deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'atp-allowblock' of https://cpubwin.visualstudio.com/it-client/_git/it-client into atp-allowblock

Browse Source
This commit is contained in:
Joey Caparas 2019-03-25 18:08:49 -07:00
commit 2da5cea9f5
29 changed files with 116 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--20-release-notesuevv2.md
View File

@ -32,55 +32,55 @@ This section contains release notes for User Experience Virtualization.
When a computer has an application that is installed through both Application Virtualization (App-V) and a locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies. When a computer has an application that is installed through both Application Virtualization (App-V) and a locally with a Windows Installer (.msi) file, the registry-based settings do not synchronize between the technologies.
WORKAROUND: To resolve this problem, run the application by selecting one of the two technologies, but not both. **WORKAROUND:** To resolve this problem, run the application by selecting one of the two technologies, but not both.
### <a href="" id="settings-do-not-synchronization-when-network-share-is-outside-user-s-domain"></a>Settings do not synchronization when network share is outside users domain ### <a href="" id="settings-do-not-synchronization-when-network-share-is-outside-user-s-domain"></a>Settings do not synchronization when network share is outside users domain
When Windows® 8 attempts operating system settings synchronization, the synchronization fails with the following error message: **boost::filesystem::exists::Incorrect user name or password**. This error can indicate that the network share is outside the users domain or a domain with a trust relationship to that domain. To check for operational log events, open the **Event Viewer** and navigate to **Applications and Services Logs** / **Microsoft** / **User Experience Virtualization** / **Logging** / **Operational**. Network shares that are used for UE-V settings storage locations should reside in the same Active Directory domain as the user or a trusted domain of the users domain. When Windows® 8 attempts operating system settings synchronization, the synchronization fails with the following error message: **boost::filesystem::exists::Incorrect user name or password**. This error can indicate that the network share is outside the users domain or a domain with a trust relationship to that domain. To check for operational log events, open the **Event Viewer** and navigate to **Applications and Services Logs** / **Microsoft** / **User Experience Virtualization** / **Logging** / **Operational**. Network shares that are used for UE-V settings storage locations should reside in the same Active Directory domain as the user or a trusted domain of the users domain.
WORKAROUND: Use network shares from the same Active Directory domain as the user. **WORKAROUND:** Use network shares from the same Active Directory domain as the user.
### Unpredictable results with both Office 2010 and Office 2013 installed ### Unpredictable results with both Office 2010 and Office 2013 installed
When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used. When a user has both Office 2010 and Office 2013 installed, any common settings between the two versions of Office are roamed by UE-V. This could cause the Office 2010 package size to be quite large or result in unpredictable conflicts with 2013, particularly if Office 365 is used.
WORKAROUND: Install only one version of Office or limit which settings are synchronized by UE-V. **WORKAROUND:** Install only one version of Office or limit which settings are synchronized by UE-V.
### Uninstall and re-install of Windows 8 app reverts settings to initial state ### Uninstall and re-install of Windows 8 app reverts settings to initial state
While using UE-V settings synchronization for a Windows 8 app, if the user uninstalls the app and then reinstalls the app, the apps settings revert to their default values.  This happens because the uninstall removes the local (cached) copy of the apps settings but does not remove the local UE-V settings package.  When the app is reinstalled and launched, UE-V gather the app settings that were reset to the app defaults and then uploads the default settings to the central storage location.  Other computers running the app then download the default settings.  This behavior is identical to the behavior of desktop applications. While using UE-V settings synchronization for a Windows 8 app, if the user uninstalls the app and then reinstalls the app, the apps settings revert to their default values.  This happens because the uninstall removes the local (cached) copy of the apps settings but does not remove the local UE-V settings package.  When the app is reinstalled and launched, UE-V gather the app settings that were reset to the app defaults and then uploads the default settings to the central storage location.  Other computers running the app then download the default settings.  This behavior is identical to the behavior of desktop applications.
WORKAROUND: None. **WORKAROUND:** None.
### Email signature roaming for Outlook 2010 ### Email signature roaming for Outlook 2010
UE-V will roam the Outlook 2010 signature files between devices. However, the default signature options for new messages and replies or forwards are not synchronized. These two settings are stored in the Outlook profile, which UE-V does not roam. UE-V will roam the Outlook 2010 signature files between devices. However, the default signature options for new messages and replies or forwards are not synchronized. These two settings are stored in the Outlook profile, which UE-V does not roam.
WORKAROUND: None. **WORKAROUND:** None.
### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office ### UE-V does not support roaming settings between 32-bit and 64-bit versions of Microsoft Office
