,6 +19,7 @@ ms.collection:
- m365solution-overview
ms.topic: conceptual
ms.date: 09/04/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
@ -42,7 +43,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m
| Feature/Capability | Description |
|---|---|
| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). |
| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
@ -1,6 +1,6 @@
---
title: Phase 3 - Onboard to Microsoft Defender ATP
description: Make the switch from Symantec to Microsoft Defender ATP
description: This is Phase 3, Onboarding, of making the switch from Symantec to Microsoft Defender ATP
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -18,6 +18,7 @@ ms.collection:
- m365solution-symantecmigrate
ms.topic: article
ms.date: 09/04/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
@ -1,6 +1,6 @@
---
title: Phase 1 - Prepare for your migration to Microsoft Defender ATP
description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration.
description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender ATP.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -18,6 +18,7 @@ ms.collection:
- m365solution-symantecmigrate
ms.topic: article
ms.date: 09/04/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
@ -1,6 +1,6 @@
---
title: Phase 2 - Set up Microsoft Defender ATP
description: Phase 2 - Set up Microsoft Defender ATP
title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up
description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender ATP
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
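Review bot: the new `title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up` breaks the naming pattern of the sibling pages touched in this same commit (`Phase 1 - Prepare for your migration to Microsoft Defender ATP`, `Phase 3 - Onboard to Microsoft Defender ATP`), and its "Setting Up" does not match the new description's "Phase 2, Setup". Either keep the previous `Phase 2 - Set up Microsoft Defender ATP` or rename all three phases consistently.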
@ -18,6 +18,7 @@ ms.collection:
- m365solution-symantecmigrate
ms.topic: article
ms.date: 09/04/2020
ms.custom: migrationguides
ms.reviewer: depicker, yongrhee, chriggs
---
@ -104,7 +105,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet. <br/><br/>3. In the list of results, look for **AntivirusEnabled: True**. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/><br/>3. In the list of results, look for **AntivirusEnabled: True**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
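Review bot: same gap as in the McAfee version of this table earlier in the commit: `sc query windefend` only shows whether the service is running and `AntivirusEnabled: True` does not by itself confirm passive mode, yet step 3 asks the reader to confirm exactly that. Point the reader at the field that reports the running mode (`AMRunningMode` in the `Get-MpComputerStatus` output) rather than at the service state.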
@ -55,7 +55,7 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates).
[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details.
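Review bot: the rewritten **Security recommendations** row still carries the typo "number or exposed devices" (should be "number of exposed devices"); since the row is already being replaced to fix the link target, correct the typo in the same line rather than leaving it for another pass.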