We recommend that you install the 32-bit version of Microsoft Office for both 32-bit and 64-bit operating systems. To choose the Microsoft Office version that you need, click here. ([http://office.microsoft.com/word-help/choose-the-32-bit-or-64-bit-version-of-microsoft-office-HA010369476.aspx](https://go.microsoft.com/fwlink/?LinkID=247623)). UE-V supports roaming settings between identical architecture versions of Office. For example, 32-bit Office settings will roam between all 32-bit Office instances. UE-V does not support roaming settings between 32-bit and 64-bit versions of Office. We recommend that you install the 64-bit version of Microsoft Office for modern computers. To determine which version you you need, [click here](https://support.office.com/article/choose-between-the-64-bit-or-32-bit-version-of-office-2dee7807-8f95-4d0c-b5fe-6c6f49b8d261?ui=en-US&rs=en-US&ad=US#32or64Bit=Newer_Versions).
WORKAROUND: None **WORKAROUND:** None
### <a href="" id="msi-s-are-not-localized"></a>MSIs are not localized ### <a href="" id="msi-s-are-not-localized"></a>MSIs are not localized
UE-V 2.0 includes a localized setup program for both the UE-V Agent and UE-V generator. These MSI files are still available but the user interface is minimized and the MSIs only display in English. Despite the file being in English, the setup program installs all supported languages during the installation. UE-V 2.0 includes a localized setup program for both the UE-V Agent and UE-V generator. These MSI files are still available but the user interface is minimized and the MSIs only display in English. Despite the file being in English, the setup program installs all supported languages during the installation.
WORKAROUND: None **WORKAROUND:** None
### Favicons that are associated with Internet Explorer 9 favorites do not roam ### Favicons that are associated with Internet Explorer 9 favorites do not roam
The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer. The favicons that are associated with Internet Explorer 9 favorites are not roamed by User Experience Virtualization and do not appear when the favorites first appear on a new computer.
WORKAROUND: Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser. **WORKAROUND:** Favicons will appear with their associated favorites once the bookmark is used and cached in the Internet Explorer 9 browser.
### File settings paths are stored in registry ### File settings paths are stored in registry
Some application settings store the paths of their configuration and settings files as values in the registry. The files that are referenced as paths in the registry must be synchronized when settings are roamed between computers. Some application settings store the paths of their configuration and settings files as values in the registry. The files that are referenced as paths in the registry must be synchronized when settings are roamed between computers.
WORKAROUND: Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam. **WORKAROUND:** Use folder redirection or some other technology to ensure that any files that are referenced as file settings paths are present and placed in the same location on all computers where settings roam.
### Long Settings Storage Paths could cause an error ### Long Settings Storage Paths could cause an error
@ -90,25 +90,25 @@ Keep settings storage paths as short as possible. Long paths could prevent resol
To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational. To check the operational log events, open the Event Viewer and navigate to Applications and Services Logs / Microsoft / User Experience Virtualization / Logging / Operational.
WORKAROUND: None. **WORKAROUND:** None.
### Some operating system settings only roam between like operating system versions ### Some operating system settings only roam between like operating system versions
Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8. Operating system settings for Narrator and currency characters specific to the locale (i.e. language and regional settings) will only roam across like operating system versions of Windows. For example, currency characters will not roam between Windows 7 and Windows 8.
WORKAROUND: None **WORKAROUND:** None
### Windows 8 apps do not sync settings when the app restarts after closing unexpectedly ### Windows 8 apps do not sync settings when the app restarts after closing unexpectedly
If a Windows 8 app closes unexpectedly soon after startup, settings for the application may not be synchronized when the application is restarted. If a Windows 8 app closes unexpectedly soon after startup, settings for the application may not be synchronized when the application is restarted.
WORKAROUND: Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app. **WORKAROUND:** Close the Windows 8 app, close and restart the UevAppMonitor.exe application (can use TaskManager), and then restart the Windows 8 app.
### <a href="" id="ue-v-1-agent-generates-errors-when-running-ue-v-2-templates-"></a>UE-V 1 agent generates errors when running UE-V 2 templates ### <a href="" id="ue-v-1-agent-generates-errors-when-running-ue-v-2-templates-"></a>UE-V 1 agent generates errors when running UE-V 2 templates
If a UE-V 2 settings location template is distributed to a computer installed with a UE-V 1 agent, some settings fail to synchronize between computers and the agent reports errors in the event log. If a UE-V 2 settings location template is distributed to a computer installed with a UE-V 1 agent, some settings fail to synchronize between computers and the agent reports errors in the event log.
WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely youll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates. **WORKAROUND:** When migrating from UE-V 1 to UE-V 2 and it is likely youll have computers running the previous version of the agent, create a separate UE-V 2.0 catalog to support the UE-V 2.0 Agent and templates.
## Hotfixes and Knowledge Base articles for UE-V 2.0 ## Hotfixes and Knowledge Base articles for UE-V 2.0

6
windows/client-management/mdm/oma-dm-protocol-support.md
View File

@ -314,13 +314,13 @@ For more information about Basic or MD5 client authentication, MD5 server authen
## User targeted vs. Device targeted configuration ## User targeted vs. Device targeted configuration
For CSPs and policies that supports per user configuration, MDM server could send user targeted setting values to the device the user that enrolled MDM is actively logged in. The device notifies the server the login status via a device alert (1224) with Alert type = in DM pkg\#1. For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the login status via a device alert (1224) with Alert type = in DM pkg\#1.
The data part of this alert could be one of following strings: The data part of this alert could be one of following strings:
- user the user that enrolled the device is actively login. The MDM server could send user specific configuration for CSPs/policies that support per user configuration - user the user that enrolled the device is actively logged in. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
- others another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device. - others another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
- none no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login - none no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login).
Below is an alert example: Below is an alert example:

2
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -422,7 +422,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
<CmdID>$CmdID$</CmdID> <CmdID>$CmdID$</CmdID>
<Item> <Item>
<Target> <Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</LocURI> <LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</LocURI>
</Target> </Target>
<Meta> <Meta>
<Format xmlns="syncml:metinf">string</Format> <Format xmlns="syncml:metinf">string</Format>

BIN
windows/deployment/images/upgrademdt-fig1-machines.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 8.0 KiB

After

Width:  |  Height:  |  Size: 8.4 KiB

8
windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
View File

@ -32,7 +32,7 @@ After you deploy and store the customized databases on each of your local comput
The command-line options use the following conventions. The command-line options use the following conventions.
Sdbinst.exe \[-q\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\] \[-?\] Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
The following table describes the available command-line options. The following table describes the available command-line options.
@ -78,6 +78,12 @@ The following table describes the available command-line options.
<p>For example,</p> <p>For example,</p>
<p><code>sdbinst.exe -?</code></p></td> <p><code>sdbinst.exe -?</code></p></td>
</tr> </tr>
<tr class="even">
<td align="left"><p>-p</p></td>
<td align="left"><p>Allows SDBs installation with Patches</p>
<p>For example,</p>
<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
</tr>
</tbody> </tbody>
</table> </table>

2
windows/deployment/planning/windows-10-1803-removed-features.md
View File

@ -51,4 +51,4 @@ If you have feedback about the proposed replacement of any of these features, yo
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.|
|IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.|
|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| |[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.|
|Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| |Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.|

18
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -42,6 +42,8 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) [Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices)
[Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results](#custom-log-queries-using-the-abnormalshutdowncount-field-of-device-health-show-zero-or-lower-than-expected-results)
[Disable Upgrade Readiness](#disable-upgrade-readiness) [Disable Upgrade Readiness](#disable-upgrade-readiness)
[Exporting large data sets](#exporting-large-data-sets) [Exporting large data sets](#exporting-large-data-sets)
@ -54,7 +56,7 @@ In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and
Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog. Even though devices can take 2-3 days after enrollment to show up due to latency in the system, you can now verify the status of your devices with a few hours of running the deployment script as described in [You can now check on the status of your computers within hours of running the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/05/12/wheres-my-data/) on the Windows Analytics blog.
>[!NOTE] >[!NOTE]
> If you generate the status report and get an error message saying "Sorry! Were not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** and unsubscribe, wait a minute and then re-subscribe to Upgrade Readiness. > If you generate the status report and get an error message saying "Sorry! Were not recognizing your Commercial Id," go to **Settings > Connected sources > Windows telemetry** remove the Upgrade Readiness solution, and then re-add it.
If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues: If devices are not showing up as expected, find a representative device and follow these steps to run the latest pilot version of the Upgrade Readiness deployment script on it to troubleshoot issues:
@ -201,6 +203,20 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that
### Device names not appearing for Windows 10 devices ### Device names not appearing for Windows 10 devices
Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
### Custom log queries using the AbnormalShutdownCount field of Device Health show zero or lower than expected results
This issue affects custom queries of the Device Health data by using the **Logs > Search page** or API. It does not impact any of the built-in tiles or reports of the Device Health solution. The **AbnormalShutdownCount** field of the **DHOSReliability** data table represents abnormal shutdowns other than crashes, such as sudden power loss or holding down the power button.
We have identified an incompatibility between AbnormalShutdownCount and the Limited Enhanced diagnostic data level on Windows 10, versions 1709, 1803, and 1809. Such devices do not send the abnormal shutdown signal to Microsoft. You should not rely on AbnormalShutdownCount in your custom queries unless you use any one of the following workarounds:
- Upgrade devices to Windows 10, version 1903 when available. Participants in the Windows Insider program can preview this change using Windows Insider builds.
- Change the diagnostic data setting from devices running Windows 10, versions 1709, 1803, and 1809 normal Enhanced level instead of Limited Enhanced.
- Use alternative data from devices to track abnormal shutdowns. For example, you can forward abnormal shutdown events from the Windows Event Log to your Log Analytics workspace by using the Log Analytics agent. Suggested events to forward include:
- Log: System, ID: 41, Source: Kernel-Power
- Log System, ID: 6008, Source: EventLog
### Disable Upgrade Readiness ### Disable Upgrade Readiness
If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps: If you want to stop using Upgrade Readiness and stop sending diagnostic data to Microsoft, follow these steps:

3
windows/deployment/update/windows-analytics-overview.md
View File

@ -52,3 +52,6 @@ Use Upgrade Readiness to get:
- Data export to commonly used software deployment tools, including System Center Configuration Manager - Data export to commonly used software deployment tools, including System Center Configuration Manager
To get started with any of these solutions, visit the links for instructions to add it to Azure Portal. To get started with any of these solutions, visit the links for instructions to add it to Azure Portal.
>[!NOTE]
> For details about licensing requirements and costs associated with using Windows Analytics solutions, see [What are the requirements and costs for Windows Analytics solutions?](windows-analytics-FAQ-troubleshooting.md#what-are-the-requirements-and-costs-for-windows-analytics-solutions).

1
windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
View File

@ -95,6 +95,7 @@ This policy setting controls whether the elevation request prompt is displayed o
- **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. - **Enabled** (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
- **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - **Disabled** All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.
## User Account Control: Virtualize file and registry write failures to per-user locations ## User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software. This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\\system32, or HKLM\\Software.

8
windows/security/identity-protection/vpn/vpn-conditional-access.md
View File

@ -10,7 +10,7 @@ ms.author: pashort
manager: elizapo manager: elizapo
ms.reviewer: ms.reviewer:
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 01/26/2019 ms.date: 03/21/2019
--- ---
# VPN and conditional access # VPN and conditional access
@ -32,11 +32,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
Additional details regarding the Azure AD issued short-lived certificate:
- The default lifetime is 60 minutes and is configurable
- When that certificate expires, the client will again check with Azure AD so that continued health can be validated before a new certificate is issued allowing continuation of the connection
- [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. - [Microsoft Intune device compliance policies](https://docs.microsoft.com/intune/deploy-use/introduction-to-device-compliance-policies-in-microsoft-intune) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.

7
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -11,7 +11,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 03/15/2019 ms.date: 03/25/2019
--- ---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -68,6 +68,9 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
- [Store apps](#add-store-apps) - [Store apps](#add-store-apps)
- [Desktop apps](#add-desktop-apps) - [Desktop apps](#add-desktop-apps)
>[!NOTE]
>An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.
### Add recommended apps ### Add recommended apps
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**. Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
@ -397,7 +400,7 @@ To define the network boundaries, click **App policy** > the name of your policy
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
### Cloud resources ### Cloud resources

13
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -13,7 +13,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 02/26/2019 ms.date: 03/25/2019
--- ---
# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
@ -38,8 +38,15 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
|Visual Studio Online |contoso.visualstudio.com | |Visual Studio Online |contoso.visualstudio.com |
|Power BI |contoso.powerbi.com | |Power BI |contoso.powerbi.com |
>[!NOTE] You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
>You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
For Office 365 endpoints, see [Office 365 URLs and IP address ranges](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges).
Office 365 endpoints are updated monthly.
Allow the domains listed in section number 46 Allow Required and add also add the apps.
Note that apps from officeapps.live.com can also store personal data.
When multiple files are selected from SharePoint Online or OneDrive, the files are aggregated and the URL can change. In this case, add a entry for a second-level domain and use a wildcard such as .svc.ms.
## Recommended Neutral Resources ## Recommended Neutral Resources
We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP). We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP).

12
windows/security/threat-protection/intelligence/supply-chain-malware.md
View File

@ -48,15 +48,17 @@ To learn more about supply chain attacks, read this blog post called [attack inc
### For software vendors and developers ### For software vendors and developers
* Take steps to ensure your apps are not compromised. * Maintain a highly secure build and update infrastructure.
* Maintain a secure and up-to-date infrastructure. Restrict access to critical build systems.
* Immediately apply security patches for OS and software. * Immediately apply security patches for OS and software.
* Implement mandatory integrity controls to ensure only trusted tools run.
* Require multi-factor authentication for admins. * Require multi-factor authentication for admins.
* Build secure software update processes as part of the software development lifecycle. * Build secure software updaters as part of the software development lifecycle.
* Require SSL for update channels and implement certificate pinning.
* Sign everything, including configuration files, scripts, XML files, and packages.
* Check for digital signatures, and dont let the software updater accept generic input and commands.
* Develop an incident response process for supply chain attacks. * Develop an incident response process for supply chain attacks.
* Disclose supply chain incidents and notify customers with accurate and timely information
For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md). For more general tips on protecting your systems and devices, see [prevent malware infection](prevent-malware-infection.md).

2
windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
View File

@ -49,4 +49,4 @@ To be eligible for VIA your organization must:
3. Be willing to sign and adhere to the VIA membership agreement. 3. Be willing to sign and adhere to the VIA membership agreement.
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

2
windows/security/threat-protection/intelligence/virus-initiative-criteria.md
View File

@ -53,4 +53,4 @@ Your organization must meet the following eligibility requirements to qualify fo
### Apply now ### Apply now
If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry).

10
windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md
View File

@ -15,12 +15,12 @@ ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 04/19/2017
--- ---
# Network security: Configure encryption types allowed for Kerberos Win7 only # Network security: Configure encryption types allowed for Kerberos
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting.
## Reference ## Reference
@ -67,9 +67,9 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Default domain policy| Not defined| | Default domain policy| Not defined|
| Default domain controller policy| Not defined| | Default domain controller policy| Not defined|
| Stand-alone server default settings | Not defined| | Stand-alone server default settings | Not defined|
| Domain controller effective default settings | None of these encryption types that are available in this policy are allowed.| | Domain controller effective default settings | The default OS setting applies, DES suites are not supported by default.|
| Member server effective default settings | None of these encryption types that are available in this policy are allowed.| | Member server effective default settings | The default OS setting applies, DES suites are not supported by default.|
| Effective GPO default settings on client computers | None of these encryption types that are available in this policy are allowed.| | Effective GPO default settings on client computers | The default OS setting applies, DES suites are not supported by default.|
   
## Security considerations ## Security considerations

1
windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md
View File

@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
ms.date: 30/07/2018
--- ---
# Supported Windows Defender ATP query APIs # Supported Windows Defender ATP query APIs

BIN
windows/security/threat-protection/windows-defender-atp/images/creating-account.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/setup-preferences.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 86 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/setup-preferences2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/welcome1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 80 KiB

55
windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
View File

@ -63,61 +63,50 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows
2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard. 2. The **Welcome** screen will provide some details as to what is about to occur during the set up wizard.
![Image of Welcome screen for portal set up](images\atp-portal-welcome-screen.png) ![Image of Welcome screen for portal set up](images\welcome1.png)
You will need to set up your preferences for Windows Defender Security Center. You will need to set up your preferences for Windows Defender Security Center.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. 3. Set up preferences
> [!WARNING] ![Image of geographic location in set up](images\setup-preferences.png)
> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
![Image of geographic location in set up](images\atp-geographic-location-setup.png) 1. **Select data storage location** <br> When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United States, the European Union, or the United Kingdom. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
4. Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process. > [!WARNING]
> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.
> [!NOTE] 2. **Select the data retention policy** <br> Windows Defender ATP will store data up to a period of 6 months in your cloud instance, however, you have the option to set the data retention period for a shorter timeframe during this step of the set up process.
> This option can be changed at a later time.
![Image of data retention set up](images\atp-data-retention-policy.png) > [!NOTE]
> This option can be changed at a later time.
5. You will need to indicate the size of your organization based on an estimate of the number of employees currently employed. 3. **Select the size of your organization** <br> You will need to indicate the size of your organization based on an estimate of the number of employees currently employed.
> [!NOTE] > [!NOTE]
> The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization. > The **organization size** question is not related to how many licenses were purchased for your organization. It is used by the service to optimize the creation of the data cluster for your organization.
![Image of organization size](images\atp-organization-size.png) 4. **Turn on preview features** <br> Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
6. The customer industry information is helpful in collecting data for the Windows Security Team, and while optional, would be useful if completed. You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
> [!NOTE]
> This option can be changed at a later time.
![Image of industry information](images\atp-industry-information.png)
7. Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on **Preview features**.
You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
- Toggle the setting between On and Off to choose **Preview features**. - Toggle the setting between On and Off to choose **Preview features**.
> [!NOTE] > [!NOTE]
> This option can be changed at a later time. > This option can be changed at a later time.
![Image of preview experience](images\atp-preview-experience.png) 4. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
> [!NOTE] > [!NOTE]
> Some of these options can be changed at a later time in Windows Defender Security Center. > Some of these options can be changed at a later time in Windows Defender Security Center.
![Image of final preference set up](images\atp-final-preference-setup.png) ![Image of final preference set up](images\setup-preferences2.png)
9. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete. 5. A dedicated cloud instance of Windows Defender Security Center is being created at this time. This step will take an average of 5 minutes to complete.
![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png) ![Image of Windows Defender ATP cloud instance](images\creating-account.png)
10. You are almost done. Before you can start using Windows Defender ATP you'll need to: 6. You are almost done. Before you can start using Windows Defender ATP you'll need to:
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) - [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
@ -129,7 +118,7 @@ When accessing [Windows Defender Security Center](https://SecurityCenter.Windows
> If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification: > If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification:
>![Image of setup imcomplete](images\atp-setup-incomplete.png) >![Image of setup imcomplete](images\atp-setup-incomplete.png)
11. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time. 7. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png) ![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png)

10
windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
View File

@ -67,7 +67,15 @@ Create custom rules to control when alerts are suppressed, or resolved. You can
1. Select the alert you'd like to suppress. This brings up the **Alert management** pane. 1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
2. Select **Create a supression rule**. 2. Select **Create a suppression rule**.
You can create a suppression rule based on the following attributes:
* File hash
* File name - wild card supported
* File path - wild card supported
* IP
* URL - wild card supported
3. Select the **Trigerring IOC**. 3. Select the **Trigerring IOC**.

1
windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md
View File

@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
ms.date: 30/07/2018
--- ---
# Create custom reports using Power BI (app authentication) # Create custom reports using Power BI (app authentication)

1
windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
View File

@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
ms.date: 30/07/2018
--- ---
# Create custom reports using Power BI (user authentication) # Create custom reports using Power BI (user authentication)

1
windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md
View File

@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
ms.date: 30/07/2018
--- ---
# Advanced Hunting using Python # Advanced Hunting using Python

2
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -37,7 +37,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua
## Requirements ## Requirements
Network protection requires Windows 10 Enterprise E3 and Windows Defender AV real-time protection. Network protection requires Windows 10 Pro, Enterprise E3, E5 and Windows Defender AV real-time protection.
Windows 10 version | Windows Defender Antivirus Windows 10 version | Windows Defender Antivirus
- | - - | -

2
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
View File

@ -36,7 +36,7 @@ There are four steps to troubleshooting these problems:
Attack surface reduction rules will only work on devices with the following conditions: Attack surface reduction rules will only work on devices with the following conditions:
>[!div class="checklist"] >[!div class="checklist"]
> - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). > - Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).

2
windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -60,7 +60,7 @@ This section covers requirements for each feature in Windows Defender EG.
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |